Sanitizing of HTML markup

To better handle HTML markup in fields where it is allowed, Registry 4.3.3 makes use of the html-sanitizer library (version 1.5). This library parses the HTML into a DOM, rewrites it, and strips any tag or attribute that is not explicitly allowed. The fields impacted by this update are:

  • Announcement header and footer fields
  • Dashboard header and footer fields
  • Terms and Conditions

These fields are now stripped of <script> tags and most HTML attributes on output. Deployments that have customized the markup in these fields may therefore see pages render differently than they did in previous versions of Registry.

For more information about supported tags, see https://github.com/tgalopin/html-sanitizer/blob/master/docs/3-configuration-reference.md.

The impacted Registry fields support the tags found in the ['basic', 'code', 'image', 'list', 'table', 'details', 'extra'] extensions. The Dashboard header and footer also allow <style> tags with custom CSS.
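The following is an added illustration of how an html-sanitizer configuration with the extensions listed above behaves on untrusted markup; it is not Registry's own code, and the exact configuration Registry uses (including how it admits <style> for the Dashboard fields) is an assumption here. The function name sanitizeField and the sample input are constructed for this example. The library's Sanitizer::create() and sanitize() calls are its public API.

```php
<?php
// Added example, not Registry code. Requires: composer require tgalopin/html-sanitizer
require __DIR__ . '/vendor/autoload.php';

use HtmlSanitizer\Sanitizer;

/**
 * Sanitize a rich-text field with the same extension set the release note lists.
 * Everything not covered by an extension (e.g. <script>, onclick=...) is removed.
 * Hypothetical helper name; the config mirrors the page, not Registry's source.
 */
function sanitizeField(string $untrustedHtml): string
{
    $sanitizer = Sanitizer::create([
        'extensions' => ['basic', 'code', 'image', 'list', 'table', 'details', 'extra'],
        // Assumption: per-tag attribute allow-list, which is how a "class"
        // attribute on <div>/<p> (noted below for 4.3.4) would be admitted.
        'tags' => [
            'div' => ['allowed_attributes' => ['class']],
            'p'   => ['allowed_attributes' => ['class']],
        ],
    ]);

    return $sanitizer->sanitize($untrustedHtml);
}

// Constructed sample of what a customized announcement footer might contain.
$sample = '<div class="notice" onclick="alert(1)">'
        . '<p style="color:red">Maintenance window <b>Friday</b></p>'
        . '<script>document.cookie</script>'
        . '<ul><li>Item</li></ul>'
        . '</div>';

$clean = sanitizeField($sample);
echo $clean, PHP_EOL;

// Basic check a deployer can run after upgrading a custom field: the script
// tag and the inline event handler must be gone, the allowed structure kept.
if (stripos($clean, '<script') !== false || stripos($clean, 'onclick') !== false) {
    fwrite(STDERR, "sanitizer let active content through\n");
    exit(1);
}
```

Running this against a copy of your customized header or footer markup before upgrading shows exactly which tags and attributes the 4.3.3 output will drop, so the difference in rendering can be reviewed (and moved into a theme where needed) rather than discovered on the live pages.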

Themes, which allow for full control over the interface, are unaffected by this change and will accept <script> tags and other custom markup.


1 Comment

  1. Note: the ability to add "class" attributes to <div> and <p> tags has been added to HTML sanitized markup in version 4.3.4. This will allow greater control over the sanitized markup via a theme or when using <style> tags in dashboards.