HTML sanitization

Overview

Sitefinity CMS leverages the out-of-the-box HTML sanitizer to ensure that HTML content, for example, scripts or tags, is safe and does not introduce security vulnerabilities into your system. The reason is that raw HTML data may come from a variety of sources. The HTML sanitizer prevents cross-site scripting (XSS) attacks while still allowing users to contribute HTML markup and content. The HTML sanitizer is configured to work out-of-the-box with built-in widgets to ensure that elements from untrusted sources are stripped and are not displayed. The sanitizer identifies elements as untrusted if they are not included in the whitelist. For more information, see Reference: HTML sanitizer whitelist.

NOTE: If you are upgrading from versions older than Sitefinity CMS 10.2 and you want to leverage the HTML sanitizer whitelist capabilities, you need to manually switch on the sanitizer. To do so, navigate to Administration » Settings » Advanced » Security. Make sure the Disable HTML sanitization checkbox is not selected. We recommend that once you switch on the HTML sanitizer, you test your website for potential issues with HTML content and content editing.

Enable HTML sanitizer for custom widgets

You use the HTML sanitizer API for your custom widgets, widget templates, and views, so that untrusted content is filtered out.

Web Forms Sanitizer API

To use the HTML sanitizer in Web Form widgets, you call the following static methods in the Telerik.Sitefinity.Web.UI.ControlUtilities class:
  • string Sanitize(string), string Sanitize(object)
    These methods remove or encode the parts of the HTML content in the provided parameter that are dangerous or potentially dangerous, for example, <script> tags or unescaped attribute values, so that the returned HTML content is safe to display.
  • string SanitizeUrl(string)
    You use this method when the rendered content is a URL provided by a user. The method ensures that no dangerous protocols, for example, javascript:, or unescaped query string parameter values are passed through. The method is executed in the context of the Sanitize(string) method for the values of attributes that contain URLs.
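The two methods above applied in a hypothetical custom Web Forms widget (an added example, not code from the Sitefinity documentation): the href goes through SanitizeUrl because it lands in a URL attribute, while the link body goes through Sanitize because it is rendered as markup. The widget name and its two properties are assumptions.

```csharp
using System.Web.UI;
using Telerik.Sitefinity.Web.UI;

// Hypothetical custom Web Forms widget (not part of Sitefinity) that renders a
// link whose href and inner markup both come from an untrusted source, for
// example a content item edited by a low-privilege user.
public class UserLinkWidget : Control
{
    // Both values are assumed to be user-provided and therefore untrusted.
    public string UserProvidedUrl { get; set; }
    public string UserProvidedHtml { get; set; }

    protected override void Render(HtmlTextWriter writer)
    {
        // URL context: SanitizeUrl rejects dangerous schemes such as javascript:
        // and handles unescaped query string values before the value reaches an href.
        string safeUrl = ControlUtilities.SanitizeUrl(this.UserProvidedUrl ?? string.Empty);

        // HTML context: Sanitize strips or encodes anything outside the whitelist,
        // so <script> tags and non-whitelisted attributes never reach the page.
        string safeHtml = ControlUtilities.Sanitize(this.UserProvidedHtml ?? string.Empty);

        // HtmlTextWriter attribute-encodes the href value; the body is written
        // as markup because Sanitize has already reduced it to whitelisted content.
        writer.AddAttribute(HtmlTextWriterAttribute.Href, safeUrl);
        writer.RenderBeginTag(HtmlTextWriterTag.A);
        writer.Write(safeHtml);
        writer.RenderEndTag();
    }
}
```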

Feather Sanitizer API

When working with Feather, you need to use the following helper methods in the Telerik.Sitefinity.Frontend.Mvc.Helpers namespace:

  • @Html.HtmlSanitize(Model.UserProvidedHtml)
  • @Html.HtmlSanitizeUrl(Model.UserProvidedUrl)

Modify the HTML sanitizer configuration

In case your website scenario requires you to change the list of whitelisted elements, you can modify the default configuration of the HTML sanitizer. To do this, you create a new HTML sanitizer that extends the out-of-the-box capabilities of the default sanitizer and adds more elements to the whitelist. The following sample demonstrates how to add a custom_attribute to the HTML sanitizer whitelist:
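An added example of such an extension (not the documentation's own sample). It assumes that the built-in sanitizer is exposed as HtmlSanitizer and IHtmlSanitizer in the Telerik.Sitefinity.Security.Sanitizers namespace with an AllowedAttributes set, and that the replacement is registered through Sitefinity's Unity-based ObjectFactory once Bootstrapper.Initialized reports the "Bootstrapped" command; both are assumptions about the Sitefinity API.

```csharp
using System;
using Microsoft.Practices.Unity;
using Telerik.Sitefinity.Abstractions;
using Telerik.Sitefinity.Data;
using Telerik.Sitefinity.Security.Sanitizers; // assumed namespace of the built-in sanitizer

// Extends the default sanitizer instead of replacing it, so every built-in
// tag, attribute, scheme and CSS property in the whitelist stays in force and
// only the one extra attribute is added.
public class CustomHtmlSanitizer : HtmlSanitizer
{
    public CustomHtmlSanitizer()
    {
        // Allow custom_attribute on otherwise-whitelisted elements.
        // Keep additions minimal: attributes that can carry script (event
        // handlers such as on*) or schemes other than http/https would
        // reopen the XSS surface the sanitizer exists to close.
        this.AllowedAttributes.Add("custom_attribute");
    }
}

// Registration in Global.asax.cs (assumed pattern): the custom type is bound
// to the sanitizer interface after Sitefinity has bootstrapped, so every
// widget and helper that calls the sanitizer picks up the extended whitelist.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        Bootstrapper.Initialized += this.Bootstrapper_Initialized;
    }

    private void Bootstrapper_Initialized(object sender, ExecutedEventArgs e)
    {
        if (e.CommandName == "Bootstrapped")
        {
            ObjectFactory.Container.RegisterType<IHtmlSanitizer, CustomHtmlSanitizer>(
                new ContainerControlledLifetimeManager());
        }
    }
}
```

After deploying the change, confirm that content carrying custom_attribute survives sanitization and that a test snippet with a <script> tag or a javascript: link is still stripped.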

HTML sanitizer whitelist

Default tags allowed:
a, abbr, acronym, address, area, b, big, blockquote, br, button, caption, center, cite, code, col, colgroup, dd, del, dfn, dir, div, dl, dt, em, fieldset, font, form, h1, h2, h3, h4, h5, h6, hr, i, img, input, ins, kbd, label, legend, li, map, menu, ol, optgroup, option, p, pre, q, s, samp, select, small, span, strike, strong, sub, sup, table, tbody, td, textarea, tfoot, th, thead, tr, tt, u, ul, var, section, nav, article, aside, header, footer, main, figure, figcaption, data, time, mark, ruby, rt, rp, bdi, wbr, datalist, keygen, output, progress, meter, details, summary, menuitem, html, head, body

Default schemes allowed:
http, https

Default attributes allowed:
abbr, accept, accept-charset, accesskey, action, align, alt, axis, bgcolor, border, cellpadding, cellspacing, char, charoff, charset, checked, cite, clear, cols, colspan, color, compact, coords, datetime, dir, disabled, enctype, for, frame, headers, height, href, hreflang, hspace, ismap, label, lang, longdesc, maxlength, media, method, multiple, name, nohref, noshade, nowrap, prompt, readonly, rel, rev, rows, rowspan, rules, scope, selected, shape, size, span, src, start, style, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, high, keytype, list, low, max, min, novalidate, open, optimum, pattern, placeholder, pubdate, radiogroup, required, reversed, spellcheck, step, wrap, challenge, contenteditable, draggable, dropzone, autocomplete, autosave

Default URI attributes (attribute values that are passed through SanitizeUrl):
action, background, dynsrc, href, lowsrc, src

Default CSS properties allowed:
background, background-attachment, background-color, background-image, background-position, background-repeat, border, border-bottom, border-bottom-color, border-bottom-style, border-bottom-width, border-collapse, border-color, border-left, border-left-color, border-left-style, border-left-width, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-style, border-top-width, border-width, bottom, caption-side, clear, clip, color, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, float, font, font-family, font-size, font-style, font-variant, font-weight, height, left, letter-spacing, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width, min-height, min-width, opacity, orphans, outline, outline-color, outline-style, outline-width, overflow, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, quotes, right, table-layout, text-align, text-decoration, text-indent, text-transform, top, unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing, z-index
