Sanitize HTML in the Description Fields of the Impact Workspace Module
Use the sn_impact_common.blacklist_tags_HTML_injection property to sanitize the HTML in the description fields of the Impact Workspace module by removing HTML tags that are sources of HTML injection attacks. The description fields are:
- The customer_notes field of the sn_impact_common_capabilities_map and sn_impact_common_par_version_phase_app_mapping tables.
- The manual_description field of the sn_impact_common_manual_capability_description table.
When this system property contains a comma-separated list of HTML tags (for example, script), those tags and their contents are removed from the HTML portions of the listed fields. Removing these tags helps prevent HTML injection attacks through the description fields. If this property isn't set in the System Properties [sys_properties] table, the default list of denied HTML tags is used. If the property is set but empty, all HTML tags are allowed.
Use the sn_impact_common.blacklist_tags_HTML_injection property to provide a comma-separated list of HTML tags that are removed from the description fields of the Impact Workspace module. This removal helps to prevent HTML injection attacks. At minimum, this list should contain the contents of the default list. If the property isn't set in the System Properties [sys_properties] table, it defaults to the list script,iframe,object,embed,form,onerror,onload,style,img,video,audio,source,button.
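The following is an added example of how a deny list in this property's format can be applied to a description field; it is not ServiceNow's own sanitizer. It mirrors the three states described above (unset uses the default list, empty allows every tag, otherwise the listed tags and their contents are removed). As an assumption beyond the page, entries that are attribute names rather than tag names (such as onerror and onload) are stripped as attributes from the tags that are kept, and HTML void elements are treated as self-closing so a denied `<img>` does not swallow the text after it.

```javascript
// Added example, not ServiceNow code: applies a comma-separated deny list in the
// format of sn_impact_common.blacklist_tags_HTML_injection to one HTML string.
const DEFAULT_DENY_LIST =
  "script,iframe,object,embed,form,onerror,onload,style,img,video,audio,source,button";

// HTML void elements never have a closing tag, so treat them as self-closing.
const VOID_ELEMENTS = new Set(["area", "base", "br", "col", "embed", "hr", "img",
  "input", "link", "meta", "param", "source", "track", "wbr"]);

// Unset property (null/undefined) -> default list; empty string -> nothing is denied.
function parseDenyList(propertyValue) {
  const raw = propertyValue == null ? DEFAULT_DENY_LIST : propertyValue;
  return new Set(raw.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean));
}

// Assumption beyond the page: deny-list entries that are attribute names
// (onerror, onload) are removed as attributes from tags that are kept.
function stripDeniedAttributes(tag, deny) {
  const attrRe = /\s+([a-zA-Z_:][-a-zA-Z0-9_:.]*)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  return tag.replace(attrRe, (attr, name) => (deny.has(name.toLowerCase()) ? "" : attr));
}

// Removes every denied element together with its contents; other markup passes through.
function sanitizeDescription(html, propertyValue) {
  const deny = parseDenyList(propertyValue);
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*?(\/?)>/g;
  let out = "";
  let last = 0;
  let skipName = null; // tag name of the denied element currently being dropped
  let depth = 0;       // nesting depth inside that element
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [tag, closing, rawName, selfClosing] = m;
    const name = rawName.toLowerCase();
    const isVoid = selfClosing === "/" || VOID_ELEMENTS.has(name);
    if (skipName === null) {
      out += html.slice(last, m.index);
      if (!deny.has(name)) {
        out += stripDeniedAttributes(tag, deny);
      } else if (!closing && !isVoid) {
        skipName = name; // drop everything until the matching closing tag
        depth = 1;
      } // a denied void/self-closing tag or stray closing tag is simply dropped
    } else if (name === skipName) {
      depth += closing ? -1 : isVoid ? 0 : 1;
      if (depth === 0) skipName = null;
    }
    last = m.index + tag.length;
  }
  // An unterminated denied element drops the rest of the input rather than leaking it.
  return skipName === null ? out + html.slice(last) : out;
}
```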
More information
| Attribute | Description |
|---|---|
| Property name | sn_impact_common.blacklist_tags_HTML_injection |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | Sanitize the HTML in the description fields by removing HTML tags that are sources of HTML injection attacks. |
| Recommended value | At minimum, the default value of script,iframe,object,embed,form,onerror,onload,style,img,video,audio,source,button |
| Default value | script,iframe,object,embed,form,onerror,onload,style,img,video,audio,source,button |
| Security risk rating | 4.4 |
| Functional impact | If an HTML tag is added to default list, it may limit the required HTML functionality of the description fields. The exact impact is dependent on the customer instance. |
| Security risk | (Medium) |
| References | |
To learn more about adding or creating a system property, see Add a system property.