HTML Content Allowlists

Overview

There are several places in TeamDynamix which allow the entry of formatted text, usually via a text editor called CKEditor. Formatted text content is stored as HTML, which is sanitized and displayed for the user when they view the formatted text.

As this article will explain how this sanitization works and how administrators can customize this process. Certain content is allowed at all times, and administrators can add additional allowed content in TDAdmin.

Where to Find This

TeamDynamix Administrators will manage HTML content allowlists in TDAdmin.

Navigate to HTML content allowlists following this path:

  • TDAdmin > Organization Settings > HTML Content Allowlists

Administrators, Service Catalog managers and Knowledge managers will use formatted content in a variety of places in TDAdmin and TDClient.

Navigate to HTML content following these paths:

  • Client Portal login prompts, HTML headers and footers: TDAdmin > Applications > [Client Portal Application] > Settings > Site Settings
  • TDNext login prompts: TDAdmin > Organization Settings > Site Settings
  • HTML desktop modules: TDAdmin > Desktop Templates > HTML Modules
  • Service Catalog Service content: TDClient > Services > New Service or Edit Service
  • Service Catalog Service Offering content: TDClient > Services > [Service] > New Service Offering or Edit Service Offering
  • Knowledge Base Article content: TDClient > Knowledge Base> New Article or Edit Article
  • Question bodies and answers: TDClient > Questions > New Question or Edit Existing Question (or its Answers)

Understanding HTML Sanitization

Formatted text content in TeamDynamix is stored as HTML and CSS. This content could be used to break, disrupt or hijack the TeamDynamix system and so it is sanitized when it is viewed in a page. Sanitizing means any syntax that is not supported by TeamDynamix is removed before it is displayed.

Sanitization happens on the pages where the formatted content is displayed, not in the content editor, so you may see unsupported HTML content appear in the editor that doesn’t appear in the published view of the page.

There is a base set of allowed content types that is used throughout the system. Administrators can use the HTML Content Allowlists to add other content types that will be permitted within their organization. Additionally, HTML desktop modules have a framework to bypass this sanitization during HTML module creation and editing, via the TDAdmin administrator permission “Create/Modify Unsanitized HTML Modules”.

If you need to use something in one of these areas which is not currently allowed, please submit a feature request here with the relevant details and business case. Please note that feedback on this KB is not monitored for feature requests.

Managing HTML Content Allowlists

A base set of HTML content is allowed in formatted text in the system. TeamDynamix administrators can manage which additional HTML content is allowed in TDAdmin, by following these steps:

  1. Navigate to TDAdmin > Organization Settings > HTML Content Allowlist > [specific allowlist]. The following Allowlists are supported:
    • HTML Elements
    • HTML Attributes
    • CSS Properties
    • Iframe Sources
    • Script Sources
  2. Click Add Entry to add a row to the list of allowed items.
  3. Enter the allowlist entry in the Entry field.
  4. Save.

Individual allowlist entries can be disabled by unchecking them and can be deleted if they are no longer required. All custom allowlist entries can be toggled using the Enable All and Disable All buttons on the toolbar.

Administrators can also view the default allowlist by clicking Show Default Entries.

HTML Elements

The following HTML elements (i.e., between < and >) are allowed automatically in formatted HTML content. Anything outside of these lists will not display unless an administrator has added it to the organization’s allowlist.

  • a
  • abbr
  • acronym
  • address
  • area
  • article
  • aside
  • b
  • big
  • blockquote
  • br
  • button
  • caption
  • center
  • cite
  • code
  • col
  • colgroup
  • dd
  • del
  • dfn
  • dir
  • div
  • dl
  • dt
  • em
  • fieldset
  • figcaption
  • figure
  • font
  • footer
  • h1
  • h2
  • h3
  • h4
  • h5
  • h6
  • header
  • hr
  • i
  • img
  • input
  • ins
  • kbd
  • label
  • legend
  • li
  • map
  • mark
  • nav
  • ol
  • optgroup
  • option
  • p
  • pre
  • q
  • s
  • samp
  • section
  • select
  • small
  • span
  • strike
  • strong
  • sub
  • sup
  • table
  • tbody
  • td
  • textarea
  • tfoot
  • th
  • thead
  • tr
  • tt
  • u
  • ul
  • var
  • wbr

