Allowed Attributes in Wikitext

Wikidot has an arbitrary and inconsistent limit of which attributes are passed from blocks into HTML tags. It’s usually id, class, style, and possibly other attributes when Wikidot developers remembered.

However we shouldn’t just all all attributes through, as they could run trusted scripts or expose other security issues.

Instead we have a premade list of which attributes are permitted and which are not:

Attribute Name	Affected HTML Elements	Allowed?	Rationale

Attribute Name	Affected HTML Elements	Allowed?	Rationale
`accept`	`<form>`, `<input>`	YES	Affects the behavior of a file picker.
`accept-charset`	`<form>`	NO	The character set should be set at the platform level.
`accesskey`	Global attribute	NO	Could be used to hijack user focus.
`action`	`<form>`	NO	Allows submitting a form to an arbitrary destination.
`align`	`<applet>`, `<caption>`, `<col>`, `<colgroup>`, `<hr>`, `<iframe>`, `<img>`, `<table>`, `<tbody>`, `<td>`, `<tfoot>`, `<th>`, `<thead>`, `<tr>`	YES	Cosmetic attribute.
`allow`	`<iframe>`	NO	Can permit the child iframe to have access to browser resources like the microphone.
`alt`	`<applet>`, `<area>`, `<img>`, `<input>`	YES	Alt text is important for accessibility.
`aria-*`	Global attribute	YES	Permits users to add ARIA attributes to enhance accessibility.
`async`	`<script>`	NO	Only affects scripts, which users cannot load.
`autocapitalize`	Global attribute	YES	Affects capitalization in input fields.
`autocomplete`	`<form>`, `<input>`, `<select>`, `<textarea>`	NO	Could be used to steal credentials by mimicking username or password fields.
`autofocus`	`<form>`, `<input>`, `<select>`, `<textarea>`	NO	Could be used to hijack user focus.
`autoplay`	`<audio>`, `<video>`	YES	Users can configure their browsers to block this, and it can be used to narrative effect.
`background`*	`<body>`, `<table>`, `<td>`, `<th>`	YES	Cosmetic attribute.
`bgcolor`*	`<body>`, `<col>`, `<colgroup>`, `<marquee>`, `<table>`, `<tbody>`, `<tfoot>`, `<td>`, `<th>`, `<tr>`	YES	Cosmetic attribute.
`border`*	`<img>`, `<object>`, `<table>`	YES	Cosmetic attribute.
`buffered`	`<audio>`, `<video>`	YES	Optimizing media buffering.
`capture`	`<input>`	NO	Allows media capture resources (e.g. camera) to be accessed.
`challenge`*	`<keygen>`	NO	Deprecated and involves a security mechanism.
`charset`	`<meta>`, `<script>`	NO	The character set should be set at the platform level.
`checked`	`<command>`, `<input>`	YES	Affects whether an input starts with a truthy value.
`cite`	`<blockquote>`, `<del>`, `<ins>`, `<q>`	YES	Allows citing the origin of contained elements.
`class`	Global attribute.	YES	Cosmetic attribute.
`code`	`<applet>`	NO	Applets are not permitted.
`codebase`	`<applet>`	NO	Applets are not permitted.
`color`*	`<basefont>`, `<font>`, `<hr>`	NO	Only permitted on `<hr>`, likely source of user error (e.g. adding it to `[[span]]`).
`cols`	`<textarea>`	YES	Cosmetic attribute.
`colspan`	`<td>`, `<th>`	YES	Cosmetic attribute.
`content`	`<meta>`	NO	Meta attributes are set at the site level.
`contenteditable`	Global attribute.	YES	Allows changing intractability of static elements.
`contextmenu`^†	Global attribute.	NO	Experimental attribute.
`controls`	`<audio>`, `<video>`	YES	Allows exposing media controls.
`coords`	`<area>`	YES	Cosmetic attribute.
`crossorigin`	`<audio>`, `<img>`, `<link>`, `<script>`, `<video>`	NO	Affecting cross-origin settings is a possible security issue.
`csp`^†	`<iframe>`	NO	Experimental attribute.
`data-*`	Global attribute.	YES	Allows users to add data tags to their DOM elements.
`datetime`	`<del>`, `<ins>`, `<time>`	YES	Useful metadata.
`decoding`	`<ins>`	YES	Allows optimizing page rendering.
`default`	`<track>`	YES	Configures media player behavior.
`defer`	`<script>`	NO	Only affects scripts, which users cannot load.
`dir`	Global attribute.	YES	Allows setting text direction for cosmetics and internationalization.
`dirname`	`<input>`, `<textarea>`	YES	Input field customization.
