Topics

All topics

HTML sanitization

Overview

Sitefinity CMS leverages the out-of-the-box HTML sanitizer to ensure HTML content, for example, scripts or tags, is safe and does not cause security vulnerabilities to your system. The reason is that raw HTML data may come from a variety of sources. The HTML sanitizer avoids cross-site scripting (XSS) attacks while in the meantime allowing users to contribute with HTML markup and content. The HTML sanitizer is configured to work out-of-the-box with built-in widgets to ensure elements from untrusted sources are stripped and are not displayed. The sanitizer identifies elements as untrusted if they are not included in the whitelist. For more information, see Reference: HTML sanitizer whitelist.

NOTE: If you are upgrading from versions older than Sitefinity CMS 10.2 and you want to leverage the HTML sanitizer whitelist capabilities, you need to manually switch on the sanitizer. To do so, navigate to Administration » Settings » Advanced » Security. Make sure the Disable HTML sanitization checkbox is not selected. We recommend that once you switch on the HTML sanitizer, you test your website for potential issues with HTML content and content editing.

Enable HTML sanitizer for custom widgets

You use the HTML sanitizer API for your custom widgets, widget templates, and views, so that untrusted content is filtered out.

Web Forms Sanitizer API

To use the HTML sanitizer in Web Form widgets, you call the following static methods in the Telerik.Sitefinity.Web.UI.ControlUtilities class:

string Sanitize(string), string Sanitize(object)
You use these methods to remove or encode parts of the HTML content in the provided parameter. This content may include dangerous or potentially dangerous elements, for example, <script> tags or unescaped attribute values, so that the HTML content returned is safe to be displayed.
string SanitizeUrl(string)
You use this method when the content rendered is an URL, provided by a user. The method ensures that no dangerous protocols, for example, javascript:, or unescaped query string parameter values are passed. The method is executed in the context of Sanitize(string) method for the values of the attributes that contain URL values.

Feather Sanitizer API

When working with Feather, you need to use the following helper methods in the Telerik.Sitefinity.Frontend.Mvc.Helpers namespace:

@Html.HtmlSanitize(ModelUserProvidedHtml)
@Html.HtmlSanitizeUrl(Model.UserProvidedUrl)

Modify the HTML sanitizer configuration

In case your website scenario requires you to change the list with whitelisted elements, you can modify the default configuration of the HTML sanitizer. To do this, you create a new HTML sanitizer that extends the out-of-the-box capabilities of the default sanitizer and adds more elements to the whitelist. The following sample demonstrates how to add a custom_attribute to the HTML sanitizer whitelist:

HTML sanitizer whitelist

Default tags allowed	Default schemes allowed	Default attributes allowed	Default Uri attributes	Default CSS properties allowed
`a` `abbr` `acronym` `address` `area` `b` `big` `blockquote` `br` `button` `caption` `center` `cite` `code` `col` `colgroup` `dd` `del` `dfn` `dir` `div` `dl` `dt` `em` `fieldset` `font` `form` `h1` `h2` `h3` `h4` `h5` `h6` `hr` `i` `img` `input` `ins` `kbd` `label` `legend` `li` `map` `menu` `ol` `optgroup` `option` `p` `pre` `q` `s` `samp` `select` `small` `span` `strike` `strong` `sub` `sup` `table` `tbody` `td` `textarea` `tfoot` `th` `thead` `tr` `tt` `u` `ul` `var` `section` `nav` `article` `aside` `header` `footer` `main` `figure` `figcaption` `data` `time` `mark` `ruby` `rt` `rp` `bdi` `wbr` `datalist` `keygen` `output` `progress` `meter` `details` `summary` `menuitem` `html` `head` `body`	`http` `https`	`abbr` `accept` `accept-charset` `accesskey` `action` `align` `alt` `axis` `bgcolor` `border` `cellpadding` `cellspacing` `char` `charoff` `charset` `checked` `cite` `clear` `cols` `colspan` `color` `compact` `coords` `datetime` `dir` `disabled` `enctype` `for` `frame` `headers` `height` `href` `hreflang` `hspace` `ismap` `label` `lang` `longdesc` `maxlength` `media` `method` `multiple` `name` `nohref` `noshade` `nowrap` `prompt` `readonly` `rel` `rev` `rows` `rowspan` `rules` `scope` `selected` `shape` `size` `span` `src` `start` `style` `summary` `tabindex` `target` `title` `type` `usemap` `valign` `value` `vspace` `width` `high` `keytype` `list` `low` `max` `min` `novalidate` `open` `optimum` `pattern` `placeholder` `pubdate` `radiogroup` `required` `reversed` `spellcheck` `step` `wrap` `challenge` `contenteditable` `draggable` `dropzone` `autocomplete` `autosave`	`action` `background` `dynsrc` `href` `lowsrc` `src`	`background` `background-attachment` `background-color` `background-image` `background-position` `background-repeat` `border` `border-bottom` `border-bottom-color` `border-bottom-style` `border-bottom-width` `border-collapse` `border-color` `border-left` `border-left-color` `border-left-style` `border-left-width` `border-right` `border-right-color` `border-right-style` `border-right-width` `border-spacing` `border-style` `border-top` `border-top-color` `border-top-style` `border-top-width` `border-width` `bottom` `caption-side` `clear` `clip` `color` `content` `counter-increment` `counter-reset` `cursor` `direction` `display` `empty-cells` `float` `font` `font-family` `font-size` `font-style` `font-variant` `font-weight` `height` `left` `letter-spacing` `line-height` `list-style` `list-style-image` `list-style-position` `list-style-type` `margin` `margin-bottom` `margin-left` `margin-right` `margin-top` `max-height` `max-width` `min-height` `min-width` `opacity` `orphans` `outline` `outline-color` `outline-style` `outline-width` `overflow` `padding` `padding-bottom` `padding-left` `padding-right` `padding-top` `page-break-after` `page-break-before` `page-break-inside` `quotes` `right` `table-layout` `text-align` `text-decoration` `text-indent` `text-transform` `top` `unicode-bidi` `vertical-align` `visibility` `white-space` `widows` `width` `word-spacing` `z-index`

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?

Yes No

Would you like to submit additional feedback?

Your feedback about this content is important

How helpful is this article?

Very helpful Somewhat helpful Not helpful

How can we improve this article?(Optional)

Fix typos or links

Fix incorrect information

Add or update code samples

Add or update illustrations

Add information about...

Send feedback Cancel

Global data processing