Sanitization rules

2007-08-07T19:32:40Z

Jabley: /* URI protocols */ Added wtai and tel protocols, on the presumption that phones will be capable of viewing html5

This page was initially seeded with the sanitization lists and rules implemented by the [http://code.google.com/p/html5lib/ html5lib] sanitizer, which in turn was based on [http://golem.ph.utexas.edu/instiki/show/HomePage Jacques Distler's branch of Instiki], which in turn was based on the sanitization logic in the [http://www.feedparser.org/ Universal Feed Parser].

It is hoped that others will add, update, and extend this list based on their experiences in their own products, and furthermore that some will update their products based on these lists.

As a suggestion but not as a requirement: people who do update their products to reflect information from this list are encouraged to add a link to this page as a comment in the hopes that it will encourage subsequent maintainers to keep this page up to date.

=== Acceptable Elements ===

* a
* abbr
* acronym
* address
* area
* b
* big
* blockquote
* br
* button
* caption
* center
* cite
* code
* col
* colgroup
* dd
* del
* dfn
* dir
* div
* dl
* dt
* em
* fieldset
* font
* form
* h1
* h2
* h3
* h4
* h5
* h6
* hr
* i
* img
* input
* ins
* kbd
* label
* legend
* li
* map
* menu
* ol
* optgroup
* option
* p
* pre
* q
* s
* samp
* select
* small
* span
* strike
* strong
* sub
* sup
* table
* tbody
* td
* textarea
* tfoot
* th
* thead
* tr
* tt
* u
* ul
* var

==== mathml Elements ====

* maction
* math
* merror
* mfrac
* mi
* mmultiscripts
* mn
* mo
* mover
* mpadded
* mphantom
* mprescripts
* mroot
* mrow
* mspace
* msqrt
* mstyle
* msub
* msubsup
* msup
* mtable
* mtd
* mtext
* mtr
* munder
* munderover
* none

==== svg Elements ====

* a
* animate
* animateColor
* animateMotion
* animateTransform
* circle
* defs
* desc
* ellipse
* font-face
* font-face-name
* font-face-src
* g
* glyph
* hkern
* image
* linearGradient
* line
* marker
* metadata
* missing-glyph
* mpath
* path
* polygon
* polyline
* radialGradient
* rect
* set
* stop
* svg
* switch
* text
* title
* tspan
* use

=== Acceptable Attributes ===

* abbr
* accept
* accept-charset
* accesskey
* action
* align
* alt
* axis
* border
* cellpadding
* cellspacing
* char
* charoff
* charset
* checked
* cite
* class
* clear
* cols
* colspan
* color
* compact
* coords
* datetime
* dir
* disabled
* enctype
* for
* frame
* headers
* height
* href
* hreflang
* hspace
* id
* ismap
* label
* lang
* longdesc
* maxlength
* media
* method
* multiple
* name
* nohref
* noshade
* nowrap
* prompt
* readonly
* rel
* rev
* rows
* rowspan
* rules
* scope
* selected
* shape
* size
* span
* src
* start
* style
* summary
* tabindex
* target
* title
* type
* usemap
* valign
* value
* vspace
* width
* xml:lang

==== mathml Attributes ====

* actiontype
* align
* columnalign
* columnalign
* columnalign
* columnlines
* columnspacing
* columnspan
* depth
* display
* displaystyle
* equalcolumns
* equalrows
* fence
* fontstyle
* fontweight
* frame
* height
* linethickness
* lspace
* mathbackground
* mathcolor
* mathvariant
* mathvariant
* maxsize
* minsize
* other
* rowalign
* rowalign
* rowalign
* rowlines
* rowspacing
* rowspan
* rspace
* scriptlevel
* selection
* separator
* stretchy
* width
* width
* xlink:href
* xlink:show
* xlink:type
* xmlns
* xmlns:xlink

