
HTML Sanitizer src Attribute

DylanBlumenberg
Tera Expert

Hi all, I'm attempting to add to the HTML Sanitizer Config whitelist so it only allows iframe URLs from "https://scribehow.com/embed/". I have the HTML Sanitizer Config set to the following, but it's not blocking other URLs. What am I doing wrong?

var HTMLSanitizerConfig = Class.create();
HTMLSanitizerConfig.prototype = {
	initialize: function() {
	},

	HTML_WHITELIST : {
		globalAttributes: {
			attribute: [],
			attributeValuePattern: {}
		},
		iframe: {
			attribute: ["width", "height", "src", "frameborder", "allow", "allowfullscreen"],
			attributeValuePattern: {src: /^https:\/\/scribehow\.com\/embed\//}
		}
	},

	HTML_BLACKLIST : {
		globalAttributes: {},
	},

	getWhiteList : function() {
		return this.HTML_WHITELIST;
	},

	getBlackList : function() {
		return this.HTML_BLACKLIST;
	},

	type: 'HTMLSanitizerConfig'
};


1 ACCEPTED SOLUTION

I reached out to ServiceNow Support and they provided me with a src attribute that worked. The whitelist that worked for me is below.

HTML_WHITELIST : {
	globalAttributes: {
		attribute: [],
		attributeValuePattern: {}
	},
	iframe: {
		attribute: ["width", "height", "src", "frameborder", "allow", "allowfullscreen"],
		attributeValuePattern: {
			// allow only scribehow.com/embed with optional path/query;
			// the dot in the host name is escaped so it matches a literal "." only
			// (an unescaped "." would also match any other single character)
			src: "^https://scribehow\\.com/embed/.*$"
		}
	}
}
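As an added illustration (not code from this thread and not ServiceNow's sanitizer, whose internals the thread does not show), the Node.js snippet below compiles the accepted solution's string pattern to a RegExp, compares it with the regex-literal form used in the other replies, shows why the dot in the host name should be escaped, and strips every iframe whose src fails the check from the article HTML quoted later in the thread. The scribehow path, the lookalike host and all helper names are constructed for the example.

```javascript
// Added example, not ServiceNow's sanitizer: a minimal allow-list check for
// <iframe src> values, modelled on the attributeValuePattern config in this thread.

// Pattern from the accepted solution, as a plain string.
const PATTERN_UNESCAPED = "^https://scribehow.com/embed/.*$";
// Same allow-list with the host-name dot escaped: "." now matches only a literal dot.
const PATTERN_ESCAPED = "^https://scribehow\\.com/embed/.*$";
// The regex-literal form used in the other replies (case-insensitive flag included).
const PATTERN_LITERAL = /^https:\/\/scribehow\.com\/embed\/.*$/i;

// Accept either a string pattern or a RegExp; strings are compiled here.
function compilePattern(pattern) {
  return pattern instanceof RegExp ? pattern : new RegExp(pattern);
}

// True when the iframe src value satisfies the allow-list pattern.
function isAllowedSrc(src, pattern) {
  return compilePattern(pattern).test(src);
}

// Return the src attribute value of a single <iframe ...> tag, or "" if absent.
function extractSrc(tag) {
  const m = /\ssrc\s*=\s*["']([^"']*)["']/i.exec(tag);
  return m ? m[1] : "";
}

// Remove every <iframe> element whose src does not satisfy the pattern.
// Regex-based so the example stays self-contained; a production sanitizer uses an
// HTML parser and handles attribute quoting, entities and nesting properly.
function stripDisallowedIframes(html, pattern) {
  return html.replace(/<iframe\b[^>]*>[\s\S]*?<\/iframe>/gi, function (tag) {
    return isAllowedSrc(extractSrc(tag), pattern) ? tag : "";
  });
}

// Constructed inputs: the YouTube embed URL quoted in the thread, a scribehow URL
// shaped like the ones the asker wants to keep (path made up), and a host that
// only the unescaped pattern accepts because "." matches the "X".
const YOUTUBE_SRC = "https://www.youtube.com/embed/RrrjNGpbrqA?si=zdUy6BeQTVeeNT4f";
const SCRIBE_SRC = "https://scribehow.com/embed/example-guide?as=scrollable";
const LOOKALIKE_SRC = "https://scribehowXcom/embed/example-guide";

// The article HTML from the thread, with a second (allowed) iframe appended.
const ARTICLE_HTML =
  '<p>Test this:</p>\n' +
  '<p><iframe title="YouTube video player" src="' + YOUTUBE_SRC + '" width="560" height="315" ' +
  'frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; ' +
  'picture-in-picture; web-share" allowfullscreen="allowfullscreen"></iframe></p>\n' +
  '<p><iframe src="' + SCRIBE_SRC + '" width="640" height="480"></iframe></p>';

// Run the checks and return the results so they can be inspected or asserted on.
function runDemo() {
  return {
    scribeAllowed: isAllowedSrc(SCRIBE_SRC, PATTERN_ESCAPED),            // true
    youtubeAllowed: isAllowedSrc(YOUTUBE_SRC, PATTERN_ESCAPED),          // false
    lookalikeUnescaped: isAllowedSrc(LOOKALIKE_SRC, PATTERN_UNESCAPED),  // true
    lookalikeEscaped: isAllowedSrc(LOOKALIKE_SRC, PATTERN_ESCAPED),      // false
    literalAgrees: isAllowedSrc(SCRIBE_SRC, PATTERN_LITERAL),            // true
    sanitized: stripDisallowedIframes(ARTICLE_HTML, PATTERN_ESCAPED),
  };
}

console.log(runDemo());
```

The point of the two string patterns is that both accept the legitimate scribehow URL and both reject the YouTube embed, but only the escaped form rejects a host where some other character stands in for the dot; whichever syntax the platform ends up accepting, the anchored `^...$` form with an escaped dot is the one to configure.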


5 REPLIES

Ravi Gaurav
Giga Sage

Hi @DylanBlumenberg
Try this in your HTMLSanitizerConfig Script Include:
Also clear the cache after adding the code, then check again.

var HTMLSanitizerConfig = Class.create();
HTMLSanitizerConfig.prototype = {
	initialize: function() {},

	HTML_WHITELIST : {
		globalAttributes: {
			attribute: [],
			attributeValuePattern: {}
		},
		iframe: {
			attribute: ["width", "height", "src", "frameborder", "allow", "allowfullscreen"],
			attributeValuePattern: {
				// allow ONLY scribehow.com/embed with optional query params
				src: /^https:\/\/scribehow\.com\/embed\/.*$/i
			}
		}
	},

	HTML_BLACKLIST : {
		globalAttributes: {}
	},

	getWhiteList : function() {
		return this.HTML_WHITELIST;
	},

	getBlackList : function() {
		return this.HTML_BLACKLIST;
	},

	type: 'HTMLSanitizerConfig'
};

--------------------------------------------------------------------------------------------------------------------------


If you found my response helpful, I would greatly appreciate it if you could mark it as "Accepted Solution" and "Helpful."
Your support not only benefits the community but also encourages me to continue assisting. Thank you so much!

Thanks and Regards
Ravi Gaurav | ServiceNow MVP 2025,2024 | ServiceNow Practice Lead | Solution Architect
CGI
M.Tech in Data Science & AI

YouTube: https://www.youtube.com/@learnservicenowwithravi
LinkedIn: https://www.linkedin.com/in/ravi-gaurav-a67542aa/

Hi Ravi, thank you for the reply. I added that code and cleared the cache with cache.do, but I'm still running into the issue with it not sanitizing other URLs. I created a test article with an embedded YouTube video and, after saving the article, the iframe still exists. Below is the article HTML code for reference.

<p>Test this:</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><iframe title="YouTube video player" src="https://www.youtube.com/embed/RrrjNGpbrqA?si=zdUy6BeQTVeeNT4f" width="560" height="315" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="allowfullscreen"></iframe></p>

Hi @DylanBlumenberg 

Check this now.

var HTMLSanitizerConfig = Class.create();
HTMLSanitizerConfig.prototype = {
	initialize: function() {},

	HTML_WHITELIST : {
		globalAttributes: {
			attribute: [],
			attributeValuePattern: {}
		},
		iframe: {
			attribute: ["width", "height", "src", "frameborder", "allow", "allowfullscreen"],
			attributeValuePattern: {
				// allow only scribehow.com/embed with optional path/query
				src: /^https:\/\/scribehow\.com\/embed\/.*$/i
			}
		}
	},

	HTML_BLACKLIST : {
		globalAttributes: {}
	},

	getWhiteList: function() {
		return this.HTML_WHITELIST;
	},

	getBlackList: function() {
		return this.HTML_BLACKLIST;
	},

	type: 'HTMLSanitizerConfig'
};

Thanks and Regards
Ravi Gaurav | ServiceNow MVP 2025,2024 | ServiceNow Practice Lead | Solution Architect

Sorry to say there was no change with that update. I also cleared the cache again.