Rich Content Editor HTML Whitelist

Tags: html, ckeditor

Overview

There are several places in the TeamDynamix software which allow the entry of rich HTML content (usually via a CKEditor control). These places include:

  • Client Portal HTML headers and footers configured in TDAdmin > Organization Settings > Site Settings
  • TDNext and TDClient login prompts configured in TDAdmin > Organization Settings > Site Settings
  • Knowledge Base Article content
  • Service Catalog Service bodies
  • Question bodies and answers
  • HTML desktop modules configured in TDAdmin > Desktop Templates > HTML Modules

These locations, while allowing rich HTML content, sanitize it outbound during the rendering process. This article serves to document which items are whitelisted for usage. Anything outside of these lists will be stripped from the saved content before display. It should also be noted that sanitization happens in the detail pages where the rich content is displayed in the page, not in the content editing pages which contain CKEditor controls. While you may see content appear in the CKEditor control that is outside of the sanitization lists while editing, that content will be stripped out in the associated item's detail page when rendered.

Only HTML desktop modules have a framework, via the TDAdmin administrator Create/Modify Unsanitized HTML Modules permission, to bypass this sanitization during HTML module creation and editing. At this time, there is no way to disable the sanitization in any of the other areas.

The only way to be granted the TDAdmin administrator Create/Modify Unsanitized HTML Modules permission is to specifically enter a support request or implementation project issue for it. TeamDynamix grants this permission on an admin-by-admin basis.

If you need to use something in one of these areas which is not currently allowed, please submit a feature request here with the relevant details and business case. Please note that feedback on this KB is not monitored for feature requests.

Allowed HTML Tags

The list of HTML tags (between < and >) allowed in rich content.

  • a
  • abbr
  • acronym
  • address
  • area
  • article
  • aside
  • b
  • big
  • blockquote
  • br
  • button
  • caption
  • center
  • cite
  • code
  • col
  • colgroup
  • dd
  • del
  • dfn
  • dir
  • div
  • dl
  • dt
  • em
  • fieldset
  • figcaption
  • figure
  • font
  • footer
  • h1
  • h2
  • h3
  • h4
  • h5
  • h6
  • header
  • hr
  • i
  • img
  • input
  • ins
  • kbd
  • label
  • legend
  • li
  • map
  • mark
  • nav
  • ol
  • optgroup
  • option
  • p
  • pre
  • q
  • s
  • samp
  • section
  • select
  • small
  • span
  • strike
  • strong
  • sub
  • sup
  • table
  • tbody
  • td
  • textarea
  • tfoot
  • th
  • thead
  • tr
  • tt
  • u
  • ul
  • var
  • wbr

Image Width Restrictions and Resizing

Any images uploaded through the editor will be scaled down (with width as the constraint) if they exceed 900px in width. If you do not wish your images to be scaled down, ensure that they are already 900px wide or smaller before uploading. After the image is uploaded, you may attempt to scale up the image for display using HTML width and height attributes and/or inline CSS styles for width and height.

Size restrictions are especially impactful for animated GIFs of any sort. If an animated GIF is resized automatically during upload, the resize process has to resave the image, which in turn removes all animations! Be sure that any animated GIFs you intend to use are 900px wide or smaller. This will prevent automatic image resizing and removal of animations.

Iframe Exception URIs

HTML iframes are selectively allowed if the source (src) attribute value starts with one of the following domains (www prefixes in the domain are allowed):

  • http(s)://youtube.com/embed/
  • http(s)://youtube-nocookie.com/embed/
  • http(s)://player.vimeo.com/video/
  • http(s)://dailymotion.com/embed/video/
  • http(s)://google.com/maps/embed?
  • http(s)://bing.com/maps/embed/
  • http(s)://mapquest.com/embed?
  • http(s)://archive.org/embed/

Allowed HTML Attributes

The list of HTML attributes allowed in rich content.

  • abbr
  • accept
  • accept-charset
  • accesskey
  • align
  • alt
  • axis
  • bgcolor
  • border
  • cellpadding
  • cellspacing
  • char
  • charoff
  • charset
  • checked
  • cite
  • class
  • clear
  • cols
  • colspan
  • color
  • compact
  • coords
  • datetime
  • dir
  • disabled
  • enctype
  • for
  • frame
  • headers
  • height
  • href
  • hreflang
  • hspace
  • ismap
  • label
  • lang
  • longdesc
  • maxlength
  • media
  • multiple
  • name
  • nohref
  • noshade
  • nowrap
  • prompt
  • placeholder
  • readonly
  • rel
  • rev
  • rows
  • rowspan
  • rules
  • scope
  • selected
  • shape
  • size
  • span
  • src
  • start
  • style
  • summary
  • tabindex
  • target
  • title
  • type
  • usemap
  • valign
  • value
  • vspace
  • width
  • scrolling
  • frameborder
  • marginheight
  • marginwidth
  • sandbox
  • seamless
  • allowfullscreen
  • mozallowfullscreen
  • webkitallowfullscreen
  • data-slide-to
  • data-ride
  • data-slide
  • data-target
  • data-interval
  • data-toggle

Allowed CSS Properties

The list of CSS properties allowed in style attributes in rich content.

  • background
  • background-attachment
  • background-clip
  • background-color
  • background-image
  • background-origin
  • background-position
  • background-repeat
  • background-size
  • border
  • border-bottom
  • border-bottom-color
  • border-bottom-style
  • border-bottom-width
  • border-collapse
  • border-color
  • border-left
  • border-left-color
  • border-left-style
  • border-left-width
  • border-radius
  • border-right
  • border-right-color
  • border-right-style
  • border-right-width
  • border-spacing
  • border-style
  • border-top
  • border-top-color
  • border-top-style
  • border-top-width
  • border-width
  • box-shadow
  • caption-side
  • clear
  • clip
  • color
  • content
  • counter-increment
  • counter-reset
  • cursor
  • direction
  • display
  • empty-cells
  • float
  • font
  • font-family
  • font-size
  • font-style
  • font-variant
  • font-weight
  • height
  • letter-spacing
  • line-break
  • line-height
  • list-style
  • list-style-image
  • list-style-position
  • list-style-type
  • margin
  • margin-bottom
  • margin-left
  • margin-right
  • margin-top
  • max-height
  • max-width
  • min-height
  • min-width
  • opacity
  • orphans
  • outline
  • outline-color
  • outline-style
  • outline-width
  • overflow
  • overflow-wrap
  • overflow-x
  • overflow-y
  • padding
  • padding-bottom
  • padding-left
  • padding-right
  • padding-top
  • page-break-after
  • page-break-before
  • page-break-inside
  • quotes
  • table-layout
  • text-align
  • text-align-last
  • text-decoration
  • text-indent
  • text-overflow
  • text-shadow
  • text-transform
  • unicode-bidi
  • vertical-align
  • visibility
  • white-space
  • widows
  • width
  • word-break
  • word-spacing
  • word-wrap
  • columns
  • -webkit-columns
  • -moz-columns

Allowed Data URI MIME Types

The list of allowed MIME types that can be used in HTML elements with source (src) attributes, like images. In the following sample, the image/png portion is the MIME type being checked.

<img alt="Embedded Image" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADIA..." />

  • image/jpeg
  • image/pjpeg
  • image/gif
  • image/png
  • image/tiff
  • image/bmp
  • image/svg+xml


Allowed URI Schemes

The list of allowed URI schemes that can be used for HTML attribute values, typically for things like src or href attributes.

  • http
  • https
  • ftp
  • sftp
  • ftps
  • news
  • mailto
  • tel

Allowed URI Attributes

The list of allowed HTML attributes which can contain URIs. This should not be confused with plain text inside of HTML tags, like the body of a p or div tag. Those can contain any sort of plain text value desired. This is specifically for HTML attributes of an HTML element itself.

  • src
  • href
  • background
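As an added illustration (not TeamDynamix's code), the following Python snippet applies the URI rules from this article to a single attribute value: the iframe exception prefixes, the data URI MIME types, the URI schemes, and the URI-bearing attributes. The function names are hypothetical; treating schemeless (relative) values as passing the scheme check and rejecting values that contain embedded control characters are assumptions of this example, not rules stated above.

```python
from urllib.parse import urlsplit

# Values below are copied from the whitelist on this page.
ALLOWED_SCHEMES = {"http", "https", "ftp", "sftp", "ftps", "news", "mailto", "tel"}
URI_ATTRIBUTES = {"src", "href", "background"}
ALLOWED_DATA_MIME = {"image/jpeg", "image/pjpeg", "image/gif", "image/png",
                     "image/tiff", "image/bmp", "image/svg+xml"}
# (host, path prefix) pairs for the iframe exceptions; a leading "www." is allowed.
IFRAME_PREFIXES = [
    ("youtube.com", "/embed/"), ("youtube-nocookie.com", "/embed/"),
    ("player.vimeo.com", "/video/"), ("dailymotion.com", "/embed/video/"),
    ("google.com", "/maps/embed?"), ("bing.com", "/maps/embed/"),
    ("mapquest.com", "/embed?"), ("archive.org", "/embed/"),
]


def iframe_src_allowed(src: str) -> bool:
    """True when src starts with one of the iframe exception URIs above."""
    parts = urlsplit(src.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.netloc.lower()          # userinfo or a port makes this not match
    if host.startswith("www."):
        host = host[4:]
    # Re-attach the query so prefixes that end in "?" can be compared literally.
    path = parts.path + ("?" + parts.query if parts.query else "")
    return any(host == h and path.startswith(p) for h, p in IFRAME_PREFIXES)


def uri_attribute_allowed(tag: str, attr: str, value: str) -> bool:
    """Apply the scheme, data URI and iframe rules to one attribute value."""
    if attr not in URI_ATTRIBUTES:
        return True                      # not a URI-bearing attribute
    value = value.strip()
    if any(ord(c) < 0x20 for c in value):
        return False                     # assumption: embedded control chars are rejected
    if tag == "iframe" and attr == "src":
        return iframe_src_allowed(value)
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme == "data":
        # data:<mime>[;base64],<payload> -> only the listed image types, only in src
        mime = parts.path.split(",", 1)[0].split(";", 1)[0].lower()
        return attr == "src" and mime in ALLOWED_DATA_MIME
    if scheme == "":
        return True                      # assumption: relative URIs pass the scheme check
    return scheme in ALLOWED_SCHEMES
```

The sample values in the test are constructed; the host comparison is exact after the optional www. prefix is removed, so a look-alike host such as youtube.com.example does not match.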

Details

Article ID: 48230
Created: Fri 2/9/18 5:35 PM
Modified: Tue 11/26/19 12:38 PM