In some areas of the application, Pricefx allows limited text formatting by using HTML.
However, not all HTML can be rendered safely. HTML may contain scripts, unsupported elements, or styling that could be misused when dynamic content entered by one user is displayed to another user. For this reason, Pricefx sanitizes HTML and renders only a restricted subset of tags and attributes.
The list of allowed tags and attributes below applies to places where HTML rendering is supported, for example setMessage() in configurators and the Messages editor.
Feature Flags Affecting HTML Rendering
Since version 17.0, the actual rendering of HTML also depends on active security controls. The allowed tags listed on this page are therefore not an unconditional guarantee that a tag will always be rendered as HTML in every UI context.
HTML Sanitization
A feature flag named disableHtmlInjection is available for stricter sanitization. When enabled, HTML injection is disabled for relevant inputs by stripping all HTML tags. The default value is false, which preserves the existing behavior unless the flag is explicitly enabled.
Hyperlink Sanitization
In the default application behavior (since 17.0), raw HTML anchor tags (<a>) in affected UI contexts are not rendered as clickable links but are displayed as plain text. This behavior differs from pre-17.0 versions, where such hyperlinks could be rendered as links.
If needed for backward compatibility, the previous behavior can be restored on request through Pricefx Support.
Links configured through grid columns of type Link are not affected by this behavior and continue to work as links.
Allowed HTML Tags
When HTML rendering is enabled and no stricter sanitization rule applies, the following HTML tags are allowed:
h1, h2, h3, h4, h5, h6, blockquote, p, ul, ol, li, b, i, strong, em, strike, code, hr, br, div, span, pre, center, font, u, img, a
Allowed HTML Attributes
When HTML rendering is enabled and no stricter sanitization rule applies, the following attributes are allowed:
div: style
span: style
p: style
font: face, style, color, size
a: href, name, target
img: src
Allowed URL Schemes
The following URL schemes are allowed for links:
http, https
For images, the following URL schemes are allowed:
data, http, https
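The checker below is an added example, not Pricefx code: it parses a message and reports every tag, attribute and URL scheme that falls outside the lists above, so content can be reviewed before it is passed to a place such as setMessage(). It models only the allowlist, not the feature flags. The names check_html and SAMPLE are hypothetical, and reporting URLs that have no scheme is an assumption, because the page lists only explicit schemes.

```python
import re
from html.parser import HTMLParser

# Allowlists copied from this page; everything else here is illustrative.
ALLOWED_TAGS = set(
    "h1 h2 h3 h4 h5 h6 blockquote p ul ol li b i strong em strike code hr br "
    "div span pre center font u img a".split())
ALLOWED_ATTRS = {
    "div": {"style"}, "span": {"style"}, "p": {"style"},
    "font": {"face", "style", "color", "size"},
    "a": {"href", "name", "target"}, "img": {"src"}}
URL_SCHEMES = {("a", "href"): {"http", "https"},
               ("img", "src"): {"data", "http", "https"}}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

def url_scheme(value):
    # Normalise first: browsers ignore tabs and newlines inside a URL.
    cleaned = "".join(ch for ch in (value or "") if ch > " ")
    match = SCHEME_RE.match(cleaned)
    # Assumption: a URL without a scheme is reported as "(none)".
    return match.group(1).lower() if match else "(none)"

class AllowlistChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        if tag not in ALLOWED_TAGS:
            self.findings.append(("tag", tag, None))
            return
        for name, value in attrs:  # names arrive lowercased, values entity-decoded
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(("attribute", tag, name))
            elif (tag, name) in URL_SCHEMES:
                scheme = url_scheme(value)
                if scheme not in URL_SCHEMES[(tag, name)]:
                    self.findings.append(("scheme", tag, scheme))

def check_html(markup):
    # Returns (kind, tag, detail) tuples in document order.
    checker = AllowlistChecker()
    checker.feed(markup)
    checker.close()
    return checker.findings

# Constructed sample message, not taken from a real configurator.
SAMPLE = ('<p style="color:red">Price <b onclick="x()">updated</b></p>'
          '<script>x()</script><a href="javascript:void(0)">details</a>'
          '<img src="data:image/png;base64,AAAA"><a href="https://example.com/">ok</a>')
```

An empty result from check_html means the markup stays within the documented subset; whether it is then rendered as HTML still depends on the active sanitization settings described on this page.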
Important Note about Links
Although the <a> tag belongs to the allowed HTML subset, its rendering depends on the active sanitization settings and on the UI context in which the content is displayed. In particular, raw HTML hyperlinks can be suppressed by the hyperlink kill switch or by stricter HTML sanitization.
If you need clickable links in grids, use a grid column configured with attribute type or element format type Link.
See also Supported and Unsupported Characters in Data, which explains how product data is treated if it contains the greater-than (>) and less-than (<) symbols.