A common requirement for VividCharts users is the ability to display HTML field values from their ServiceNow data in their reports.
Parsing and sanitizing HTML values is an inexact science, given that oftentimes those values are copied and pasted from an email or some other source that may contain many characters that have special meaning within HTML (the “<” character is one such example).
When VividCharts encounters an HTML field, we filter the value against a list of approved tags to ensure that the output is rendered as accurately as possible and does not cause an issue with the other technologies powering our application. You can find the list of valid tags below.
a, abbr, address, area, article, aside, audio, b, base, bdi, bdo,
blockquote, body, br, button, canvas, caption, cite, code, col, colgroup,
data, datalist, dd, del, details, dfn, dialog, div, dl, dt, em, embed,
fieldset, figcaption, figure, footer, form, h1, h2, h3, h4, h5, h6, head,
header, hgroup, hr, html, i, iframe, img, input, ins, kbd, label, legend,
li, link, main, map, mark, meta, meter, nav, noscript, object, ol,
optgroup, option, output, p, picture, pre, progress, q, rp, rt, ruby, s,
samp, section, select, small, source, span, strong, style, sub, summary,
sup, svg, table, tbody, td, template, textarea, tfoot, th, thead, time,
title, tr, track, u, ul, var, video, wbr
To see what tags are contained within an HTML field, you should use the code view option accessed by clicking the “<>” button in the WYSIWYG toolbar.
A notable omission from the list of valid tags is the script tag, often used in HTML to add interactive behavior, but also commonly used to expose vulnerabilities to bad actors. VividCharts excludes that tag from any rendered HTML to prioritize customer safety.
Additionally, HTML tags often contain additional information called attributes. ID’s and class names are the most common and are allowed by VividCharts. Other tag attributes may result in unexpected errors and we encourage them to be removed from your HTML field.