Who can use this feature?
- Global Administrators can customize HTML Content Allowlists in TDAdmin.
Several places in TeamDynamix allow the entry of formatted text, usually via a text editor called CKEditor. Formatted text content is stored as HTML, which is sanitized and displayed for the user when they view the formatted text. Certain content is always allowed, while some is always restricted. Administrators have the option to add additional permitted content in TDAdmin.
This article explains how formatted content is sanitized and how administrators can manage the HTML Content Allowlists that control sanitization.
Formatted text content in TeamDynamix is stored as HTML and CSS. This content could be used to break, disrupt, or hijack the TeamDynamix system, and so it is sanitized when it is viewed in a page. Sanitizing means that any syntax that is not supported by TeamDynamix is removed before it is displayed.
Sanitization happens on the pages where the formatted content is displayed, not in the content editor, so you may see unsupported HTML content appear in the editor that doesn’t appear in the published view of the page.
There is a base set of allowed content types that is used throughout the system. Administrators can use the HTML Content Allowlists to add other content types that will be permitted within their organization. Additionally, HTML desktop modules have a framework to bypass this sanitization during HTML module creation and editing, via the TDAdmin administrator permission “Create/Modify Unsanitized HTML Modules”.
The only way to be granted the TDAdmin administrator Create/Modify Unsanitized HTML Modules permission is to submit a support request or report an implementation project issue for it. TeamDynamix grants this permission on an admin-by-admin basis.
If you need to use something in one of these areas that is not currently allowed, please submit a feature request here with the relevant details and business case. Please note that feedback on this KB is not monitored for feature requests.
Global administrators can manage which additional HTML content is allowed.
To add an entry to HTML content allowlists:
- In TDAdmin, navigate to Organization Settings > HTML Content Allowlists
- Select the specific allowlist in the left navigation
- Click Add Entry to add a row to the list of allowed items
- Enter the allowlist value in the Entry field
- Click Save
Additional controls:
- To disable individual allowlist entries, uncheck the Enabled box
- To delete an allowlist entry, click Delete under Actions
- Toggle all custom allowlist entries using the Enable All and Disable All links below the toolbar
- To view the default allowlist, click the Show Default Entries button
The following HTML elements (i.e., between < and >) are allowed automatically in formatted HTML content. Anything outside of these lists will not display unless an administrator has added it to the organization’s allowlist.
- a
- abbr
- acronym
- address
- area
- article
- aside
- b
- big
- blockquote
- br
- button
- caption
- center
- cite
- code
- col
- colgroup
- dd
- del
- dfn
- dir
- div
- dl
- dt
- em
- fieldset
- figcaption
- figure
- font
- footer
- h1
- h2
- h3
- h4
- h5
- h6
- header
- hr
- i
- img
- input
- ins
- kbd
- label
- legend
- li
- map
- mark
- nav
- ol
- optgroup
- option
- p
- pre
- q
- s
- samp
- section
- select
- small
- span
- strike
- strong
- sub
- sup
- table
- tbody
- td
- textarea
- tfoot
- th
- thead
- tr
- tt
- u
- ul
- var
- wbr
Permanently-Disallowed HTML Elements
The following HTML elements cannot be added to allowlists:
- applet
- base
- body
- embed
- form
- frame
- frameset
- head
- html
- link**
- math
- meta
- noscript
- object
- param
- plaintext
- portal
- script*
- shadow
- slot
- style**
- svg
- template
- title
- Custom Elements
* Inline (JavaScript) <script> elements (not referencing an allowed external source file) are disallowed. See the Script Sources section for more information about how to allow external JavaScript files by source URL. The following usage is disallowed:
<script type="text/javascript"> doCodeHere; </script>
** External and inline (CSS) <link> or <style> elements are disallowed. Neither of the following usages is allowed:
<link href="urlToMyStylesheet.css" rel="stylesheet" type="text/css" />
<style type="text/css"> .my-style { color: red; } </style>
The following HTML attributes are allowed automatically in formatted HTML content. Anything outside of these lists will not display unless an administrator has added it to the organization’s allowlist.
- abbr
- accept
- accept-charset
- accesskey
- align
- allowfullscreen
- alt
- aria-describedby
- aria-expanded
- aria-haspopup
- aria-label
- aria-labeledby
- axis
- bgcolor
- border
- cellpadding
- cellspacing
- char
- charoff
- charset
- checked
- cite
- class
- clear
- color
- cols
- colspan
- compact
- coords
- data-interval
- data-ride
- data-slide
- data-slide-to
- data-target
- data-toggle
- datetime
- dir
- disabled
- enctype
- for
- frame
- frameborder
- headers
- height
- href
- hreflang
- hspace
- ismap
- label
- lang
- longdesc
- marginheight
- marginwidth
- maxlength
- media
- mozallowfullscreen
- multiple
- name
- nohref
- noshade
- nowrap
- placeholder
- prompt
- readonly
- rel
- rev
- role
- rows
- rowspan
- rules
- sandbox
- scope
- scrolling
- seamless
- selected
- shape
- size
- span
- src
- start
- style
- summary
- tabindex
- target
- title
- type
- usemap
- valign
- value
- vspace
- webkitallowfullscreen
- width
Permanently-Disallowed HTML Attributes
The following HTML attributes cannot be added to allowlists:
- id
- is
- autofocus
- formaction
- formmethod
- crossorigin
- data-title
- data-content
- data-html
- on* (JavaScript event handlers)
The following CSS properties are allowed automatically in formatted HTML content. Anything outside of these lists will not display unless an administrator has added it to the organization’s allowlist.
Permanently-Disallowed CSS Properties
The following CSS properties cannot be added to allowlists:
- bottom
- contain
- filter
- isolation
- left
- position
- right
- top
- transform
- transform-origin
- transform-style
- transition
- transition-delay
- transition-duration
- transition-property
- transition-timing-function
- translate
- z-index
HTML iframes are allowed in TeamDynamix, but the source (src) attribute must be in the Iframe Sources allowlist. The following entries are added by default:
- http(s)://archive.org/embed/
- http(s)://bing.com/maps/embed/
- http(s)://dailymotion.com/embed/video/
- http(s)://google.com/maps/embed?
- http(s)://mapquest.com/embed?
- http(s)://player.vimeo.com/video/
- http(s)://web.microsoftstream.com/embed/video/
- http(s)://youtube.com/embed/
- http(s)://youtube-nocookie.com/embed/
When adding any additional iframe sources, you should be as specific as possible to limit the risk if the allowed site is compromised. You should select an appropriate path and query prefix that incorporates any organization-specific information.
For example, Kaltura embed URLs have a "partner ID" in them, and so a sample entry might look like:
https://cdnapisec.kaltura.com/p/<partnerID>/embedPlaykitJs/uiconf_id/
Similarly, Panopto embed URLs rely on a combination of organizational subdomain and video ID, and so sample entries might look like:
https://<org>.hosted.panopto.com/Panopto/Pages/Embed.aspx?id=
https://<org>.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=
HTML script elements are allowed in TeamDynamix, but the source (src) attribute must be in the Script Sources allowlist. The following entries are added by default:
- http://ai.ocelotbot.com/embed/standard/
- http://bot.ivy.ai/bot/script/category/
- http://prod.chatbot.aisera.cloud/
- http://staging.chatbot.aisera.cloud/
When adding any additional script sources, you should be as specific as possible to limit the risk if the allowed site is compromised. You should select an appropriate path and query prefix that incorporates any organization-specific information.
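The iframe and script source checks described above, as an added example (not TeamDynamix code) of a prefix-style source allowlist. The matching semantics are an assumption: scheme and host must match exactly (case-insensitively), the path-and-query part must start with the entry's, and a leading "http(s)://" in an entry stands for either scheme; "example-org" is a placeholder tenant subdomain.

```python
"""Prefix-style source allowlist for iframe src and external script src
values, modelled on the Iframe Sources and Script Sources lists above.
Added example, not TeamDynamix code; matching semantics are an assumption
(see lead-in)."""
from typing import Optional
from urllib.parse import urlsplit

# Default entries quoted from the page, plus one constructed organization-
# specific Panopto entry ("example-org" is a placeholder tenant subdomain).
IFRAME_SOURCES = [
    "http(s)://youtube.com/embed/",
    "http(s)://google.com/maps/embed?",
    "https://example-org.hosted.panopto.com/Panopto/Pages/Embed.aspx?id=",
]
SCRIPT_SOURCES = ["http://bot.ivy.ai/bot/script/category/"]


def expand_schemes(entry: str) -> list[str]:
    """'http(s)://x' -> ['http://x', 'https://x']; other entries unchanged."""
    marker = "http(s)://"
    if entry.startswith(marker):
        return ["http://" + entry[len(marker):], "https://" + entry[len(marker):]]
    return [entry]


def _parts(url: str) -> tuple[str, str, str]:
    """Split into (scheme, host, rest). Scheme and host are lowercased because
    they are case-insensitive; the path/query 'rest' keeps its case."""
    url = url.strip()
    p = urlsplit(url)
    rest = url[len(p.scheme) + 3 + len(p.netloc):]
    return p.scheme.lower(), p.netloc.lower(), rest


def src_allowed(src: str, allowlist: list[str]) -> bool:
    """True when src matches some entry. Requiring host equality (rather than a
    plain string prefix) means an entry can never bleed into a longer hostname
    or match a URL that places the allowed host in its userinfo part."""
    scheme, host, rest = _parts(src)
    if scheme not in ("http", "https") or not host:
        return False  # relative and protocol-relative URLs are never allowed
    for entry in allowlist:
        for prefix in expand_schemes(entry):
            e_scheme, e_host, e_rest = _parts(prefix)
            if scheme == e_scheme and host == e_host and rest.startswith(e_rest):
                return True
    return False


def script_element_allowed(src: Optional[str], allowlist: list[str]) -> bool:
    """Inline <script> (no src) is always removed; an external script survives
    only when its src is in the Script Sources allowlist."""
    if src is None or not src.strip():
        return False
    return src_allowed(src, allowlist)
```

The Panopto entry shows why a path-and-query prefix matters: with the specific entry only the embed page passes, while a broad entry such as "https://example-org.hosted.panopto.com/" would admit every page on that host.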
In addition to the restrictions on HTML content that can be managed with allowlists, there are some additional restrictions that are not configurable by administrators.
There is a fixed list of MIME types that can be used in data URIs within HTML elements with a source (src) attribute, such as images. In the following code sample, the MIME type being checked is the image/png portion of the src value:
<img alt="Embedded Image" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADIA..." />
The following MIME types are allowed:
- image/jpeg
- image/pjpeg
- image/gif
- image/png
- image/tiff
- image/bmp
- image/svg+xml
The following is a list of allowed URI schemes that can be used for HTML attribute values, typically for things like src or href attributes:
- http
- https
- ftp
- sftp
- ftps
- news
- mailto
- tel
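The MIME type and URI scheme rules from the two lists above, as an added example (not TeamDynamix code) of validating a URI-bearing attribute value. Assumptions: a value with no scheme is a relative URL and is kept, and a data: URI is kept only when its media type is in the MIME list.

```python
"""Validate a URI-bearing attribute value (src, href) against the fixed rules
above: the allowed URI schemes and, for data: URIs, the allowed image MIME
types. Added example, not TeamDynamix code. Assumptions: scheme-less values
are relative URLs and are kept; data: URIs are kept only when their media
type is in ALLOWED_DATA_MIME."""
import re
from typing import Optional

ALLOWED_SCHEMES = {"http", "https", "ftp", "sftp", "ftps", "news", "mailto", "tel"}
ALLOWED_DATA_MIME = {"image/jpeg", "image/pjpeg", "image/gif", "image/png",
                     "image/tiff", "image/bmp", "image/svg+xml"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalise(value: str) -> str:
    """Apply the same cleanup browsers do before scheme detection: drop ASCII
    tab/newline anywhere and trim leading/trailing C0 controls and spaces.
    Without this, a value such as 'java\\tscript:' or ' JavaScript:' would not
    look like a scheme to the check below but would to the browser."""
    value = re.sub(r"[\t\n\r]", "", value)
    return value.strip("".join(chr(c) for c in range(0x21)))


def data_uri_mime(value: str) -> Optional[str]:
    """Media type of a data: URI (lowercased), or None when it is missing or
    the URI is malformed. Form: data:[<mediatype>][;base64],<data>"""
    body = value[len("data:"):]
    comma = body.find(",")
    if comma < 0:
        return None
    mediatype = body[:comma].split(";")[0].strip().lower()
    return mediatype or None


def uri_attribute_allowed(value: str) -> bool:
    """True when the sanitizer may keep this attribute value."""
    v = normalise(value)
    m = _SCHEME.match(v)
    if m is None:
        return True  # relative URL (assumption, see module docstring)
    scheme = m.group(1).lower()
    if scheme == "data":
        return data_uri_mime(v) in ALLOWED_DATA_MIME
    return scheme in ALLOWED_SCHEMES
```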
The following is a list of the HTML attributes that can contain URIs. This should not be confused with plain text inside HTML tags, such as the body of a p or div element, which can contain any plain text value. This list applies specifically to the attributes of an HTML element itself:
HTML content is edited in the following locations:
- Client Portal login prompts, HTML headers and footers: TDAdmin > Applications > [Client Portal Application] > Settings > Site Settings
- TDNext login prompts: TDAdmin > Organization Settings > Site Settings
- HTML desktop modules: TDAdmin > Desktop Templates > HTML Modules
- Service Catalog Service content: TDClient > Services > New Service or Edit Service
- Service Catalog Service Offering content: TDClient > Services > [Service] > New Service Offering or Edit Service Offering
- Knowledge Base Article content: TDClient > Knowledge Base > New Article or Edit Article
- Question bodies and answers: TDClient > Questions > New Question or Edit Existing Question (or its Answers)