==== svg Attributes ====

* accent-height
* accumulate
* additive
* alphabetic
* arabic-form
* ascent
* attributeName
* attributeType
* baseProfile
* bbox
* begin
* by
* calcMode
* cap-height
* class
* color
* color-rendering
* content
* cx
* cy
* d
* dx
* dy
* descent
* display
* dur
* end
* fill
* fill-rule
* font-family
* font-size
* font-stretch
* font-style
* font-variant
* font-weight
* from
* fx
* fy
* g1
* g2
* glyph-name
* gradientUnits
* hanging
* height
* horiz-adv-x
* horiz-origin-x
* id
* ideographic
* k
* keyPoints
* keySplines
* keyTimes
* lang
* marker-end
* marker-mid
* marker-start
* markerHeight
* markerUnits
* markerWidth
* mathematical
* max
* min
* name
* offset
* opacity
* orient
* origin
* overline-position
* overline-thickness
* panose-1
* path
* pathLength
* points
* preserveAspectRatio
* r
* refX
* refY
* repeatCount
* repeatDur
* requiredExtensions
* requiredFeatures
* restart
* rotate
* rx
* ry
* slope
* stemh
* stemv
* stop-color
* stop-opacity
* strikethrough-position
* strikethrough-thickness
* stroke
* stroke-dasharray
* stroke-dashoffset
* stroke-linecap
* stroke-linejoin
* stroke-miterlimit
* stroke-opacity
* stroke-width
* systemLanguage
* target
* text-anchor
* to
* transform
* type
* u1
* u2
* underline-position
* underline-thickness
* unicode
* unicode-range
* units-per-em
* values
* version
* viewBox
* visibility
* width
* widths
* x
* x-height
* x1
* x2
* xlink:actuate
* xlink:arcrole
* xlink:href
* xlink:role
* xlink:show
* xlink:title
* xlink:type
* xml:base
* xml:lang
* xml:space
* xmlns
* xmlns:xlink
* y
* y1
* y2
* zoomAndPan

=== CSS Rules ===

First <code>urls</code> matching the following regular expression are removed:
<pre>url\s*$\s*[^\s)]+?\s*$\s*</pre>

The style strings that don't match the following are deemed obfuscated, and ignored entirely:
<pre>^([:,;#%.\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'|"[\s\w]+"|$[\d,\s]+$)*$</pre>
<pre>^(\s*[-\w]+\s*:\s*[^:;]*(;|$))*$</pre>

==== style Properties ====

* azimuth
* background-color
* border-bottom-color
* border-collapse
* border-color
* border-left-color
* border-right-color
* border-top-color
* clear
* color
* cursor
* direction
* display
* elevation
* float
* font
* font-family
* font-size
* font-style
* font-variant
* font-weight
* height
* letter-spacing
* line-height
* overflow
* pause
* pause-after
* pause-before
* pitch
* pitch-range
* richness
* speak
* speak-header
* speak-numeral
* speak-punctuation
* speech-rate
* stress
* text-align
* text-decoration
* text-indent
* unicode-bidi
* vertical-align
* voice-family
* volume
* white-space
* width

==== style Property Values ====

* auto
* aqua
* black
* block
* blue
* bold
* both
* bottom
* brown
* center
* collapse
* dashed
* dotted
* fuchsia
* gray
* green
* !important
* italic
* left
* lime
* maroon
* medium
* none
* navy
* normal
* nowrap
* olive
* pointer
* purple
* red
* right
* solid
* silver
* teal
* top
* transparent
* underline
* white
* yellow

==== svg sytle Properties ====

* fill
* fill-opacity
* fill-rule
* stroke
* stroke-width
* stroke-linecap
* stroke-linejoin
* stroke-opacity

=== URIs ===
==== Attributes whose value is a URI ====

* href
* src
* cite
* action
* longdesc
* xlink:href
* xml:base

==== URI protocols ====

* afs
* aim
* callto
* ed2k
* feed
* ftp
* gopher
* http
* https
* irc
* mailto
* news
* nntp
* rsync
* rtsp
* sftp
* ssh
* tag
* tel
* telnet
* urn
* webcal
* wtai
* xmpp

WHATWG Wiki - User contributions [en]

Sanitization rules