html_sanitize_attribute
The `html_sanitize_attribute` directive specifies which HTML attributes are allowed when sanitizing HTML content.
Description
The html_sanitize_attribute directive is part of the NGINX module designed for sanitizing HTML5 content. It allows users to define a whitelist of HTML attributes that are permitted when processing HTML elements. By using this directive, administrators can protect their applications from potentially harmful attributes that could lead to security vulnerabilities such as XSS (Cross-Site Scripting). The directive takes one or more argument values, each representing an attribute name that should be preserved in the sanitized output.
When a request is processed, the sanitizer evaluates the attributes of HTML elements against the list provided by html_sanitize_attribute. If an attribute is not on the whitelist, it will be removed from the output HTML. This feature works in conjunction with other directives that specify allowable HTML elements and CSS properties. It helps enforce a tighter security policy by ensuring that only safe attributes are included, thus maintaining control over the rendered HTML and mitigating risks associated with arbitrary content input.
Config Example
location /sanitize {
    html_sanitize_attribute src href;
    html_sanitize_attribute class id;
}
Ensure that all necessary attributes are whitelisted; otherwise, functionality may break due to missing attributes.
Use caution with attributes like 'style', which may introduce security risks if misconfigured.
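The whitelist behaviour described above, as an added Python model that is not part of the NGINX module (the class, the function and the sample markup are constructed for this page): it keeps only attributes whose name is on the list, records what it removed, and shows that a listed attribute such as style is kept with its value unchecked, which is why the note above advises caution with it.

```python
from html import escape
from html.parser import HTMLParser

# Whitelist taken from the config example above (src href class id).
ALLOWED_ATTRIBUTES = {"src", "href", "class", "id"}
# Constructed sample: an event handler and an inline style next to allowed attributes.
SAMPLE = '<a href="/docs" onclick="run()" style="color:red">Docs</a><img src="/x.png" id="logo">'


class AttributeWhitelistSanitizer(HTMLParser):
    # Rebuilds the markup keeping only attributes whose NAME is whitelisted; as the
    # directive is described, a kept attribute's VALUE passes through uninspected.
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = {a.lower() for a in allowed}
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed, handy for audit logs

    def _render(self, tag, attrs, close=">"):
        parts = [tag]
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            if name not in self.allowed:
                self.dropped.append((tag, name))
                continue
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        return "<" + " ".join(parts) + close

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, close=" />"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text was unescaped by the parser, re-escape it
        self.out.append(escape(data, quote=False))


def sanitize_attributes(html, allowed=ALLOWED_ATTRIBUTES):
    """Return (sanitized_html, dropped) for an HTML fragment."""
    parser = AttributeWhitelistSanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    print(sanitize_attributes(SAMPLE))
```

Running it on SAMPLE returns the markup with onclick and style removed from the anchor and the two removals listed, while the same input with style whitelisted keeps the inline style verbatim.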