HTML sanitizer

Remove unwanted code and protect against security concerns such as cross-site scripting attacks by sanitizing HTML markup in HTML fields and translated HTML fields.

The HTML sanitizer works by checking markup against a built-in white list of elements and attributes that you always want to preserve; anything not on the list is removed. The sanitizer provides the HTMLSanitizerConfig script include, which administrators can use to modify the built-in white list. Items can also be added to the black list, which overrides the white list, to remove HTML markup even when the white list would otherwise allow it.

The following types of items can be added to white and black lists:
  • Global attributes
  • Any HTML elements
Note: By default, URL attributes like href and src support only these protocols:
  • http
  • https
  • mailto
  • data
For example:
<a href="https://community.servicenow.com/welcome">Community</a>

Configure urlAttributes and the protocols

You can configure urlAttributes and their protocols in the HTMLSanitizer script include. For example:

HTML_WHITELIST : {
    urlAttributes: { "protocols" : [ "file", "notes" ] },
    -  -
    -  -
}

Because notes is white listed in the example above, this URL is not sanitized:

<a title="Lotus" href="Notes://ABC/X575C90019DE33/ABC594DCB76D86EB4925653E0011C4C1/ZZ90B7E2D33964749257EEA003456FD">Lotus</a>
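The following JavaScript is an added example, not ServiceNow's HTMLSanitizer code and not taken from this page. It models the rules described above (white-listed elements and attributes, global attributes, a protocol list for URL attributes, and a black list that overrides the white list) over a trimmed subset of the default white list, and shows that the Notes:// link is kept only once notes is added to the protocols. The function names sanitizeHtml and urlAllowed, the BLACKLIST shape, and the URL_ATTRIBUTE_NAMES set are assumptions made for illustration; the protocol list and the attribute names come from this page.

```javascript
// Added example (not ServiceNow's HTMLSanitizer): a minimal white-list
// sanitizer that follows the config shape shown on this page. Names such as
// sanitizeHtml, urlAllowed, BLACKLIST and URL_ATTRIBUTE_NAMES are assumptions.
// Tags are tokenized with regular expressions, which is enough to show the
// rules but is not how a production sanitizer should parse HTML.

// Trimmed subset of the built-in white list; urlAttributes.protocols holds
// the default protocols named on this page.
const WHITELIST = {
  globalAttributes: { attribute: ["id", "class", "lang", "title", "style"] },
  urlAttributes: { protocols: ["http", "https", "mailto", "data"] },
  a: { attribute: ["href", "nohref", "name", "shape"] },
  img: { attribute: ["src", "name", "alt", "height", "width"] },
  p: { attribute: ["align"] },
  b: {}, i: {}, strong: {}, em: {}, br: {},
};

// Black list entries override the white list (constructed shape, empty by default).
const BLACKLIST = { element: [], attribute: [] };

// Attributes whose values are URLs and therefore get the protocol check (assumed set).
const URL_ATTRIBUTE_NAMES = ["href", "src", "action", "background"];

// Global attributes plus the element's own attributes, lower-cased for comparison.
function allowedAttributes(tag, config) {
  const global = config.globalAttributes ? config.globalAttributes.attribute : [];
  const own = config[tag] && config[tag].attribute ? config[tag].attribute : [];
  return new Set([...global, ...own].map((a) => a.toLowerCase()));
}

// Is this URL value acceptable under the configured protocol list?
// Mirrors how browsers read a scheme: leading controls and spaces are
// ignored and embedded tab/newline characters are removed before parsing,
// so "java\tscript:" is still recognised as the javascript scheme.
function urlAllowed(value, protocols) {
  const v = value.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(v);
  if (!m) return true; // no scheme at all: a relative URL
  return protocols.map((p) => p.toLowerCase()).includes(m[1].toLowerCase());
}

function sanitizeHtml(html, config = WHITELIST, blacklist = BLACKLIST) {
  const protocols = (config.urlAttributes && config.urlAttributes.protocols) || [];
  const blockedElements = new Set(blacklist.element.map((e) => e.toLowerCase()));
  const blockedAttrs = new Set(blacklist.attribute.map((a) => a.toLowerCase()));
  const hasOwn = (k) => Object.prototype.hasOwnProperty.call(config, k);

  // Comments and whole <script> elements (body included) are dropped first.
  const pruned = html
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");

  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

  return pruned.replace(tagRe, (whole, slash, name, rest) => {
    const tag = name.toLowerCase();
    // Unknown or black-listed element: the tag is removed, its text stays.
    if (blockedElements.has(tag) || !hasOwn(tag)) return "";
    if (slash) return `</${tag}>`;

    const allowed = allowedAttributes(tag, config);
    const kept = [];
    let m;
    while ((m = attrRe.exec(rest)) !== null) {
      const attr = m[1].toLowerCase();
      const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || "");
      if (blockedAttrs.has(attr) || !allowed.has(attr)) continue;           // not white-listed
      if (URL_ATTRIBUTE_NAMES.includes(attr) && !urlAllowed(value, protocols)) continue; // bad scheme
      kept.push(`${attr}="${value.replace(/"/g, "&quot;")}"`);
    }
    const selfClose = /\/\s*$/.test(rest) ? " /" : "";
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${selfClose}>`;
  });
}

// Stand-alone run: the Notes:// link from this page is stripped under the
// default protocols and kept once "notes" is added.
if (typeof require !== "undefined" && require.main === module) {
  const lotus = '<a title="Lotus" href="Notes://ABC/X">Lotus</a>'; // constructed, shortened
  const withNotes = Object.assign({}, WHITELIST, {
    urlAttributes: { protocols: WHITELIST.urlAttributes.protocols.concat(["file", "notes"]) },
  });
  console.log(sanitizeHtml(lotus));            // <a title="Lotus">Lotus</a>
  console.log(sanitizeHtml(lotus, withNotes)); // <a title="Lotus" href="Notes://ABC/X">Lotus</a>
}
```

Two limits of this toy are worth keeping in mind when reasoning about the real sanitizer: it does not decode character entities before checking a scheme, and an element black-list entry removes the tag but leaves its text content in place (only script bodies are dropped). A sanitizer that runs on a parsed DOM rather than on regular expressions avoids both problems, which is why the white list on this page is applied to parsed markup rather than to raw text.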

The Default White List

BUILTIN_HTML_WHITELIST : {
    globalAttributes: { attribute: ["id","class","lang","title","style"], attributeValuePattern: {} },
    label: { attribute: ["for"] },
    font: { attribute: ["color","face","size"] },
    a: { attribute: ["href","nohref","name","shape"] },
    img: { attribute: ["src","name","alt","border","hspace","vspace","align","height","width"] },
    table: { attribute: ["border","cellpadding","cellspacing","bgcolor","background","align","no resize","height","width","summary","frame","rules"] },
    th: { attribute: ["background","bicolor","abbr","axis","headers","scope","nowrap","height","width","align","valign","char off","char","colspan","rowspan"] },
    td: { attribute: ["background","bicolor","abbr","axis","headers","scope","nowrap","height","width","align","valign","char off","char","colspan","rowspan"] },
    tr: { attribute: ["background","height","width","align","valign","char off","char"] },
    thead: { attribute: ["align","valign","char off","char"] },
    tbody: { attribute: ["align","valign","char off","char"] },
    tfoot: { attribute: ["align","valign","char off","char"] },
    colgroup: { attribute: ["align","valign","char off","char","span","width"] },
    col: { attribute: ["align","valign","char off","char","span","width"] },
    p: { attribute: ["align"] },
    style: { attributeValuePattern: { "type": "text/css" } },
    canvas: { attribute: ["height","width"] },
    details: { attribute: ["open"] },
    summary: { attribute: ["open","valign","char off","char"] },
    button: { attribute: ["name","value","disabled","accesskey","type"] },
    form: { attribute: ["action","name","autocomplete","method"] },
    input: { attribute: ["name","size","maxlength","autocomplete","checked","alt","src","type","value","disabled","readonly","accesskey","border","usemap"] },
    select: { attribute: ["name","disabled","multiple","size"] },
    textarea: { attribute: ["rows","cols","name","disabled","readonly","accesskey"] },
    option: { attribute: ["disabled","value","label","selected"] },
    div: { attribute: ["align"] },
    ol: { attribute: ["start","type","square"] },
    ul: { attribute: ["type","square","itemscope","itemtype","itemref"] },
    li: { attribute: ["value","fb__id","itemprop"] },
    span: { attribute: ["color","size","data-mce-bogus","itemprop","face"] },
    br: { attribute: ["clear"] },
    h3: { attribute: ["itemprop"] },
    html: { attribute: ["xmlns","lang","xml:lang"] },
    link: { attribute: ["rel","type","href","charset"] },
    meta: { attribute: ["name","content","scheme","charset","http-equiv"] },
    pre: { attribute: ["xml:space"] },
    noscript: {}, h1: {}, h2: {}, h4: {}, h5: {}, h6: {},
    i: {}, b: {}, u: {}, strong: {}, em: {}, small: {}, big: {},
    code: {}, cite: {}, samp: {}, sub: {}, sup: {},
    strike: {}, center: {}, blockquote: {}, hr: {}, map: {},
    dd: {}, dt: {}, dl: {}, fieldset: {}, legend: {}, figure: {}, tt: {},
    body: {}, caption: {}, head: {}, title: {}, var: {},
    "a shape": {}   // key as printed on the page
}