[4.0] Allow form elements in a subform template (sanitisation)

[dgrammatiko]

Pull Request for Issue #34512 (the subform part) .

Summary of Changes

• Revert the sanitisation here

Testing Instructions

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Documentation Changes Required

@wilsonge can you push the button here?

[Fedik]

hm, do we really need cleaning for subform "template"?
it can be pretty complex for a forms, there may be fields with custom element, and fields with onclick attributes

[dgrammatiko]

and fields with onclick attributes

This is exactly what's not allowed and what the sanitizer is supposed to clean 😉

[Fedik]

then subfrom will be broken for these fields,
there may be fields that use it

[dgrammatiko]

then subfrom will be broken for these fields, there may be fields that use it

Hard call (thankfully not my call). Allowing inline on-events is XSS prone. Disallowing on-events is stricter but probably all elements will be required to be defined custom-elements (own constructor etc). I'm ok reverting this. @wilsonge your call...

[Fedik]

I understood the intention, and it good one.
but it pretty hard.

[richard67]

@dgrammatiko CS: https://ci.joomla.org/joomla/joomla-cms/45175/1/21

[dgrammatiko]

I understood the intention, and it good one.
but it pretty hard.

Till there's a viable solution for sanitization of the subform templates the changes have been reverted

[joomdonation]

I have tested this item ✅ successfully on 934208e

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34514.}

[alikon]

I have tested this item ✅ successfully on 934208e

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34514.}

[alikon]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34514.}

[richard67]

Thanks!