HTML sanitizer

The HTML sanitizer automatically cleans up the HTML markup stored in HTML fields and translated HTML fields, removing unwanted markup and protecting against security issues such as cross-site scripting (XSS) attacks.

The HTML sanitizer works by checking markup against a built-in white list of the elements and attributes that are always preserved. Administrators can modify the built-in white list through the HTMLSanitizerConfig script include. Items can also be added to the black list, which overrides the white list, so that specific HTML markup is removed even if it is white-listed.

The following types of items can be added to white and black lists:
  • Global attributes
  • Any HTML elements
Note: By default, URL attributes such as href and src accept only the following protocols (URL schemes):
  • http
  • https
  • mailto
For example:
<a href="https://community.servicenow.com/welcome">Community</a>

The Default White List

BUILTIN_HTML_WHITELIST :{
 
    globalAttributes:{ attribute:["id","class","lang","title","style"],
 
                                 attributeValuePattern:{}},
 
    label:{ attribute:["for"]},
 
    font:{ attribute:["color","face","size"]},
 
    a:{ attribute:["href","nohref","name","shape"]},
 
    img:{ attribute:["src","name","alt","border","hspace","vspace","align","height","width"]},
 
    table:{ attribute:["border","cellpadding","cellspacing","bgcolor","background","align","no resize","height","width","summary","frame","rules"]},
 
    th:{ attribute:["background","bicolor","abbr","axis","headers","scope","nowrap","height","width","align","valign","char off","char","colspan","rowspan"]},
 
    td:{ attribute:["background","bicolor","abbr","axis","headers","scope","nowrap","height","width","align","valign","char off","char","colspan","rowspan"]},
 
    tr:{ attribute:["background","height","width","align","valign","char off","char"]},
 
    thead:{attribute:["align","valign","char off","char"]}, 
 
    tbody:{attribute:["align","valign","char off","char"]}, 
 
    tfoot:{attribute:["align","valign","char off","char"]}, 
 
    colgroup:{attribute:["align","valign","char off","char","span","width"]}, 
 
    col:{attribute:["align","valign","char off","char","span","width"]},
 
    p:{attribute:["align"]},
 
    style:{attributeValuePattern:{"type":"text/css"}},
 
    canvas:{ attribute:["height","width"]},
 
    details:{ attribute:["open"]},
 
    summary:{ attribute:["open","valign","char off","char"]},
 
    button:{ attribute:["name","value","disabled","accesskey","type"]},
 
    form:{ attribute:["action","name","autocomplete","method"]},
 
    input:{ attribute:["name","size","maxlength","autocomplete","checked","alt","src","type","value","disabled","readonly","accesskey","border","usemap"]},
 
    select:{ attribute:["name","disabled","multiple","size"]},
 
    textarea:{ attribute:["rows","cols","name","disabled","readonly","accesskey"]},
 
    option:{ attribute:["disabled","value","label","selected"]},
 
    div:{ attribute:["align"]},
 
    ol:{ attribute:["start","type","square"]},
 
    ul:{ attribute:["type","square","itemscope","itemtype","itemref"]},
 
    li:{ attribute:["value","fb__id","itemprop"]},
 
    span:{ attribute:["color","size","data-mce-bogus","itemprop","face"]},
 
    br:{ attribute:["clear"]},
 
    h3:{ attribute:["itemprop"]},
 
    html:{ attribute:["xmlns","lang","xml:lang"]},
 
    link:{ attribute:["rel","type","href","charset"]},
 
    meta:{ attribute:["name","content","scheme","charset","http-equiv"]},
 
    pre:{ attribute:["xml:space"]},
 
    noscript:{},    h1:{},    h2:{},      h4:{},    h5:{},    h6:{},   
 
    i:{},    b:{},    u:{},    strong:{},    em:{},    small:{},    big:{},   
 
    pre:{},    code:{},    cite:{},    samp:{},    sub:{},    sup:{},    
 
    strike:{},   center:{},  blockquote:{},    hr:{},      map:{},
 
    dd:{},    dt:{},    dl:{},  fieldset:{},    legend:{}, figure:{},  tt:{},
 
    body:{},   caption:{},   head:{},   title:{},var:{},  a shape:{},},