
Script Attack Protection: Whitelisted Custom Code Elements and Attributes

This article shares custom code elements and attributes that are not whitelisted when using the Script Attack Protection setting.

The Script Attack Protection setting prevents the storage and execution of custom code in record values and views unless that code is whitelisted (see the list below). The locations where Script Attack Protection is applied can be found here.

Please contact our support team via the chat widget in the Builder or by submitting this form if you're using a code element that you would like to see included in this whitelist.

Note: Script Attack Protection is not applied to the API & Code section of the app. Additionally, Rich Text views continue to allow scripts when this setting is enabled.

| Allowed Tags | Allowed Attributes | Allowed Self Closing Tags | Allowed Schemes |
| --- | --- | --- | --- |
| h1 | a: [`style`] | img | http |
| h2 | a: [`href`] | br | https |
| h3 | a: [`name`] | hr | ftp |
| h4 | a: [`target`] | area | mailto |
| h5 | h1: [`style`] | base | href |
| h6 | h2: [`style`] | basefont | src |
| blockquote | h3: [`style`] | input | cite |
| p | h4: [`style`] | link | |
| del | h5: [`style`] | meta | |
| a | h6: [`style`] | | |
| ul | blockquote: [`style`] | | |
| ol | p: [`style`] | | |
| nl | del: [`style`] | | |
| li | ul: [`style`] | | |
| b | ol: [`style`] | | |
| i | nl: [`style`] | | |
| strong | li: [`style`] | | |
| em | b: [`style`] | | |
| strike | i: [`style`] | | |
| code | strong: [`style`] | | |
| hr | em: [`style`] | | |
| br | strike: [`style`] | | |
| div | code: [`style`] | | |
| table | hr: [`style`] | | |
| thead | br: [`style`] | | |
| caption | div: [`style`] | | |
| tbody | table: [`style`] | | |
| tr | thead: [`style`] | | |
| th | th: [`style`] | | |
| td | td: [`style`] | | |
| pre | tr: [`style`] | | |
| iframe | tbody: [`style`] | | |
| img | caption: [`style`] | | |
| span | pre: [`style`] | | |
| font | span: [`style`] | | |
| meter | href | | |
| button | align | | |
| progress | iframe | | |
| path | center | | |
| small | img | | |
| var | iframe: [all attributes] | | |
| sub | img: [all attributes] | | |
| sup | id | | |
| | class | | |
| | font: [`face`, `color`, `size`] | | |
| | button: [`style`, `type`] | | |
| | progress: [`value`, `max`] | | |
| | meter: [`value`, `min`, `max`, `optimum`] | | |
| | path: [all attributes] | | |
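
The following is an added example, not the vendor's code: a small linter that checks an HTML snippet against the allowlist above and reports every tag, attribute or URL scheme that falls outside it. It assumes the bare attribute names (`href`, `align`, `id`, `class`) apply to every tag and that `href`, `src` and `cite` in the schemes column are the attributes whose URL scheme is checked; the bare `iframe`, `center` and `img` entries in the attributes column are ambiguous and left out, and the sample input is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist transcribed from the table on this page.
ALLOWED_TAGS = set("""h1 h2 h3 h4 h5 h6 blockquote p del a ul ol nl li b i strong
em strike code hr br div table thead caption tbody tr th td pre iframe img span
font meter button progress path small var sub sup""".split())
# Tags that do NOT have a plain "tag: [style]" row in the attributes column.
NO_STYLE_ROW = set("a iframe img font meter button progress path small var sub sup".split())
TAG_ATTRS = {t: {"style"} for t in ALLOWED_TAGS - NO_STYLE_ROW}
TAG_ATTRS.update({
    "a": {"style", "href", "name", "target"},
    "font": {"face", "color", "size"},
    "button": {"style", "type"},
    "progress": {"value", "max"},
    "meter": {"value", "min", "max", "optimum"},
})
ANY_ATTR_TAGS = {"iframe", "img", "path"}        # listed as "[all attributes]"
GLOBAL_ATTRS = {"href", "align", "id", "class"}  # assumption: valid on any tag
SCHEMES = {"http", "https", "ftp", "mailto"}
URL_ATTRS = {"href", "src", "cite"}              # assumption: scheme-checked attrs

class AllowlistLinter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, tag, detail)

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        if tag not in ALLOWED_TAGS:
            self.findings.append(("tag", tag, ""))
            return
        for name, value in attrs:
            allowed = TAG_ATTRS.get(tag, set()) | GLOBAL_ATTRS
            if tag not in ANY_ATTR_TAGS and name not in allowed:
                self.findings.append(("attribute", tag, name))
            if name in URL_ATTRS and value:
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme and scheme not in SCHEMES:  # relative URLs have no scheme
                    self.findings.append(("scheme", tag, scheme))

def lint(html):
    """Return every (kind, tag, detail) in html that is outside the allowlist."""
    parser = AllowlistLinter()
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE = ('<p style="color:red" onclick="x()">Hi</p>'   # constructed input
          '<a href="tel:+15550100" target="_blank">call</a>'
          '<script>console.log(1)</script>'
          '<img src="https://example.com/a.png" width="10">')
if __name__ == "__main__":
    print(lint(SAMPLE))
```

The linter only reports; how the platform itself treats content outside the allowlist is not described on this page beyond preventing its storage and execution.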