HTML sanitizer

For security purposes, the text editor only allows HTML tags designated as "safe" when it is in HTML mode. Refer to this document to view the HTML tags and attributes that are designated as "safe" in the text editor.

Note: Malformed HTML will not be accepted and cannot be saved in the text editor.

Tags allowed by default

a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hr, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr, style, meta, title, source, audio, video, link, embed, object, param

Attributes allowed by default

abbr, accept, accept-charset, accesskey, action, align, alt, autocomplete, autosave, axis, bgcolor, border, cellpadding, cellspacing, challenge, char, charoff, charset, checked, cite, clear, color, cols, colspan, compact, contenteditable, coords, datetime, dir, disabled, draggable, dropzone, enctype, for, frame, headers, height, high, href, hreflang, hspace, ismap, keytype, label, lang, list, longdesc, low, max, maxlength, media, method, min, multiple, name, nohref, noshade, novalidate, nowrap, open, optimum, pattern, placeholder, prompt, pubdate, radiogroup, readonly, rel, required, rev, reversed, rows, rowspan, rules, scope, selected, shape, size, span, spellcheck, src, start, step, style, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, wrap, class, id, href, face, unselectable, reoriginalpositionmarker, size, background, src, content, http-equiv

Note: The class attribute is not in the white list by default. It can be added as follows:

var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Add("class");
var sanitized = sanitizer.Sanitize(html);

CSS properties allowed by default

background, background-attachment, background-color, background-image, background-position, background-repeat, border, border-bottom, border-bottom-color, border-bottom-style, border-bottom-width, border-collapse, border-color, border-left, border-left-color, border-left-style, border-left-width, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-style, border-top-width, border-width, bottom, caption-side, clear, clip, color, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, float, font, font-family, font-size, font-style, font-variant, font-weight, height, left, letter-spacing, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width, min-height, min-width, opacity, orphans, outline, outline-color, outline-style, outline-width, overflow, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, quotes, right, table-layout, text-align, text-decoration, text-indent, text-transform, top, unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing, z-index, position, border, border-image, mso-list, mso-themecolor, mso-themetint, mso-style-textfill-fill-color, mso-style-textfill-fill-themecolor, mso-style-textfill-fill-alpha, mso-style-textfill-fill-colortransforms, mso-font-kerning, mso-table-lspace, -ms-text-size-adjust, -webkit-text-size-adjust, mso-table-rspace, transition, mso-bidi-font-family, mso-bidi-font-size, mso-bidi-font-weight, mso-spacerun, -webkit-text-stroke-width, -webkit-text-size-adjust, -webkit-font-smoothing, border-radius, -ms-interpolation-mode, mso-ascii-theme-font, mso-fareast-font-family, mso-fareast-theme-font, mso-hansi-theme-font, mso-bidi-font-family, mso-bidi-theme-font, mso-ansi-language, mso-fareast-language, 
mso-bidi-language, font-variant-ligatures, font-variant-caps, font-variant-caps, mso-hide, font-variant-numeric, mso-height-rule, mso-width-source, mso-width-alt, punctuation-wrap, -ms-word-break, language, mso-line-break-override, punctuation-wrap, tab-stops

CSS at-rules allowed by default

namespace, style, media, import
style refers to style declarations within other at-rules such as @media. Disallowing @namespace while allowing other types of at-rules can lead to errors. Property declarations in @font-face and @viewport are not sanitized.
Note: The style tag is disallowed by default.

URI schemes allowed by default

http, https, mailto
Note: Protocol-relative URLs (e.g. //github.com) are allowed by default (as are other relative URLs).
To allow mailto: links:
sanitizer.AllowedSchemes.Add("mailto");

Attributes that contain URIs allowed by default

action, background, dynsrc, href, lowsrc, src
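
The following pre-check is an added example, not the text editor's own sanitizer code: it models the URI rule described above (allowed schemes plus relative and protocol-relative URLs, applied to the URI-bearing attributes) and reports which attributes in a snippet fall outside it. The function names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Both lists are taken from this page.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URI_ATTRIBUTES = {"action", "background", "dynsrc", "href", "lowsrc", "src"}

_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
_EDGE_CHARS = "".join(chr(c) for c in range(0x21))  # C0 controls and space

def uri_allowed(value):
    """True if value is a relative URL or uses an allowed scheme."""
    # Browsers drop tab/CR/LF inside a URL and trim leading/trailing
    # controls and spaces, so normalise the same way before judging.
    cleaned = re.sub(r"[\t\r\n]", "", value).strip(_EDGE_CHARS)
    match = _SCHEME.match(cleaned)
    # No scheme means relative or protocol-relative, which the page allows.
    return match is None or match.group(1).lower() in ALLOWED_SCHEMES

class UriAudit(HTMLParser):
    """Collects (tag, attribute, value) for URI attributes that fail the rule."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes character references.
        for name, value in attrs:
            if name in URI_ATTRIBUTES and value and not uri_allowed(value):
                self.findings.append((tag, name, value))

def audit(html):
    parser = UriAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample input.
SAMPLE = '''<a href="https://example.com/">ok</a>
<img src="//cdn.example.com/logo.png">
<a href="docs/page.html?ref=a:b">relative</a>
<a href="mailto:help@example.com">mail</a>
<a href="javascript:void(0)">flagged</a>
<img src="data:image/png;base64,AAAA">
<form action="ftp://files.example.com/upload"></form>'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```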

Note: You can use the Script Editor to add JavaScript to questions, portal content boxes, and entry quotas.

To access the Script Editor, click Edit Scripts.
Add Javascript to Access to the Script Editor
Questions
Portal content boxes
Entry quotas