Sanitize HTML Configuration Options

ID:    S141316
Published:    02 October 2015
Updated:    02 October 2015


  • SBM


SBM 11.0 contains a new security feature that "sanitizes" HTML stored in the database for Memo fields, Journal fields, and notes, which prevents cross-site scripting (XSS) attacks, JavaScript injections, and rendering of poorly-formatted HTML from occurring. When this setting is enabled, SBM automatically compares the raw HTML in the database to the list of approved HTML tags and attributes that you configure to ensure the HTML is considered "safe" before it is rendered on the form.  This setting is enabled on the Base Project in Application Administrator by default for all new installations and upgrades to SBM 11.0.


The default configuration that is supplied with SBM is provided below in JSON format:


    "allowedTags": [
        "a", "label", "noscript",
        "h1", "h2", "h3", "h4", "h5", "h6",
        "p", "i", "b", "u", "strong", "em", "small",
        "big", "pre", "code", "cite", "samp",
        "sub", "sup", "strike", "center", "blockquote",
        "hr", "br", "col", "font", "map",
        "span", "div", "img", "ul", "ol", "li", "dd", "dt", "dl",
        "tbody", "thead", "tfoot", "table", "td", "th", "tr",
        "colgroup", "fieldset", "legend"
    "allowedAttributesGlobal": [
        "id", "class", "lang", "title", "style"
    "allowedAttributesByTag": {
        "p": [ "align" ],
        "label": [ "for" ],
        "font": [ "color", "face", "size" ],
        "a": [ "href", "nohref", "name", "target" ],
        "img": [ "src", "name", "alt", "border", "hspace", "vspace", "height", "width", "align" ],
        "table": [ "border", "cellpadding", "cellspacing", "bgcolor", "background", "align", "noresize", "height", "width" ],
        "td": [ "background", "bgcolor", "abbr", "axis", "headers", "scope", "nowrap", "colspan", "rowspan", "height", "width", "align", "valign", "charoff", "char" ],
        "th": [ "background", "bgcolor", "abbr", "axis", "headers", "scope", "nowrap", "colspan", "rowspan", "height", "width", "align", "valign", "charoff", "char" ],
        "tr": [ "background", "height", "width", "align", "valign", "charoff", "char" ],
        "thead": [ "align", "valign", "charoff", "char" ],
        "tbody": [ "align", "valign", "charoff", "char" ],
        "tfoot": [ "align", "valign", "charoff", "char" ],
        "colgroup": [ "align", "valign", "charoff", "char", "span", "width" ],
        "col": [ "align", "valign", "charoff", "char", "span", "width" ]
    "restrictedStyles": [
        "position", "float", "z-index"
    "needToValidateStyles": "true"


The default configuration is organized as follows:

  • Allowed tags
  • Attributes that are allowed in all tags
  • Attributes that are allowed for certain tags
  • Restricted styles
  • Flag to restrict styles or not


You can add or remove entries under each required JSON field as necessary; however, be aware that removing tags or attributes could affect the security of your system and should only be performed with caution.


It's also possible to add non-HTML tags and attributes to the configuration depending on your business needs.  For example, assume you have a Web service call in an orchestration that adds metadata that looks like HTML to a rich-text-enabled field in SBM like so:
<EXTERNAL_PROGRAM_LINK mode=”native”>item_data_to_open</EXTERNAL_PROGRAM_LINK> 

When rendered, these tags display a link that can be opened by 3rd party software.  To allow these tags to work, you must either disable the sanitize HTML feature, or update the default configuration as follows:
1. Add tag “EXTERNAL_PROGRAM_LINK” to the “allowedTags” list.
2. Add attribute “mode” to the “allowedAttributesByTag” list.

Serena recommends that you review the list of allowed tags and attributes to ensure that any custom tags that you have implemented are allowed by the sanitizer. 

Applies To

SBM 11.0

Rate this Solution

Find Answers

Type a question or describe what you are looking for below

My Recent Searches

Welcome kb sso

Additional Assistance

  • Submit a Case Online
  • FAQs