Why do CMS page updates strip 'rel' attributes out of scripts?

[Angstony_2]

First some background:
I've been working on creating a CMS picture gallery using this tutorial as a starting point. I've got it working nicely – and responsively too (except in IE) – by using css grid in custom code rather than a table, but I want fancybox to display as a slideshow so I need to add a rel="group" attribute to all of the a-links, but they're getting stripped out after saving the page.

Now I've actually managed to work around this by editing the content column directly in the database – yes, I know the risks – and it works perfectly well as far as I can tell. So my question is, why are they stripped out by design and what might the consequences of my workaround be?

[lesley]

Do you have the html purifier turned on? That could be doing it.

[Angstony_2]

Thanks @lesley that was it. But now I'm curious: what does the html purifier do on TB and what are the consequences or disabling that?

[lesley]

Basically it strips some things out of the html so that it is safer and also reorganizes some things as well. It helps keep people from breaking things basically.

[Angstony_2]

Hmm… so what does that make the site vulnerable to? Mistakes by me, errors in underlying code, or malicious external attacks?

[lesley]

Mistakes by you and any modules that use the tinymce on the front end, depending on how they are programmed. There are not any that I can think of though off the top of my head, but I am sure there are some out there.

[Angstony_2]

Okay, thanks. I can live with that for now. If I do decide to re-enable it at some point at least I know that editing the database field directly won't do any harm.