Rich Text Formatting limitations

Starting with iTop 2.3.0, some fields (for example the case log entries and the description of Tickets) support rich text formatting.

This formatting is implemented with HTML markup, which is convenient for display in the browser, for on-line WYSIWYG editing and for importing HTML emails. However, storing arbitrary HTML markup inside a web-based application is not acceptable, since it opens the door to all kinds of injection (stored cross-site scripting in particular). Therefore the HTML markup always passes through a sanitization step before being recorded in the iTop database. This sanitization is based on white-lists of HTML tag names, attributes and style properties:

  1. Any tag not present in the tags white-list is removed completely (including its sub-tags).
  2. Any attribute not present in the attributes white-list for the tag in question is removed.
  3. Any style property not present in the styles white-list is removed from the style attribute.
  4. Last but not least, the only URL schemes accepted in href and src attributes are http:, https:, mailto: and data:.
The style tag and the id and class attributes are banned altogether, since they could interfere with the behavior (stylesheet and scripts) of the application. HTML formatting is therefore only supported through the semantics of the tags (i, strong, etc.) and through inline CSS (the style attribute, on the tags that allow it). Note that, at the time of writing, this rule is consistent with what web-based email clients such as Gmail do.
These sanitization rules apply to any HTML stored in iTop: they apply to rich text entered via copy/paste as well as to text imported from an email by the "Ticket creation from eMails" extension.

Tags and attributes white-list

The following tags are preserved when sanitizing the HTML to be stored in iTop. For each tag, the table below lists the attributes which are allowed.

HTML tag     Allowed attributes
a            href, name, style, target, title
b            None.
big          None.
blockquote   style
body         None.
br           None.
caption      None.
center       None.
cite         None.
code         None. (this page also lists a second "code" entry allowing style; check the sanitizer class shipped with your iTop version)
del          None.
div          style
em           None.
fieldset     style
font         face, color, style, size
h1           style
h2           style
h3           style
h4           style
hr           style
html         None.
i            None.
img          src, style, alt, title
ins          None.
kbd          None.
legend       style
li           style, value
nav          style
ol           reversed, start, style, type
p            style
pre          None.
q            None.
s            None.
samp         None.
section      style
small        None.
span         style
strong       None.
table        style, width, summary, align, border, cellpadding, cellspacing
tbody        style
td           style, colspan
th           style
thead        style
tr           style
tt           None.
u            None.
ul           style
var          None.

Styles white-list

The following style properties are the only items allowed inside a style attribute (for the tags on which the style attribute is allowed); any other declaration is dropped from the attribute:

background-color, border, border-collapse, bordercolor, cellpadding, cellspacing, color, float, font, font-family, font-size, font-style, height, margin, padding, text-align, vertical-align, width, white-space

The background color of a text (or an area) is lost if it is specified via the forbidden background shorthand property, but preserved if specified via the more specific background-color property. Note that bordercolor, cellpadding and cellspacing are HTML attributes rather than CSS properties, so their presence in this list does not make them effective inside a style attribute.
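To make the four rules from the introduction and the two white-lists above concrete, here is a small white-list sanitizer written for this page as an added example. It is not iTop's own HTMLDOMSanitizer and does not reproduce its code; it transcribes the tag, attribute and style white-lists listed on this page (taking the "code" row as "no attributes") and applies them with Python's standard library. Choices that the page leaves open and that are this example's own: a URL whose scheme is not accepted loses only the attribute, not the whole tag; scheme-less (relative) URLs are rejected along with javascript: and friends; style values are not validated, only property names; comments are discarded. The sample input is constructed for the demonstration, not taken from an iTop instance.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> allowed attributes, transcribed from the white-list on this page.
# style (tag), id and class never appear, so they are dropped by construction.
TAG_WHITELIST = {
    "html": set(), "body": set(), "br": set(), "b": set(), "i": set(), "u": set(),
    "em": set(), "strong": set(), "big": set(), "small": set(), "tt": set(),
    "code": set(), "kbd": set(), "samp": set(), "var": set(), "del": set(),
    "ins": set(), "cite": set(), "q": set(), "s": set(), "pre": set(),
    "center": set(), "caption": set(),
    "a": {"href", "name", "style", "target", "title"},
    "img": {"src", "style", "alt", "title"},
    "font": {"face", "color", "style", "size"},
    "li": {"style", "value"},
    "ol": {"reversed", "start", "style", "type"},
    "td": {"style", "colspan"},
    "table": {"style", "width", "summary", "align", "border", "cellpadding", "cellspacing"},
}
for _t in ("blockquote", "div", "fieldset", "h1", "h2", "h3", "h4", "hr", "legend",
           "nav", "p", "section", "span", "tbody", "th", "thead", "tr", "ul"):
    TAG_WHITELIST[_t] = {"style"}

STYLE_WHITELIST = {
    "background-color", "border", "border-collapse", "bordercolor", "cellpadding",
    "cellspacing", "color", "float", "font", "font-family", "font-size", "font-style",
    "height", "margin", "padding", "text-align", "vertical-align", "width", "white-space",
}
ALLOWED_SCHEMES = {"http", "https", "mailto", "data"}   # rule 4
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img", "hr"}                         # elements without an end tag


def filter_style(value):
    """Rule 3: keep only declarations whose property name is white-listed (values unchecked)."""
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in STYLE_WHITELIST and val:
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def url_allowed(value):
    """Rule 4. javascript:, vbscript: etc. fail; rejecting relative URLs is this example's choice."""
    return urlsplit(value.strip()).scheme.lower() in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized markup, re-serialized from what survived
        self.open = []      # kept elements still waiting for their end tag
        self.dropped = []   # non-white-listed elements whose whole subtree is discarded

    def handle_starttag(self, tag, attrs):
        if self.dropped or tag not in TAG_WHITELIST:     # rule 1: drop tag and sub-tags
            if tag not in VOID_TAGS:
                self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:                        # rule 2: per-tag attribute white-list
            value = value or ""
            if name not in TAG_WHITELIST[tag]:           # drops id, class, on* handlers, ...
                continue
            if name == "style":
                value = filter_style(value)
                if not value:
                    continue
            elif name in URL_ATTRS and not url_allowed(value):
                continue                                 # bad scheme: attribute goes, tag stays
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.dropped:
            if tag in self.dropped:                      # leaving the removed subtree
                while self.dropped.pop() != tag:
                    pass
            return
        if tag in self.open:                             # close up to the matching element
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.dropped:                             # text inside a dropped tag is lost too
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                                             # comments are never stored

    def close(self):
        super().close()
        while self.open:                                 # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")


def sanitize(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample exercising every rule: banned class/id, banned background shorthand,
# event handler, script and style tags, javascript: link, accepted https: and data: URLs.
SAMPLE = (
    '<div style="color: red; background: yellow" class="note" id="n1">'
    '<p style="background-color: #ffc; position: absolute">Hello '
    '<strong onclick="steal()">world</strong></p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" target="_blank">bad link</a>'
    '<a href="https://example.com/x?a=1&amp;b=2" title="ok">good link</a>'
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">'
    '<style>body { display: none }</style>'
    '</div>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Running the block prints the sample with only the white-listed markup left: the div keeps color but loses background, class and id; the p loses position; strong loses onclick; script and style disappear with their content; the javascript: link keeps its text but loses href; the https: link and the data: image survive. Because the page accepts data: in href as well as src, review whether that fits your deployment before relying on this list as-is.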

Disabling the Sanitizer

Although this is not recommended, the sanitizer can be changed or switched off through the html_sanitizer Configuration Parameter, which selects the sanitizer class:
  • HTMLDOMSanitizer: the default,
  • HTMLPurifierSanitizer: ???
  • HTMLNullSanitizer: no sanitizing at all.
For example, to disable sanitization entirely, set in the iTop configuration file:
  'html_sanitizer' => 'HTMLNullSanitizer',
Removing the sanitizer exposes your iTop to security risks: any HTML written into a rich text field, including HTML imported from incoming emails, is then stored and displayed unchanged.
latest/admin/rich_text_limitations.txt · Last modified: 2023/07/21 10:19 (external edit)