The Script Attack Protection setting is a security feature that prevents the storage and execution of specific custom code elements and attributes that are not on the allowlist.
This article contains the following sections:
- The Script Attack Protection setting, accessed in the Security tab of your app's settings, is a security feature that restricts the use of certain custom code elements and attributes.
- The locations where Script Attack Protection is applied are listed in this article.
The list of code elements and attributes below represents the items that are allowlisted (not blocked) even when the Script Attack Protection setting is enabled.
When enabled, code that is not on the Script Attack Protection allowlist is prevented from being saved in field values; all other submitted values are saved as normal.
This sanitization happens silently during form submission, whether in the Live App or the Builder: no notification is shown, and the affected values are simply not saved.
Examples:
- `<script src="google.com">Hello world!</script>` saves as having no value. Why? The `<script></script>` tag is code that is not on the allowlist.
- `<b onclick="alert('hello')">Hello world!</b>` saves as `<b>Hello world!</b>`. Why? The `onclick` attribute is code that is not on the allowlist.
- `<b>Hello world!</b>` saves as `<b>Hello world!</b>`. Why? This HTML code is allowed.
Allowlist

Allowed Tags:
- h1
- h2
- h3
- h4
- h5
- h6
- blockquote
- p
- del
- a
- ul
- ol
- nl
- li
- b
- i
- strong
- em
- strike
- code
- hr
- br
- div
- table
- thead
- caption
- tbody
- tr
- th
- td
- pre
- iframe
- img
- span
- font
- meter
- button
- progress
- path
- small
- var
- sub
- sup
- u
- details
- summary

Allowed Attributes:
- a: [`style`]
- a: [`href`]
- a: [`name`]
- a: [`target`]
- h1: [`style`]
- h2: [`style`]
- h3: [`style`]
- h4: [`style`]
- h5: [`style`]
- h6: [`style`]
- blockquote: [`style`]
- p: [`style`]
- del: [`style`]
- ul: [`style`]
- ol: [`style`]
- nl: [`style`]
- li: [`style`]
- b: [`style`]
- i: [`style`]
- strong: [`style`]
- em: [`style`]
- strike: [`style`]
- code: [`style`]
- hr: [`style`]
- br: [`style`]
- div: [`style`]
- table: [`style`]
- thead: [`style`]
- th: [`style`]
- td: [`style`]
- tr: [`style`]
- tbody: [`style`]
- caption: [`style`]
- pre: [`style`]
- span: [`style`]
- href
- align
- iframe
- center
- img
- iframe: [all attributes]
- img: [all attributes]
- id
- class
- font: [`face`, `color`, `size`]
- button: [`style`, `type`]
- progress: [`value`, `max`]
- meter: [`value`, `min`, `max`, `optimum`]
- path: [all attributes]

Allowed Self Closing Tags:
- img
- br
- hr
- area
- base
- basefont
- input
- link
- meta

Allowed Schemes:
- http
- https
- ftp
- mailto
- href
- src
- cite
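As an added illustration (not the platform's own code), the following small JavaScript sanitizer reproduces the behaviour of the three examples above against a subset of the allowlist. It assumes that the scheme check applies to the `href`, `src` and `cite` attributes, and that the text inside a removed `script` or `style` element is dropped with it, which is what "saves as having no value" describes.

```javascript
// Allowlist subset taken from the article; null means every attribute is allowed.
const ALLOWED_TAGS = new Set(["b", "i", "strong", "em", "p", "div", "span", "a", "br", "hr", "img", "font"]);
const ALLOWED_ATTRS = { a: ["style", "href", "name", "target"], img: null, font: ["face", "color", "size"] };
for (const t of ["b", "i", "strong", "em", "p", "div", "span", "br", "hr"]) ALLOWED_ATTRS[t] = ["style"];
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);
const URL_ATTRS = new Set(["href", "src", "cite"]); // assumption: attributes the scheme check applies to
const DROP_CONTENT = new Set(["script", "style"]);  // assumption: their text content is dropped too

// A relative URL has no scheme and passes; an absolute one must use an allowed scheme.
function schemeAllowed(value) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(value);
  return !m || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Keep only the allowlisted attributes of `tag`; re-quote values so the output stays well formed.
function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag] === undefined ? [] : ALLOWED_ATTRS[tag];
  const re = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  for (let m; (m = re.exec(raw)); ) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (allowed !== null && !allowed.includes(name)) continue;  // e.g. onclick on <b>
    if (URL_ATTRS.has(name) && !schemeAllowed(value)) continue; // e.g. an unlisted scheme in href
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

// Walk the markup token by token (deliberately simple: no comments, CDATA or entity handling).
// Tags not on the allowlist are removed, script/style together with their content; allowed
// tags are re-emitted with cleaned attributes, and a stray "<" in text is escaped.
function sanitize(html) {
  const re = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let out = "", dropping = null;
  for (let m; (m = re.exec(html)); ) {
    if (m[2] === undefined) {
      if (!dropping) out += m[0] === "<" ? "&lt;" : m[0];
      continue;
    }
    const closing = m[1] === "/", tag = m[2].toLowerCase();
    if (dropping) { if (closing && tag === dropping) dropping = null; continue; }
    if (!ALLOWED_TAGS.has(tag)) { if (!closing && DROP_CONTENT.has(tag)) dropping = tag; continue; }
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[3])}>`;
  }
  return out;
}

// The article's own examples, run through the sanitizer.
console.log(JSON.stringify(sanitize('<script src="google.com">Hello world!</script>'))); // ""
console.log(sanitize('<b onclick="alert(\'hello\')">Hello world!</b>'));                 // <b>Hello world!</b>
```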