Script Attack Protection: Protected Areas

Danielle Kellogg Updated by Danielle Kellogg

The below locations are those where Script Attack Protection is applied (when the protection is enabled). Entering non-whitelisted code into any of these areas will not be stored. These tags and attributes (whitelist) are still allowed in the protected locations below:

Protected Builder Areas

These areas are protected on all apps, regardless of the security setting.


  • Name
  • Slug


  • Name


  • Name
  • Default Values
  • Formatting

Page (scene)

  • Name


  • Name
  • Title
  • Description
  • Label
  • "Reload Form" text
  • "Submit" button text
  • "No Data" text
  • Links
  • Groups
  • Columns
  • Field inputs

 The following areas are protected when this setting is enabled:

  • All field values
  • On import, all imported field values
Rich Text views continue to allow scripts when this setting is enabled.

How did we do?

Script Attack Protection: Whitelisted Custom Code Elements and Attributes