Allowed Attributes in Wikitext

Owned by aismallard
Last updated: Mar 09, 2022
4 min read

Wikidot has an arbitrary and inconsistent limit of which attributes are passed from blocks into HTML tags. It’s usually id, class, style, and possibly other attributes when Wikidot developers remembered.

However we shouldn’t just all all attributes through, as they could run trusted scripts or expose other security issues.

Instead we have a premade list of which attributes are permitted and which are not:

Attribute Name

Affected HTML Elements

Allowed?

Rationale

Attribute Name

Affected HTML Elements

Allowed?

Rationale

accept

<form>, <input>

YES

Affects the behavior of a file picker.

accept-charset

<form>

NO

The character set should be set at the platform level.

accesskey

Global attribute

NO

Could be used to hijack user focus.

action

<form>

NO

Allows submitting a form to an arbitrary destination.

align

<applet>, <caption>, <col>, <colgroup>, <hr>, <iframe>, <img>, <table>, <tbody>, <td>, <tfoot>, <th>, <thead>, <tr>

YES

Cosmetic attribute.

allow

<iframe>

NO

Can permit the child iframe to have access to browser resources like the microphone.

alt

<applet>, <area>, <img>, <input>

YES

Alt text is important for accessibility.

aria-*

Global attribute

YES

Permits users to add ARIA attributes to enhance accessibility.

async

<script>

NO

Only affects scripts, which users cannot load.

autocapitalize

Global attribute

YES

Affects capitalization in input fields.

autocomplete

<form>, <input>, <select>, <textarea>

NO

Could be used to steal credentials by mimicking username or password fields.

autofocus

<form>, <input>, <select>, <textarea>

NO

Could be used to hijack user focus.

autoplay

<audio>, <video>

YES

Users can configure their browsers to block this, and it can be used to narrative effect.

background*

<body>, <table>, <td>, <th>

YES

Cosmetic attribute.

bgcolor*

<body>, <col>, <colgroup>, <marquee>, <table>, <tbody>, <tfoot>, <td>, <th>, <tr>

YES

Cosmetic attribute.

border*

<img>, <object>, <table>

YES

Cosmetic attribute.

buffered

<audio>, <video>

YES

Optimizing media buffering.

capture

<input>

NO

Allows media capture resources (e.g. camera) to be accessed.

challenge*

<keygen>

NO

Deprecated and involves a security mechanism.

charset

<meta>, <script>

NO

The character set should be set at the platform level.

checked

<command>, <input>

YES

Affects whether an input starts with a truthy value.

cite

<blockquote>, <del>, <ins>, <q>

YES

Allows citing the origin of contained elements.

class

Global attribute.

YES

Cosmetic attribute.

code

<applet>

NO

Applets are not permitted.

codebase

<applet>

NO

Applets are not permitted.

color*

<basefont>, <font>, <hr>

NO

Only permitted on <hr>, likely source of user error (e.g. adding it to [[span]]).

cols

<textarea>

YES

Cosmetic attribute.

colspan

<td>, <th>

YES

Cosmetic attribute.

content

<meta>

NO

Meta attributes are set at the site level.

contenteditable

Global attribute.

YES

Allows changing intractability of static elements.

contextmenu†

Global attribute.

NO

Experimental attribute.

controls

<audio>, <video>

YES

Allows exposing media controls.

coords

<area>

YES

Cosmetic attribute.

crossorigin

<audio>, <img>, <link>, <script>, <video>

NO

Affecting cross-origin settings is a possible security issue.

csp†

<iframe>

NO

Experimental attribute.

data-*

Global attribute.

YES

Allows users to add data tags to their DOM elements.

datetime

<del>, <ins>, <time>

YES

Useful metadata.

decoding

<ins>

YES

Allows optimizing page rendering.

default

<track>

YES

Configures media player behavior.

defer

<script>

NO

Only affects scripts, which users cannot load.

dir

Global attribute.

YES

Allows setting text direction for cosmetics and internationalization.

dirname

<input>, <textarea>

YES

Input field customization.

disabled

<button>, <command>, <fieldset>, <input>, <keygen>, <optgroup>, <option>, <select>, <textarea>

YES

Affects field interactivity.

download

<a>, <area>

YES

Allows links to force a download.

draggable

Global attribute.

YES

Allows making elements as draggable.

enctype

<form>

NO

Forms are not allowed to POST remotely.

enterkey-hint†

<textarea>, contenteditable

NO

Experimental attribute.

for

<label>, <output>

YES

Allows parenting elements.

form

<button>, <fieldset>, <input>, <keygen>, <label>, <meter>, <object>, <output>, <progress>, <select>, <textarea>

YES

Allows constructing forms.

formaction

<button>, <input>

NO

Allows setting a form’s action.

formenctype

<button>, <input>

NO

Allows setting a form’s content type.

formmethod

<button>, <input>

NO

Allows setting a form’s method type.

formnovalidate

<button>, <input>

NO

Allows setting a form’s validation type.

formtarget

<button>, <input>

NO

Allows setting a form’s target.

headers

<td>, <th>

YES

Customizing the IDs of table elements.

height*

<canvas>, <embed>, <iframe>, <img>, <input>, <object>, <video>

YES

Cosmetic attribute.

hidden

Global attribute.

