Exploring HTML sanitizer
-
- UpdatedSep 5, 2023
- 2 minutes to read
- Vancouver
- Now Platform Security
Remove unwanted code and protect against security concerns such as cross-site scripting attacks by sanitizing HTML markup in HTML fields and translated HTML fields.
Use HTML sanitization to ensure HTML content within your instance doesn’t contain potentially harmful content. HTML sanitization works by removing HTML tags that could be used to compromise your instance, such as
<script>
, <link>
, or <embed>
tags that can be used to run unwanted scripts on your instance or direct your users to unwanted content. Safe tags that control the
formatting of your content are preserved. As an administrator, you're able to customize what content is removed or preserved. You’re also able to control whether sanitization applies to all content, or just fields you specify.
The HTML sanitizer works by checking the built-in inclusion list for markup that you always want to preserve. The sanitizer provides the HTMLSanitizerConfig script include that administrators can use to modify the built-in inclusion list. Items can also be added to the exclusion list to remove HTML markup. Contents of the exclusion list override the inclusion list.
- Global attributes
- Any HTML elements
href
and src
support only these protocols:http
https
mailto
data
Configure urlAttributes and the protocols
You can configure urlAttributes and their protocols in the HTMLSanitizer script include. For example:
Because notes
is in the inclusion list in this example, this URL isn’t sanitized: