Default TAGs ATTRIBUTEs allow list & blocklist
(Note: the following information refer to the version 1.0.8 of the library)
DOMPurify default behavior will permit an allow-list of tags and attributes inside the input.
- check the lists in src/tags.js and src/attrs.js
- what's not in the allow-list is implicitly removed
If desired, tag or attribute can be explicitly blocklisted specifying FORBID_TAGS/FORBIT_ATTR in the sanitizing config. By default they are empty, hence not considered.
The following are the lists of defaults that will not be allowed by DOMPurify sanitizing:
(compare HTML5 tutorials - All HTML5 Tags with TAGS)
appletbasebasefontcommandembedframeframesetiframekeygenlinkmetanoframesnoscriptobjectparamscripttitle- [this list may be incomplete]
(compare MDN HTML attribute reference with ATTRS)
accept-charsetaccesskeyallowasyncautocapitalizeautofocusautoplaybufferedchallengecharsetcodecodebasecontentcontenteditablecontextmenucodebasecontentcontenteditablecontextmenucontrolsdatadecodingdeferdirnamedraggabledropzoneformformactionhttp-equiviconimportanceitempropkeytypekindlanguagelazyloadmanifestminlengthmutedpingsandboxscopedslotspellchecksrcdocsrclangstarttargettranslatewrap- [this list may be incomplete]
Note: attributes are blocklisted regardless of their value.
Note: data-*/aria-* attributes are allowed by default and controlled by specifying ALLOW_DATA_ATTR/ALLOW_ARIA_ATTR
- [TBA]
- [TBA]
Note: attributes are blocklisted regardless of their value.
- [TBA]
Note: attributes are blocklisted regardless of their value.
- [TBA]
- [TBA]
Note: attributes are blocklisted regardless of their value.
- [TBA]
Note: attributes are blocklisted regardless of their value.