YES

Cosmetic attribute.

high

<meter>

YES

Allows customizing a meter element.

href

<a>, <area>, <base>, <link>

YES

Allows creating links.

hreflang

<a>, <area>, <link>

YES

Allows specifying the language of the linked resource.

http-equiv

<meta>

NO

Meta attributes are set at the site level.

icon

<command>

NO

Command is deprecated.

id

Global attribute.

YES

Cosmetic attribute.

importance†

<iframe>, <img>, <link>, <script>

NO

Experimental attribute.

integrity

<link>, <script>

NO

Users cannot pull styling or scripts.

intrinsic-size*

<img>

NO

Deprecated attribute.

inputmode

<textarea>, contenteditable

YES

Allows setting the type of text input.

ismap

<img>

YES

Allows utilizing image maps.

itemprop

Global attribute.

YES

Allows adding properties to elements.

keytype

<keygen>

NO

Deprecated and involves a security mechanism.

kind

<track>

YES

Configures media player behavior.

label

<optgroup>, <option>, <track>

YES

Sets a title for this element.

lang

Global attribute.

YES

Defines the language used in this element.

language*

<script>

NO

Deprecated, and users cannot load scripts.

loading†

<img>, <iframe>

NO

Experimental attribute.

list

<input>

YES

Allows setting a list of premade options.

loop

<audio>, <bgsound>, <marquee>, <video>

YES

Configures media player behavior.

low

<meter>

YES

Allows customizing a meter element.

manifest*

<html>

NO

Deprecated and involves document construction.

max

<input>, <meter>, <progress>

YES

Allows customizing element limits.

maxlength

<input>, <textarea>

YES

Allows customizing element limits.

minlength

<input>, <textarea>

YES

Allows customizing element limits.

media

<a>, <area>, <link>, <source>, <style>

NO

Not well-used or supported.

method

<form>

NO

Allows setting a form’s method.

min

<input>, <meter>

YES

Allows customizing element limits.

multiple

<input>, <select>

YES

Allows multiple values to be selected or inputted.

muted

<audio>, <video>

YES

Configures media player behavior.

name

<button>, <form>, <fieldset>, <iframe>, <input>, <keygen>, <object>, <select>, <textarea>, <map>, <meta>, <param>

YES

Names the element.

novalidate

<form>

NO

Allows setting a form’s validation option.

open

<details>

NO

Not using details for collapsible elements.

optimum

<meter>

YES

Allows customizing a meter element.

pattern

<input>

YES

Requires that an input field match a particular regular expression.

ping

<a>, <area>

NO

Pingbacks are no longer in common use.

placeholder

<input>, <textarea>

YES

Allows setting a field placeholder hint.

poster

<video>

YES

Configures media player behavior.

preload

<audio>, <video>

YES

Configures media player behavior.

radiogroup*

<command>

NO

Deprecated attribute.

readonly

<input>, <textarea>

YES

Allows setting a field’s editability.

referrerpolicy†

<a>, <area>, <iframe>, <img>, <link>, <script>

NO

Experimental attribute, restricts referrer.

rel

<a>, <area>, <link>

NO

Allows setting referrer and opener policy.

required

<input>, <select>, <textarea>

YES

Whether an input element is required or not.

reversed

<ol>

YES

Cosmetic attribute.

role

Global attribute.

YES

ARIA attribute.

rows

<textarea>

YES

Cosmetic attribute.

rowspan

<td>, <th>

YES

Cosmetic attribute.

sandbox

<iframe>

NO

Can be used to escape iframe sandboxing.

scope

<th>

YES

Cosmetic attribute.

scoped*

<style>

NO

Deprecated attribute.

selected

<option>

YES

Affects whether an option starts selected.

shape

<a>, <area>

YES

Cosmetic attribute.

size

<input>, <select>

YES

Cosmetic attribute.

sizes

<link>, <img>, <source>

YES

Specifies the sizes this element can be.

slot

Global attribute.

NO

Further research on web components and slots is needed.

span

<col>, <colgroup>

YES

Cosmetic attribute.

spellcheck

Global attribute.

YES

Indicate whether the element should be spellchecked.

src

<audio>, <embed>, <iframe>, <img>, <input>, <script>, <source>, <track>, <video>

YES

The source of the media or object being included.

srcdoc

<iframe>

NO

The src attribute should be used instead. Additionally, it could be used to inject arbitrary HTML in an improper context.

srclang

<track>

YES

Allows setting subtitle language.

srcset

<img>, <source>

YES

Responsive media settings.

start

<ol>

YES

Cosmetic attribute.

step

<input>

YES

Cosmetic attribute.

style

Global attribute.

YES

Cosmetic attribute.

summary*

<table>

NO

Deprecated attribute.

tabindex

Global attribute.

YES

Allows setting tab order.

target

<a>, <area>, <base>, <form>

YES

Allows setting an element’s target.

title

Global attribute.

YES

Allows setting tooltips.

translate

Global attribute.

YES

Assists in localization and translation.

type

<button>, <input>, <command>, <embed>, <object>, <script>, <source>, <style>, <menu>

YES

Allows setting the element type.

usemap

<img>, <input>, <object>

YES

Allows utilizing image maps.

value

<button>, <data>, <input>, <li>, <meter>, <option>, <progress>, <param>

YES

Default value of the element.

width*

<canvas>, <embed>, <iframe>, <img>, <input>, <object>, <video>

YES

Cosmetic attribute.

wrap

<textarea>

YES

Cosmetic attribute.

* Item is deprecated.
† Item is experimental.

See also:

Â