Embed block - add allowed tag and attributes

[rchlfryn]

Description

The GenericEmbed block was stripping essential attributes needed for third-party widgets like Donorbox. DOMPurify's sanitization was removing the custom <dbox-widget> tag and critical attributes (async, campaign, enable-auto-scroll) required for the widget to function properly.

This PR updates the DOMPurify configuration to whitelist these tags and attributes, allowing Donorbox and similar custom element-based embeds to work correctly.

Related Issues

Fixes #816

Key Changes

• Added dbox-widget to ADD_TAGS in DOMPurify config to allow custom widget elements
• Added async attributes to support asynchronous script loading
• Added campaign and enable-auto-scroll attributes for Donorbox widget configuration
• Alphabetized the ADD_ATTR array for better maintainability

How to test

• Navigate to the CMS admin and create/edit a page with a GenericEmbed block
• Add the following Donorbox embed code:

<script type="module" src="https://donorbox.org/widgets.js" async></script>
<dbox-widget campaign="sac-donate-alternatives" type="donation_form" enable-auto-scroll="true"></dbox-widget>

• Save and view the page on the frontend
• Verify the Donorbox donation form renders correctly and is interactive
• Inspect the iframe content to confirm the async attribute is present on the script tag and custom attributes are present on the dbox-widget element

Screenshots / Demo video

https://www.loom.com/share/fa3cb08b237240268b2a88c5afc13698

Future enhancements / Questions

Monitor whether other third-party widgets require additional whitelisted attributes
Evaluate if the iframe approach has limitations for certain widgets (some may require page-level script loading)

[github-actions]

Preview deployment: https://add-attrs-embeds.preview.avy-fx.org

[andyanderso]

Thanks @rchlfryn! Now we get to see if it does actually load faster in the real world. From your loom, it looks like the load speed difference is noticeable.