Commit 3ba4c5d

Reformat list of HTML tags and options
1 parent f3ce650 commit 3ba4c5d

1 file changed

+3
-19
lines changed

docs/development/legacy/libraries/typography.md

Lines changed: 3 additions & 19 deletions
@@ -98,25 +98,9 @@ The Typography class has a number of class properties that you may wish to set b
9898

9999
(`string`) \[ **safe** / all / none \] — Controls how HTML is handled in text.
100100

101-
- `"safe"` allows the following HTML tags to be rendered in the DOM, while all other HTML tags are removed from the content.
102-
- `h2`, `h3`, `h4`, `h5`, `h6`
103-
- `abbr`
104-
- `b`
105-
- `blockquote`
106-
- `cite`
107-
- `code`
108-
- `del`
109-
- `em`
110-
- `i`
111-
- `ins`
112-
- `mark`
113-
- `pre`
114-
- `span`
115-
- `strong`
116-
- `sub`
117-
- `sup`
118-
- `"all"` allows all HTML tags to be rendered in the DOM. This is not recommended because it may allow users (who may not otherwise have access to edit templates) to inject HTML in unexpected places. For example, if the template is defined as `<p>{content}</p>`, but `{content}` itself is `<form><input></form>`, that will be rendered in the DOM as `<p><form><input></form></p>` which would essentially allow a user to add a form to a page via a `content` field that was probably not intended to be used in this way.
119-
- `"none"` converts all HTML tags to their encoded values (e.g. `<h1>` becomes `&lt;h1&gt;`) and will output it as text. This is the safest option because it prevents any unexpected HTML to be rendered in the DOM.
101+
- `"safe"` -- Allows the following HTML tags to be rendered in the DOM: `h2`, `h3`, `h4`, `h5`, `h6`, `abbr`, `b`, `blockquote`, `cite`, `code`, `del`, `em`, `i`, `ins`, `mark`, `pre`, `span`, `strong`, `sub`, `sup`. All other HTML tags are removed from the content.
102+
- `"all"` -- Allows all HTML tags to be rendered in the DOM. This is not recommended because it may allow users (who may not otherwise have access to edit templates) to inject HTML in unexpected places. For example, if the template is defined as `<p>{content}</p>`, but `{content}` itself is `<form><input></form>`, that will be rendered in the DOM as `<p><form><input></form></p>` which would essentially allow a user to add a form to a page via a `content` field that was probably not intended to be used in this way.
103+
- `"none"` -- Converts all HTML tags to their encoded values (e.g. `<h1>` becomes `&lt;h1&gt;`) and will output it as text. This is the safest option because it prevents any unexpected HTML to be rendered in the DOM.
120104

121105
### `$parse_images`
122106
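
Review bot: In the `"safe"` bullet (new line 101), the allowlist is now one inline sentence, and it still names only the tags that are kept, not what happens to attributes on those tags. Readers use this bullet to judge what user-supplied content can reach the DOM, so consider adding a sentence stating whether attributes on allowed tags such as `span` are preserved or stripped. Two smaller points on the added lines: the `--` separator differs from the dash used on context line 99, so check that it renders as intended, and in the `"none"` bullet (new line 103) "prevents any unexpected HTML to be rendered" should read "prevents any unexpected HTML from being rendered".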
