ALLOW_CHILDREN and PURGE_WITHOUT_ATTRS can't be set at the same time

[darthnorman]

I want to use a certain tag that should be allowed to have children. In this case I'd use ALLOW_CHILDREN as a flag on my new tag.

But what if I want to allow it only if it has a specific attribute on it, like a must-have attribute?

I can't give it both flags, only one. So I have to decide whether it shows its content or shows itself if it has an attribute, but then it doesn't render the content inside of it.

Also, what is it with PURGE_WITHOUT_CHILDREN? This can't be used since you'd have to allow children in the first place. If I use this flag, I get "Tag %s does not allow children, but shall be purged without them", what's the point of setting this flag then?

[ohader]

Can you please give examples describing what you try to do and which input data (HTML) you're using? Thanks!

[darthnorman]

I want to allow the script-tag for structured data in json format. So the attribute I'd like it to have is type="application/ld+json" but I also have to allow children (the actual json code). When someone tries to abuse it by adding any other type or no type at all, it shouldn't be rendered. Thats why I'd need both flags, ALLOW_CHILDREN and PURGE_WITHOUT_ATTRS, wouldn't I?

[ohader]

There was an unexpected behavior when parsing <script></script> - which was considered having an empty text-node.
In contrast, parsing <div></div> did not register any child nodes. Thus, PHP's behavior for <script> tags seems to be special.

However, PURGE_WITHOUT_ATTRS is not a real protection for the given use-case. Lets assume id attrs were allowed in general on any tags. That would lead to the situation that the following tag still would be allowed.

<script id="identifier">alert(1)</script> // not purged by PURGE_WITHOUT_ATTRS

→ Thus, the long-term solution for e.g. allowing JSON-LD in <script> tags, would be to make particular attr values mandatory