Script Attack Protection: Whitelisted Custom Code Elements and Attributes – Knack

The Script Attack Protection setting prevents the storage and execution of specific custom code in record values and views that is not whitelisted (see list below). The locations where Script Attack Protection is applied can be found here.

Please contact us at support@knack.com if you're using a code element that you would like to see included in this whitelist.

Note: Script Attack Protection is not applied to the API & Code section of the app. Additionally Rich Text views continue to allow scripts when this setting is enabled.

Allowed Tags	Allowed Attributes	Allowed Self Closing Tags	Allowed Schemes
h1	a: ['style']	img	http
h2	a: ['href']	br	https
h3	a: ['name']	hr	ftp
h4	a: ['target']	area	mailto
h5	h1: [`style`]	base	href
h6	h2: [`style`]	basefont	src
blockquote	h3: [`style`]	input	cite
p	h4: [`style`]	link
del	h5: [`style`]	meta
a	h6: [`style`]
ul	blockquote: [`style`]
ol	p: [`style`]
nl	del: [`style`]
li	ul: [`style`]
b	ol: [`style`]
i	nl: [`style`]
strong	li: [`style`]
em	b: [`style`]
strike	i: [`style`]
code	strong: [`style`]
hr	em: [`style`]
br	strike: [`style`]
div	code: [`style`]
table	hr: [`style`]
thead	br: [`style`]
caption	div: [`style`]
tbody	table: [`style`]
tr	thead: [`style`]
th	th: [`style`]
td	td: [`style`]
pre	tr: [`style`]
iframe	tbody: [`style`]
img	caption: [`style`]
span	pre: [`style`]
font	span: [`style`]
meter	href
button	align
progress	iframe
path	center
small	img
var	iframe: [all attributes]
sub	img: [all attributes]
sup	id
	class
	font: [`face`, `color`, `size`]
	button: [`style`, `type`]
	progress: [`value`, max`]
	meter: [`value`, `min`, `max`, `optimum`]
	path: [all attributes]

Articles in this section

Related articles