Permanently-Disallowed HTML Elements

The following HTML elements cannot be added to allowlists:

  • applet
  • base
  • body
  • embed
  • form
  • frame
  • frameset
  • head
  • html
  • link**
  • math
  • meta
  • noscript
  • object
  • param
  • plaintext
  • portal
  • script*
  • shadow
  • slot
  • style**
  • svg
  • template
  • title
  • Custom Elements

* Inline (JavaScript) <script> elements (not referencing an allowed external source file) are disallowed. See the Script Sources section for more information about how to allow external JavaScript files by source URLs. The following usage is disallowed:
<script type="text/javascript"> doCodeHere; </script>

** External and inline (CSS) <link> or <style> elements are disallowed. Neither of the following usages are allowed:
<link href="urlToMyStylesheet.css" rel="stylesheet" type="text/css" />
<style type="text/css"> .my-style { color: red; } </style>

HTML Attributes

The following HTML attributes are allowed automatically in formatted HTML content. Anything outside of these lists will not display unless an administrator has added it to the organization’s allowlist.

  • abbr
  • accept
  • accept-charset
  • accesskey
  • align
  • allowfullscreen
  • alt
  • aria-describedby
  • aria-expanded
  • aria-haspopup
  • aria-label
  • aria-labeledby
  • axis
  • bgcolor
  • border
  • cellpadding
  • cellspacing
  • char
  • charoff
  • charset
  • checked
  • cite
  • class
  • clear
  • color
  • cols
  • colspan
  • compact
  • coords
  • data-interval
  • data-ride
  • data-slide
  • data-slide-to
  • data-target
  • data-toggle
  • datetime
  • dir
  • disabled
  • enctype
  • for
  • frame
  • frameborder
  • headers
  • height
  • href
  • hreflang
  • hspace
  • ismap
  • label
  • lang
  • longdesc
  • marginheight
  • marginwidth
  • maxlength
  • media
  • mozallowfullscreen
  • multiple
  • name
  • nohref
  • noshade
  • nowrap
  • placeholder
  • prompt
  • readonly
  • rel
  • rev
  • role
  • rows
  • rowspan
  • rules
  • sandbox
  • scope
  • scrolling
  • seamless
  • selected
  • selected
  • shape
  • size
  • span
  • src
  • start
  • style
  • summary
  • tabindex
  • target
  • title
  • type
  • usemap
  • valign
  • value
  • vspace
  • webkitallowfullscreen
  • width

Permanently-Disallowed HTML Attributes

The following HTML attributes cannot be added to allowlists:

  • id
  • is
  • autofocus
  • formaction
  • formmethod
  • crossorigin
  • data-title
  • data-content
  • data-html
  • on* (JavaScript event handlers)

CSS Properties

The following CSS properties are allowed automatically in formatted HTML content. Anything outside of these lists will not display unless an administrator has added it to the organization’s allowlist.

  • background
  • background-attachment
  • background-clip
  • background-color
  • background-image
  • background-origin
  • background-position
  • background-repeat
  • background-size
  • border
  • border-bottom
  • border-bottom-color
  • border-bottom-style
  • border-bottom-width
  • border-collapse
  • border-color
  • border-left
  • border-left-color
  • border-left-style
  • border-left-width
  • border-radius
  • border-right
  • border-right-color
  • border-right-style
  • border-right-width
  • border-spacing
  • border-style
  • border-top
  • border-top-color
  • border-top-style
  • border-top-width
  • border-width
  • box-shadow
  • caption-side
  • clear
  • clip
  • color
  • columns
  • content
  • counter-increment
  • counter-reset
  • cursor
  • direction
  • display
  • empty-cells
  • float
  • font
  • font-family
  • font-size
  • font-stretch
  • font-style
  • font-variant
  • font-weight
  • height
  • letter-spacing
  • line-break
  • line-height
  • list-style
  • list-style-image
  • list-style-position
  • list-style-type
  • margin
  • margin-bottom
  • margin-left
  • margin-right
  • margin-top
  • max-height
  • max-width
  • min-height
  • min-width
  • -moz-columns
  • opacity
  • orphans
  • outline
  • outline-color
  • outline-style
  • outline-width
  • overflow
  • overflow-wrap
  • overflow-x
  • overflow-y
  • padding
  • padding-bottom
  • padding-left
  • padding-right
  • padding-top
  • page-break-after
  • page-break-before
  • page-break-inside
  • quotes
  • table-layout
  • text-align
  • text-align-last
  • text-decoration
  • text-indent
  • text-orientation
  • text-overflow
  • text-shadow
  • text-transform
  • unicode-bidi
  • vertical-align
  • visibility
  • -webkit-columns
  • white-space
  • widows
  • width
  • word-break
  • word-spacing
  • word-wrap
  • writing-mode

