Server-side sanitization and using custom tags and attributes in responses
Server-side sanitization is applied to the alt.html and alt.markdown Q&A response fields to prevent stored cross-site scripting (XSS) attacks. QnABot on AWS uses the sanitize-html
For more information on default allowed HTML tags and attributes, see the default options.
- <img>, <details>, and <summary> tags
- The style attribute on <p> elements (restricted to white-space: pre-line)
- The translate attribute on <span> elements
Important
Any tags or attributes not in the allowlist will be removed from Q&A responses. If your responses use custom HTML tags or attributes, you must add them to the allowlist in sanitizeOutput.js.
Instructions for adding custom tags/attributes to the allowlist
To add custom tags or attributes to the sanitization allowlist:
- Download the latest QnABot on AWS source code (v7.3.12 or later) from the GitHub repository (https://github.com/aws-solutions/qnabot-on-aws).
- Open source/lambda/es-proxy-layer/lib/sanitizeOutput.js in the QnABot source code.
- Locate the sanitizeParams object in the sanitize function.
- Add your custom tags to allowedTags:

```javascript
allowedTags: sanitizeHtml.defaults.allowedTags.concat([
    'question',
    'references',
    'chatHistory',
    'followUpMessage',
    'details',
    'summary',
    'img',
    'custom-tag', // add your custom tags here
]),
```

- Add custom attributes to allowedAttributes if needed:

```javascript
allowedAttributes: {
    ...sanitizeHtml.defaults.allowedAttributes,
    a: ['href'],
    p: ['style'],
    span: ['translate'],
    'custom-tag': ['src', 'width', 'height'], // add your custom attributes here
},
```

- Apply the same changes to source/website/js/components/designer/sanitizeOutput.js.
- Rebuild and redeploy the solution following the instructions in the README.
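The following is an added illustration, not QnABot's code and not the sanitize-html library: a minimal allowlist sanitizer in the same allowedTags/allowedAttributes shape, run over a constructed alt.html response, so you can see that anything left off the allowlist (including the hypothetical custom-tag) is removed and that event-handler attributes never survive. The filterStyle helper and the allowedSchemes list are this example's own approximations of the white-space: pre-line restriction and of URL scheme checking.

```javascript
// Added example, not QnABot's own code. A minimal allowlist sanitizer whose config
// mirrors the sanitizeParams shape (allowedTags / allowedAttributes). QnABot uses the
// sanitize-html library instead; this stand-in handles only simple well-formed markup.
const sanitizeParams = {
  allowedTags: ['p', 'a', 'span', 'details', 'summary', 'img', 'custom-tag'],
  allowedAttributes: {
    a: ['href'], p: ['style'], span: ['translate'], img: ['src', 'alt'],
    'custom-tag': ['src', 'width', 'height'], // hypothetical custom element
  },
  allowedStyles: { p: { 'white-space': /^pre-line$/ } }, // the page's pre-line rule
  allowedSchemes: ['http', 'https', 'mailto'], // an allowed href is still scheme-checked
};
const TAG_RE = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Keep only the style declarations the allowlist names, with an approved value.
function filterStyle(tag, css, params) {
  const rules = (params.allowedStyles || {})[tag] || {};
  return css.split(';').map((d) => d.split(':').map((s) => s.trim()))
    .filter(([p, ...v]) => Object.prototype.hasOwnProperty.call(rules, p) && rules[p].test(v.join(':')))
    .map(([p, ...v]) => `${p}: ${v.join(':')}`).join('; ');
}

function sanitize(html, params = sanitizeParams) {
  // script/style elements are removed together with their contents
  const stripped = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return stripped.replace(TAG_RE, (whole, rawName, rawAttrs) => {
    const name = rawName.toLowerCase();
    if (!params.allowedTags.includes(name)) return ''; // tag dropped, its text kept
    if (whole.startsWith('</')) return `</${name}>`;
    const allowed = params.allowedAttributes[name] || [];
    const kept = [];
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      let value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!allowed.includes(attr)) continue; // onerror, onclick, ... never survive
      if (attr === 'style') { value = filterStyle(name, value, params); if (!value) continue; }
      const scheme = /^\s*([a-z][a-z0-9+.-]*):/i.exec(value);
      if (['href', 'src'].includes(attr) && scheme
          && !(params.allowedSchemes || []).includes(scheme[1].toLowerCase())) continue;
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}
// Constructed sample alt.html response; only the allowlisted parts should remain.
const SAMPLE_ALT_HTML = '<p style="white-space: pre-line; color: red" onclick="x()">Hi <b>there</b></p>'
  + '<img src="a.png" onerror="alert(1)"><script>alert(2)</script>'
  + '<custom-tag src="v.mp4" width="320" foo="bar"></custom-tag><a href="javascript:alert(3)">x</a>';
console.log(sanitize(SAMPLE_ALT_HTML));
```

Removing 'custom-tag' from allowedTags in the config above makes the whole element disappear from the output while its text content stays, which is the behaviour the allowlist note describes.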
Important
Only add tags and attributes that you have thoroughly reviewed for security implications. Adding unsafe tags or attributes could re-introduce XSS vulnerabilities.