The HTML tag <object> optionally has embedded (child) tags that serve as an alternative (fallback) HTML representation for the object. Of course, the object and its parameters are considered harmful in HTML mail, but the alternative representation is meant for exactly this kind of situation. They should display the object contents without loading possibly insecure code.
- By ignoring <object> tags, roundcube also removes all their child nodes
- As <object> is not in the list of allowed $html_elements and <param> gets cleaned through $void_elements, they get ignored anyway, without removing the valuable child nodes.