Permanently-Disallowed CSS Properties

The following CSS properties cannot be added to allowlists:

  • bottom
  • contain
  • filter
  • isolation
  • left
  • position
  • right
  • top
  • transform
  • transform-origin
  • transform-style
  • transition
  • transition-delay
  • transition-duration
  • transition-property
  • transition-timing-function
  • translate
  • z-index

Iframe Sources

HTML iframes are allowed in TeamDynamix, but the source (src) attribute must be in the Iframe Sources allowlist. The following entries are added by default:

  • http(s)://archive.org/embed/
  • http(s)://bing.com/maps/embed/
  • http(s)://dailymotion.com/embed/video/
  • http(s)://google.com/maps/embed?
  • http(s)://mapquest.com/embed?
  • http(s)://player.vimeo.com/video/
  • http(s)://web.microsoftstream.com/embed/video/
  • http(s)://youtube.com/embed/
  • http(s)://youtube-nocookie.com/embed/

When adding any additional iframe sources, you should be as specific as possible to limit the risk if the allowed site is compromised. You should select an appropriate path and query prefix that incorporates any organization-specific information.

For example, Kaltura embed URLs have a "partner ID" in them, and so a sample entry might look like:

https://cdnapisec.kaltura.com/p/<partnerID>/embedPlaykitJs/uiconf_id/

Similarly, Panopto embed URLs rely on a combination of organizational subdomain and video ID, and so sample entries might look like:

https://<org>.hosted.panopto.com/Panopto/Pages/Embed.aspx?id=
https://<org>.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=

Script Sources

HTML script elements are allowed in TeamDynamix, but the source (src) attribute must be in the Script Sources allowlist. The following entries are added by default:

  • http://ai.ocelotbot.com/embed/standard/
  • http://bot.ivy.ai/bot/script/category/
  • http://prod.chatbot.aisera.cloud/
  • http://staging.chatbot.aisera.cloud/

When adding any additional script sources, you should be as specific as possible to limit the risk if the allowed site is compromised. You should select an appropriate path and query prefix that incorporates any organization-specific information.

Other Restrictions on HTML Content

In addition to the restrictions on HTML content that can be managed with allowlists, there are some additional restrictions that are not configurable by administrators.

Allowed Data URI MIME Types

The list of allowed MIME types that can be used in HTML elements with source (src) attributes, like images. See the following code sample for reference. The red and bolded portion is the MIME type being checked.

<img alt="Embedded Image" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADIA..." />

The following MIME types are allowed:

  • image/jpeg
  • image/pjpeg
  • image/gif
  • image/png
  • image/tiff
  • image/bmp
  • image/svg+xml 

Allowed URI Schemes

The following is a list of allowed URI schemes that can be used for HTML attribute values, typically for things like src or href attributes:

  • http
  • https
  • ftp
  • sftp
  • ftps
  • news
  • mailto
  • tel

Allowed URI Attributes

The following is a list of allowed HTML attributes which can contain URIs. This should not be confused with plain text inside of HTML tags, like the body of a p or div tag. Those can contain any sort of plain text value desired. This is specifically for HTML attributes of an HTML element itself:

  • src
  • href
  • background
100% helpful - 3 reviews

Details

Article ID: 48230
Created
Fri 2/9/18 5:35 PM
Modified
Wed 2/7/24 9:51 AM

Related Articles (3)

Article and Service Templates
This article will help TeamDynamix Administrators and Client Portal Application Administrators to create Service Catalog and Knowledge Base article templates.
Attachments in TeamDynamix
This document outlines the usage of attachments in TeamDynamix.