Genpact Cora Knowledge Center


Configure HTML Sanitization



To protect HTML content against attacks such as cross-site scripting (XSS), you must sanitize it. This functionality gives clients full control over the HTML content displayed in Flowtime.

At present, HTML sanitization is enabled for the Conversations View in Cora SeQuence. HTML content saved in the Cora SeQuence database is sanitized when it is fetched for display in the Conversations View; the stored content in the database remains unchanged.

HTML Sanitizer functionality is enabled by default with the deployment.
You can enable or disable this functionality from the HtmlSanitizationRules.xml file in the ~Shared Resources\Components\HtmlSanitizer folder in your system.

Sample HtmlSanitizationRules.xml file template

<?xml version="1.0"?>
<Rules enabled="true" allowDataAttributes="false" keepChildNodes="false">
    <Tags clearDefaults="false" />
    <Attributes clearDefaults="false" />
    <CssProperties clearDefaults="false" />
    <AtRules clearDefaults="false" />
    <Schemes clearDefaults="false" />
    <UriAttributes clearDefaults="false" />
</Rules>

XML Elements

enabled: true (default). Enables or disables HTML sanitization.
allowDataAttributes: false (default). Allows usage of data attributes.
keepChildNodes: false (default). Keeps the content of restricted nodes intact.

The following are the default configuration elements and parameters supported in the XML file.

Allowed attributes

background-clip, background-origin, background-size, border-bottom-left-radius, border-bottom-right-radius, border-image, border-image-outset, border-image-repeat, border-image-slice, border-image-source, border-image-width, border-radius, border-top-left-radius, border-top-right-radius, font-feature-settings, font-kerning, font-language-override, font-size-adjust, font-stretch, font-synthesis, font-variant-alternates, font-variant-caps, font-variant-east-asian, font-variant-ligatures, font-variant-numeric, font-variant-position, outline-offset, overflow-wrap, overflow-x, overflow-y, text-decoration-color, text-decoration-line, text-decoration-skip, text-decoration-style

Allowed tags

a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hr, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr

Allowed CSS properties

background, background-attachment, background-color, background-image, background-position, background-repeat, border, border-bottom, border-bottom-color, border-bottom-style, border-bottom-width, border-collapse, border-color, border-left, border-left-color, border-left-style, border-left-width, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-style, border-top-width, border-width, bottom, caption-side, clear, clip, color, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, float, font, font-family, font-size, font-style, font-variant, font-weight, height, left, letter-spacing, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width, min-height, min-width, opacity, orphans, outline, outline-color, outline-style, outline-width, overflow, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, quotes, right, table-layout, text-align, text-decoration, text-indent, text-transform, top, unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing, z-index

Allowed CSS at-rules

namespace, style

Allowed Uri schemes

http, https

Allowed Uri attributes

action, background, dynsrc, href, lowsrc, src

Customized sanitization rules

You can customize the HTML sanitization rules to suit your needs by adding new rules to a copy of the HtmlSanitizationRules XML file.

Do not modify the default HtmlSanitizationRules.xml file.

  1. Create a copy of the default HTML sanitization rules XML file in the following locations in your system, and rename the file.
    For Administration:
    ~\Administration\Shared Resources\Components\HtmlSanitizer
    For Flowtime:
    ~\Flowtime\Shared Resources\Components\HtmlSanitizer
  2. Add a key to the <appSettings> section of the web.config file, with the new XML file name as the value for this key.
    <add key="PNMsoft.Sequence.Web.Security.HtmlSanitization.RuleFileName" value="new XML file name" />
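
A check to run after step 2, given here as an added example and not as Genpact code: it reports every attribute in a rules file that differs from the sample template above, so a copied file that switches sanitization off is caught in review, and it reads back which rule file web.config points to. The function names, the sample inputs and the file name CustomRules.xml are constructed for illustration; the baseline values and the appSettings key are the ones shown on this page.

```python
import xml.etree.ElementTree as ET

# Baseline values copied from the sample template on this page.
BASELINE = {"enabled": "true", "allowDataAttributes": "false", "keepChildNodes": "false"}
SECTIONS = ("Tags", "Attributes", "CssProperties", "AtRules", "Schemes", "UriAttributes")
RULE_FILE_KEY = "PNMsoft.Sequence.Web.Security.HtmlSanitization.RuleFileName"

def audit_rules(xml_text):
    """List every place a rules file departs from the template baseline."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "Rules":
        return [f"unexpected root element <{root.tag}>"]
    findings = []
    for name, expected in BASELINE.items():
        actual = root.get(name)
        if actual is None or actual.strip().lower() != expected:
            findings.append(f"Rules/@{name}={actual} (template: {expected})")
    for section in SECTIONS:
        node = root.find(section)
        if node is None:
            findings.append(f"<{section}> missing")
        elif node.get("clearDefaults", "").strip().lower() != "false":
            findings.append(f"{section}/@clearDefaults={node.get('clearDefaults')} (template: false)")
    return findings

def configured_rule_file(web_config_text):
    """Return the rule file name set under <appSettings>, or None if the key is absent."""
    root = ET.fromstring(web_config_text)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == RULE_FILE_KEY:
            return add.get("value")
    return None

# Constructed sample: a copied rules file with sanitization switched off.
SAMPLE_RULES = """<Rules enabled="false" allowDataAttributes="false" keepChildNodes="false">
  <Tags clearDefaults="false" /><Attributes clearDefaults="false" /><CssProperties clearDefaults="false" />
  <AtRules clearDefaults="false" /><Schemes clearDefaults="true" /><UriAttributes clearDefaults="false" />
</Rules>"""
# Constructed web.config fragment; CustomRules.xml is a hypothetical file name.
SAMPLE_WEB_CONFIG = f"""<configuration><appSettings>
  <add key="{RULE_FILE_KEY}" value="CustomRules.xml" />
</appSettings></configuration>"""
if __name__ == "__main__":
    print("rule file:", configured_rule_file(SAMPLE_WEB_CONFIG))
    for finding in audit_rules(SAMPLE_RULES):
        print("REVIEW:", finding)
```

A finding means only that the file differs from the shipped template; whether the difference is acceptable is a review decision.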