The Script Attack Protection setting prevents specific custom code that is not whitelisted (see the list below) from being stored or executed in record values and views. The locations where Script Attack Protection is applied can be found here.
Please contact us at support@knack.com if you're using a code element that you would like to see included in this whitelist.
Note: Script Attack Protection is not applied to the API & Code section of the app. Additionally, Rich Text views continue to allow scripts when this setting is enabled.
| Allowed Tags | Allowed Attributes | Allowed Self Closing Tags | Allowed Schemes |
| --- | --- | --- | --- |
| h1 | a: [`style`] | img | http |
| h2 | a: [`href`] | br | https |
| h3 | a: [`name`] | hr | ftp |
| h4 | a: [`target`] | area | mailto |
| h5 | h1: [`style`] | base | href |
| h6 | h2: [`style`] | basefont | src |
| blockquote | h3: [`style`] | input | cite |
| p | h4: [`style`] | link | |
| del | h5: [`style`] | meta | |
| a | h6: [`style`] | | |
| ul | blockquote: [`style`] | | |
| ol | p: [`style`] | | |
| nl | del: [`style`] | | |
| li | ul: [`style`] | | |
| b | ol: [`style`] | | |
| i | nl: [`style`] | | |
| strong | li: [`style`] | | |
| em | b: [`style`] | | |
| strike | i: [`style`] | | |
| code | strong: [`style`] | | |
| hr | em: [`style`] | | |
| br | strike: [`style`] | | |
| div | code: [`style`] | | |
| table | hr: [`style`] | | |
| thead | br: [`style`] | | |
| caption | div: [`style`] | | |
| tbody | table: [`style`] | | |
| tr | thead: [`style`] | | |
| th | th: [`style`] | | |
| td | td: [`style`] | | |
| pre | tr: [`style`] | | |
| iframe | tbody: [`style`] | | |
| img | caption: [`style`] | | |
| span | pre: [`style`] | | |
| font | span: [`style`] | | |
| meter | href | | |
| button | align | | |
| progress | iframe | | |
| path | center | | |
| small | img | | |
| var | iframe: [all attributes] | | |
| sub | img: [all attributes] | | |
| sup | id | | |
| | class | | |
| | font: [`face`, `color`, `size`] | | |
| | button: [`style`, `type`] | | |
| | progress: [`value`, `max`] | | |
| | meter: [`value`, `min`, `max`, `optimum`] | | |
| | path: [all attributes] | | |
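To see which parts of an existing record value fall outside the whitelist above before enabling the setting, the following added example (not Knack's code, and not a description of how Knack filters content) audits an HTML string against the table. It assumes that a tag is permitted if it appears in either tag column, that bare attribute entries such as `id` and `class` apply to any tag, and that `href`, `src` and `cite` in the schemes column name the attributes whose URLs are checked; `audit` and `SAMPLE` are names invented for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist transcribed from the table above; grouping into sets is this example's choice.
STYLE_TAGS = set("h1 h2 h3 h4 h5 h6 blockquote p del a ul ol nl li b i strong em strike "
                 "code hr br div table thead caption tbody tr th td pre span button".split())
OTHER_TAGS = set("iframe img font meter progress path small var sub sup".split())
SELF_CLOSING = set("img br hr area base basefont input link meta".split())
ALLOWED_TAGS = STYLE_TAGS | OTHER_TAGS | SELF_CLOSING  # assumption: either column permits a tag
ANY_ATTR = {"iframe", "img", "path"}  # listed as [all attributes]
GLOBAL_ATTRS = {"href", "align", "id", "class"}  # assumption: bare entries apply to any tag
TAG_ATTRS = {"a": {"href", "name", "target"}, "font": {"face", "color", "size"},
             "button": {"type"}, "progress": {"value", "max"},
             "meter": {"value", "min", "max", "optimum"}}
SCHEMES = {"http", "https", "ftp", "mailto"}
URL_ATTRS = {"href", "src", "cite"}  # assumption: these entries name URL-carrying attributes

# Constructed record value used for the demo run below.
SAMPLE = ('<p style="color:red">Docs: <a href="javascript:void(0)" onclick="go()">open</a></p>'
          '<script src="https://example.com/w.js"></script>')

class AllowlistAudit(HTMLParser):
    """Collects (kind, detail) findings for markup outside the allowlist."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags like <br/>
        if tag not in ALLOWED_TAGS:
            self.findings.append(("tag", tag))
            return
        allowed = GLOBAL_ATTRS | TAG_ATTRS.get(tag, set())
        if tag in STYLE_TAGS:
            allowed = allowed | {"style"}
        for name, value in attrs:
            if tag not in ANY_ATTR and name not in allowed:
                self.findings.append(("attribute", f"{tag}[{name}]"))
            if name in URL_ATTRS:  # relative URLs have no scheme and pass
                scheme = urlsplit((value or "").strip()).scheme.lower()
                if scheme and scheme not in SCHEMES:
                    self.findings.append(("scheme", f"{tag}[{name}]={scheme}:"))

def audit(html):
    parser = AllowlistAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means every tag, attribute and URL scheme in the value appears in the table as interpreted here; each finding names the element that the whitelist does not cover.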