Default TAGs ATTRIBUTEs allow list & blocklist
(Note: the following information refers to version 1.0.8 of the library)
DOMPurify's default behavior permits only an allow-list of tags and attributes in the input.
- check the lists in src/tags.js and src/attrs.js
- what's not in the allow-list is implicitly removed
If desired, tags or attributes can be explicitly blocklisted by specifying FORBID_TAGS/FORBID_ATTR in the sanitizing config. By default both are empty, hence not considered.
The following are the lists of defaults that will not be allowed by DOMPurify sanitizing:
Tags (compare the HTML5 tutorials "All HTML5 Tags" list with TAGS in src/tags.js):
- applet
- base
- basefont
- command
- embed
- frame
- frameset
- iframe
- keygen
- link
- meta
- noframes
- noscript
- object
- param
- script
- title
- [this list may be incomplete]
Attributes (compare the MDN HTML attribute reference with ATTRS in src/attrs.js):
- accept-charset
- accesskey
- allow
- async
- autocapitalize
- autofocus
- autoplay
- buffered
- challenge
- charset
- code
- codebase
- content
- contenteditable
- contextmenu
- controls
- data
- decoding
- defer
- dirname
- draggable
- dropzone
- form
- formaction
- http-equiv
- icon
- importance
- itemprop
- keytype
- kind
- language
- lazyload
- manifest
- minlength
- muted
- ping
- sandbox
- scoped
- slot
- spellcheck
- srcdoc
- srclang
- start
- target
- translate
- wrap
- [this list may be incomplete]
Note: attributes are blocklisted regardless of their value.
Note: data-*/aria-* attributes are allowed by default and controlled by specifying ALLOW_DATA_ATTR/ALLOW_ARIA_ATTR.
- [TBA]
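The rules above (implicit removal of anything outside the allow-list, FORBID_TAGS/FORBID_ATTR, the data-*/aria-* flags, and name-only attribute decisions) as a small decision model. This is an added example and not DOMPurify's own code: the allow-list excerpts and the probe names are constructed, the latter taken from the default-blocked lists on this page, and the model lets FORBID_ATTR override the data-*/aria-* flags, an interaction this page does not specify.

```javascript
// Constructed excerpts of the default allow-lists (real DOMPurify lists are far longer).
const DEFAULT_ALLOWED_TAGS = new Set(['p', 'a', 'b', 'img', 'span']);
const DEFAULT_ALLOWED_ATTR = new Set(['href', 'src', 'title', 'alt', 'style']);

// Normalise a DOMPurify-style config object; defaults follow this page's text.
function normalizeConfig(cfg = {}) {
  const lower = (xs) => new Set((xs || []).map((x) => String(x).toLowerCase()));
  return {
    forbidTags: lower(cfg.FORBID_TAGS),           // empty by default
    forbidAttr: lower(cfg.FORBID_ATTR),           // empty by default
    allowDataAttr: cfg.ALLOW_DATA_ATTR !== false, // data-* allowed by default
    allowAriaAttr: cfg.ALLOW_ARIA_ATTR !== false, // aria-* allowed by default
  };
}

// A tag survives only if it is in the allow-list AND not explicitly forbidden.
function tagAllowed(tag, cfg) {
  const name = tag.toLowerCase();
  const c = normalizeConfig(cfg);
  return DEFAULT_ALLOWED_TAGS.has(name) && !c.forbidTags.has(name);
}

// Attributes are judged by name only; the value plays no part in this decision.
// Model assumption: an explicit FORBID_ATTR entry wins, then the data-*/aria-*
// flags apply, otherwise the allow-list decides.
function attrAllowed(attr, cfg) {
  const name = attr.toLowerCase();
  const c = normalizeConfig(cfg);
  if (c.forbidAttr.has(name)) return false;
  if (name.startsWith('data-')) return c.allowDataAttr;
  if (name.startsWith('aria-')) return c.allowAriaAttr;
  return DEFAULT_ALLOWED_ATTR.has(name);
}

// For a set of probe names, report which ones a given config would strip.
function stripped(probes, cfg) {
  return {
    tags: probes.tags.filter((t) => !tagAllowed(t, cfg)),
    attrs: probes.attrs.filter((a) => !attrAllowed(a, cfg)),
  };
}

// Constructed probes: names from this page's blocked lists plus a few allowed ones.
const PROBES = {
  tags: ['p', 'b', 'script', 'iframe', 'embed'],
  attrs: ['href', 'title', 'formaction', 'srcdoc', 'target', 'data-id', 'aria-label'],
};

console.log(stripped(PROBES, {}));
console.log(stripped(PROBES, { ALLOW_DATA_ATTR: false, FORBID_TAGS: ['b'] }));
```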