Configure HTML sanitizer

You must modify a script include to make configuration changes to the HTML sanitizer.

Before you begin

Role required: admin

Procedure

  1. Navigate to System Definition > Script Includes.
  2. Open HTMLSanitizerConfig.
  3. To add items to the black list, use the HTML_BLACKLIST class. To add items to the white list, use the HTML_WHITELIST class.

    Use this format:

    HTML_XXXXLIST :{
            globalAttributes :{ 
     
                attribute:[attribute-name1,...],
                attributeValuePattern:{ attribute-name2:attribute-value-regex-pattern,...}
     
            },<html-element-name>:{// Same as Above},----}
    • globalAttributes contains attribute or attributeValuePattern items that are applicable globally for all the HTML elements.
    • attribute is a comma-separated list of attributes.
    • attributeValuePattern is a dictionary of attribute to attribute-value-regex-pattern pairs. The attribute-value-regex-pattern is a regular expression which has to match the attribute value.

Example

Consider the following example:

HTML_WHITELIST:{
        globalAttributes:{
            attribute:["id","name"],},
        img:{
            attribute:["style","align"],
            attributeValuePattern:{src:".*jpeg"}}, 
        iframe:{},}

It adds the following items to the white list:

  • The global attributes id and name. This is a list of strings that can be applied globally to all the elements.
  • The img element where the attributes are style and align.
  • The img element where the source attribute of the image is a file with the .jpeg extension. This is an example of a regular expression pattern that matches an attribute value.
  • The iframe element.