Allowed HTML Tags and Attributes

In some areas of the application, Pricefx allows limited text formatting by using HTML.

However, not all HTML can be rendered safely. HTML may contain scripts, unsupported elements, or styling that could be misused when dynamic content entered by one user is displayed to another user. For this reason, Pricefx sanitizes HTML and renders only a restricted subset of tags and attributes.

The list of allowed tags and attributes below applies to places where HTML rendering is supported, for example ConfiguratorEntry.setMessage() in configurators and the Messages editor.

Feature Flags Affecting HTML Rendering

Since version 17.0, the actual rendering of HTML also depends on active security controls. The allowed tags listed on this page are therefore not an unconditional guarantee that a tag will always be rendered as HTML in every UI context.

HTML Sanitization

Starting with version 17.0, HTML sanitization is enforced by default in Dashboards, specifically affecting content added via the DashboardController.addHTML()function in the Dashboard Controller. This measure prevents the execution of potentially malicious scripts (XSS) within dashboard views.

If a specific business use case requires the use of non-standard HTML or scripts in a dashboard that are blocked by default, administrators can use a feature flag to disable sanitization for that specific partition. However, it is recommended to use standard platform features, such as controller buttons, instead of custom HTML buttons with complex JavaScript.

In the default application behavior (since 17.0), raw HTML anchor tags (<a>) in affected UI contexts are not rendered as clickable links but are displayed as plain text. This behavior differs from pre-17.0 versions, where such hyperlinks could be rendered as links.

If needed for backward compatibility, the previous behavior can be restored on request through Pricefx Support.

Links configured through grid columns of type Link are not affected by this behavior and continue to work as links.

Allowed HTML Tags

When HTML rendering is enabled and no stricter sanitization rule applies, the following HTML tags are allowed:

h1, h2, h3, h4, h5, h6, blockquote, p, ul, ol, li, b, i, strong, em, strike, code, hr, br, div, span, pre, center, font, u, img, a

Allowed HTML Attributes

When HTML rendering is enabled and no stricter sanitization rule applies, the following attributes are allowed:

div: style
span: style
p: style
font: face, style, color, size
a: href, name, target
img: src

Allowed URL Schemes

The following URL schemes are allowed for links:

http, https

For images, the following URL schemes are allowed:

data, http, https

Following URLs are always allowed for links:

pricefx.com, pricefx.eu, #

Although the <a> tag belongs to the allowed HTML subset, its rendering depends on the active sanitization settings and on the UI context in which the content is displayed. In particular, raw HTML hyperlinks can be suppressed by the hyperlink kill switch or by stricter HTML sanitization.

If you need clickable links in grids, use a grid column configured with attribute type or element format type Link.

See also Supported and Unsupported Characters in Data explaining how product data is treated if it contains the greater than > and less than < symbols.