Rich Text Formatting limitations
Starting with iTop 2.3.0, some fields (for example the case log entries and the description of Tickets) support rich text formatting.
This formatting is implemented using HTML markup. This is convenient for displaying in the browser, online WYSIWYG editing and importing from HTML emails. However, inserting arbitrary HTML markup into a web-based application is not acceptable, since it opens the door to all kinds of malicious injection. Therefore the HTML markup always passes through a sanitization process before being recorded into the iTop database. This sanitization is based on a white-list of HTML tag names, attributes and styles:
- Any tag not present in the tags white-list is completely removed (including its sub-tags)
- Any attribute not present in the attributes white-list (for the considered tag) is removed
- Any style not within the styles white-list is removed
Last but not least, the only URL schemes accepted (in
The style tag and the attributes (such as class) are completely banned, since they may interfere with the behavior of the application. HTML formatting is supported only through the semantics of the tags (strong, etc.) and inline CSS styles (via the style attribute on some tags). Note that at the time of writing this rule is consistent with web-based email clients like Gmail.
Tags and attributes white-list
The following tags are preserved when sanitizing the HTML to be stored in iTop. For each tag, the table below lists the attributes which are allowed.
| HTML Tag | Allowed attributes |
The following styles are the only items allowed inside the style attribute (for the tags on which style is allowed):
background CSS style property, but preserved if specified via the more specific
Disabling the Sanitizer
HTMLNullSanitizer: no sanitizing at all.
'html_sanitizer' => 'HTMLNullSanitizer',