This is related to http://stackoverflow.com/questions/3290766/htmlpurifier-adding-to-ignore-list. I have added a couple of tags to the whitelist. I have this code now:
$config->set('HTML', 'AllowedElements', array("customreport", "column", "columnseq"));
$def = $config->getHTMLDefinition(true);
$def->addElement("customreport", 'Block', 'Flow', 'Common', array());
$def->addElement("column", 'Block', 'Inline', 'Common', array());
$def->addElement("columnseq", 'Inline', 'Empty', 'Common', array('path'=>'CDATA', 'label'=>'CDATA'));
The problem is, if I send an HTML tag which has the attribute value in single quotes, HTML Purifier changes it to double quotes. For example:
<columnseq path='test' label='tlabel' />
It happens even on the demo site (http://htmlpurifier.org/demo.php), with the test string
<A HREF='http://www.google.com/'>XSS</A>
Can this behavior be overridden?