HTML sanitizer

This article is based on the ServiceNow documentation article. See the original article on the ServiceNow doc site: ServiceNow: HTML sanitizer

Remove unwanted code and protect against security concerns such as cross-site scripting attacks by sanitizing HTML markup in HTML fields and translated HTML fields.

The HTML sanitizer keeps only the markup on the built-in white list, which lists the elements and attributes that you always want to preserve; everything else is removed. The sanitizer provides the HTMLSanitizerConfig script include that administrators can use to modify the built-in white list. Items can also be added to the black list, which overrides the white list, so that matching HTML markup is removed even when the white list would otherwise allow it.
The following types of items can be added to white and black lists:

  • Global attributes
  • Any HTML elements

By default, URL attributes like href and src support only these protocols:

  • http
  • https
  • mailto
  • data

For example:

<a href="https://community.servicenow.com/community">Now Community</a>

To learn more about the glide.html.sanitize_all_fields property that controls use of the HTML sanitizer, see HTML sanitizer (instance security hardening) in the Instance Security Hardening Guide.

Configure urlAttributes and the protocols

You can configure urlAttributes and their protocols in the HTMLSanitizer script include. For example:

HTML_WHITELIST : {
urlAttributes: { "protocols" : [ "file", "notes" ] },
- -
- -
}

Because notes is white listed in the example above, this URL is not sanitized:

<a title="Lotus" href="Notes://ABC/X575C90019DE33/ABC594DCB76D86EB4925653E0011C4C1/ZZ90B7E2D33964749257EEA003456FD">Lotus</a></p>

The default white list

BUILTIN_HTML_WHITELIST :{
    globalAttributes:{ attribute:["id","class","lang","title","style"],
                       attributeValuePattern:{}},
    label:{ attribute:["for"]},
    font:{ attribute:["color","face","size"]},
    a:{ attribute:["href","nohref","name","shape"]},
    img:{ attribute:["src","name","alt","border","hspace","vspace","align","height","width"]},
    table:{ attribute:["border","cellpadding","cellspacing","bgcolor","background","align","no resize","height","width","summary","frame","rules"]},
    th:{ attribute:["background","bicolor","abbr","axis","headers","scope","nowrap","height","width","align","valign","char off","char","colspan","rowspan"]},
    td:{ attribute:["background","bicolor","abbr","axis","headers","scope","nowrap","height","width","align","valign","char off","char","colspan","rowspan"]},
    tr:{ attribute:["background","height","width","align","valign","char off","char"]},
    thead:{attribute:["align","valign","char off","char"]},
    tbody:{attribute:["align","valign","char off","char"]},
    tfoot:{attribute:["align","valign","char off","char"]},
    colgroup:{attribute:["align","valign","char off","char","span","width"]},
    col:{attribute:["align","valign","char off","char","span","width"]},
    p:{attribute:["align"]},
    style:{attributeValuePattern:{"type":"text/css"}},
    canvas:{ attribute:["height","width"]},
    details:{ attribute:["open"]},
    summary:{ attribute:["open","valign","char off","char"]},
    button:{ attribute:["disabled","accesskey","type"]},
    form:{},
    input:{ attribute:["size","maxlength","checked","alt","src","type","disabled","readonly","accesskey","border","usemap"]},
    select:{ attribute:["disabled","multiple","size"]},
    textarea:{ attribute:["rows","cols","disabled","readonly","accesskey"]},
    option:{ attribute:["disabled","label","selected"]},
    div:{ attribute:["align"]},
    ol:{ attribute:["start","type","square"]},
    ul:{ attribute:["type","square","itemscope","itemtype","itemref"]},
    li:{ attribute:["value","fb__id","itemprop"]},
    span:{ attribute:["color","size","data-mce-bogus","itemprop","face"]},
    br:{ attribute:["clear"]},
    h3:{ attribute:["itemprop"]},
    html:{ attribute:["xmlns","lang","xml:lang"]},
    link:{ attribute:["rel","type","href","charset"]},
    meta:{ attribute:["name","content","scheme","charset","http-equiv"]},
    pre:{ attribute:["xml:space"]},
    noscript:{},    h1:{},    h2:{},    h4:{},    h5:{},    h6:{},
    i:{},    b:{},    u:{},    strong:{},    em:{},    small:{},    big:{},
    pre:{},    code:{},    cite:{},    samp:{},    sub:{},    sup:{},
    strike:{},    center:{},    blockquote:{},    hr:{},    map:{},
    dd:{},    dt:{},    dl:{},    fieldset:{},    legend:{},    figure:{},    tt:{},
    body:{},    caption:{},    head:{},    title:{},    var:{},    a shape:{}
}

Last modified on Jun 23, 2020