HTML Sanitizer src Attribute

DylanBlumenberg
Tera Guru

Hi all, I'm attempting to add to the HTML Sanitizer Config whitelist so it only allows iframe URLs from "https://scribehow.com/embed/". I have the HTML Sanitizer Config set to the following but it's not blocking other URLs? What am I doing wrong?

var HTMLSanitizerConfig = Class.create();
HTMLSanitizerConfig.prototype = {
	initialize: function() {
	},
	
	HTML_WHITELIST : {
		globalAttributes: {
			attribute:[],
			attributeValuePattern:{}
		},
		iframe: {
			attribute: ["width", "height", "src", "frameborder", "allow", "allowfullscreen"],
			attributeValuePattern: {src: /^https:\/\/scribehow\.com\/embed\//}
		}
	},
	
	HTML_BLACKLIST : {
		globalAttributes: {},
	},
	
	getWhiteList : function() {
		return this.HTML_WHITELIST;
	},
	
	getBlackList : function() {
		return this.HTML_BLACKLIST;
	},
	
	type: 'HTMLSanitizerConfig'
};

 

1 ACCEPTED SOLUTION

I reached out to ServiceNow Support and they provided me with a src attribute that worked. The whitelist that worked for me is below.

HTML_WHITELIST : {
	globalAttributes: {
		attribute: [],
		attributeValuePattern: {}
	},
	iframe: {
		attribute: ["width", "height", "src", "frameborder", "allow", "allowfullscreen"],
		attributeValuePattern: {
			// allow only scribehow.com/embed with optional path/query
			src: "^https://scribehow.com/embed/.*$"
		}
	}
}
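Added example, not part of the original post and not ServiceNow code: a small JavaScript harness for checking a candidate `src` pattern against constructed URLs before it goes into the whitelist. It assumes JavaScript `RegExp` semantics as a stand-in for the platform's matcher, which the page does not specify; `ESCAPED_PATTERN`, `isAllowedEmbed` and the sample URLs are hypothetical names and values introduced here.

```javascript
// Added example. JavaScript RegExp stands in for the platform's pattern
// matching (an assumption); all sample URLs below are constructed.
const PAGE_PATTERN = "^https://scribehow.com/embed/.*$";      // from the accepted solution
const ESCAPED_PATTERN = "^https://scribehow\\.com/embed/.*$"; // same pattern, dots escaped

const SAMPLES = [
  "https://scribehow.com/embed/Example_Guide__abc123",
  "https://scribehow.com/embed/Example?as=scrollable",
  "http://scribehow.com/embed/Example",                   // wrong scheme
  "https://scribehow.com.other.example/embed/Example",    // allowed host used as a prefix
  "https://other.example/?u=https://scribehow.com/embed/Example",
  "https://scribehowxcom/embed/Example",                  // unescaped "." matches any character
  "https://scribehow.com/embed/../Example",               // resolves outside /embed/
];

// True when the string pattern matches the raw attribute value.
function matchesPattern(pattern, value) {
  return new RegExp(pattern).test(value);
}

// Stricter reference check: parse the URL, then compare its normalised parts.
function isAllowedEmbed(value) {
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return false; // not an absolute URL
  }
  return url.protocol === "https:" &&
    url.hostname === "scribehow.com" &&
    url.port === "" && url.username === "" && url.password === "" &&
    url.pathname.startsWith("/embed/"); // pathname has dot segments removed
}

// One row per sample: the verdict of each pattern and of the parsed check.
function report() {
  return SAMPLES.map((value) => ({
    value,
    page: matchesPattern(PAGE_PATTERN, value),
    escaped: matchesPattern(ESCAPED_PATTERN, value),
    parsed: isAllowedEmbed(value),
  }));
}

console.table(report());
```

Rows where `page` or `escaped` is true but `parsed` is false are values a raw-string prefix pattern accepts even though the resolved URL is not under `https://scribehow.com/embed/`.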