`disabled`	`<button>`, `<command>`, `<fieldset>`, `<input>`, `<keygen>`, `<optgroup>`, `<option>`, `<select>`, `<textarea>`	YES	Affects field interactivity.
`download`	`<a>`, `<area>`	YES	Allows links to force a download.
`draggable`	Global attribute.	YES	Allows making elements as draggable.
`enctype`	`<form>`	NO	Forms are not allowed to `POST` remotely.
`enterkey-hint`^†	`<textarea>`, `contenteditable`	NO	Experimental attribute.
`for`	`<label>`, `<output>`	YES	Allows parenting elements.
`form`	`<button>`, `<fieldset>`, `<input>`, `<keygen>`, `<label>`, `<meter>`, `<object>`, `<output>`, `<progress>`, `<select>`, `<textarea>`	YES	Allows constructing forms.
`formaction`	`<button>`, `<input>`	NO	Allows setting a form’s action.
`formenctype`	`<button>`, `<input>`	NO	Allows setting a form’s content type.
`formmethod`	`<button>`, `<input>`	NO	Allows setting a form’s method type.
`formnovalidate`	`<button>`, `<input>`	NO	Allows setting a form’s validation type.
`formtarget`	`<button>`, `<input>`	NO	Allows setting a form’s target.
`headers`	`<td>`, `<th>`	YES	Customizing the IDs of table elements.
`height`*	`<canvas>`, `<embed>`, `<iframe>`, `<img>`, `<input>`, `<object>`, `<video>`	YES	Cosmetic attribute.
`hidden`	Global attribute.	YES	Cosmetic attribute.
`high`	`<meter>`	YES	Allows customizing a meter element.
`href`	`<a>`, `<area>`, `<base>`, `<link>`	YES	Allows creating links.
`hreflang`	`<a>`, `<area>`, `<link>`	YES	Allows specifying the language of the linked resource.
`http-equiv`	`<meta>`	NO	Meta attributes are set at the site level.
`icon`	`<command>`	NO	Command is deprecated.
`id`	Global attribute.	YES	Cosmetic attribute.
`importance`^†	`<iframe>`, `<img>`, `<link>`, `<script>`	NO	Experimental attribute.
`integrity`	`<link>`, `<script>`	NO	Users cannot pull styling or scripts.
`intrinsic-size`*	`<img>`	NO	Deprecated attribute.
`inputmode`	`<textarea>`, `contenteditable`	YES	Allows setting the type of text input.
`ismap`	`<img>`	YES	Allows utilizing image maps.
`itemprop`	Global attribute.	YES	Allows adding properties to elements.
`keytype`	`<keygen>`	NO	Deprecated and involves a security mechanism.
`kind`	`<track>`	YES	Configures media player behavior.
`label`	`<optgroup>`, `<option>`, `<track>`	YES	Sets a title for this element.
`lang`	Global attribute.	YES	Defines the language used in this element.
`language`*	`<script>`	NO	Deprecated, and users cannot load scripts.
`loading`^†	`<img>`, `<iframe>`	NO	Experimental attribute.
`list`	`<input>`	YES	Allows setting a list of premade options.
`loop`	`<audio>`, `<bgsound>`, `<marquee>`, `<video>`	YES	Configures media player behavior.
`low`	`<meter>`	YES	Allows customizing a meter element.
`manifest`*	`<html>`	NO	Deprecated and involves document construction.
`max`	`<input>`, `<meter>`, `<progress>`	YES	Allows customizing element limits.
`maxlength`	`<input>`, `<textarea>`	YES	Allows customizing element limits.
`minlength`	`<input>`, `<textarea>`	YES	Allows customizing element limits.
`media`	`<a>`, `<area>`, `<link>`, `<source>`, `<style>`	NO	Not well-used or supported.
`method`	`<form>`	NO	Allows setting a form’s method.
`min`	`<input>`, `<meter>`	YES	Allows customizing element limits.
`multiple`	`<input>`, `<select>`	YES	Allows multiple values to be selected or inputted.
`muted`	`<audio>`, `<video>`	YES	Configures media player behavior.
`name`	`<button>`, `<form>`, `<fieldset>`, `<iframe>`, `<input>`, `<keygen>`, `<object>`, `<select>`, `<textarea>`, `<map>`, `<meta>`, `<param>`	YES	Names the element.
`novalidate`	`<form>`	NO	Allows setting a form’s validation option.
`open`	`<details>`	NO	Not using details for collapsible elements.
`optimum`	`<meter>`	YES	Allows customizing a meter element.
`pattern`	`<input>`	YES	Requires that an input field match a particular regular expression.
`ping`	`<a>`, `<area>`	NO	Pingbacks are no longer in common use.
`placeholder`	`<input>`, `<textarea>`	YES	Allows setting a field placeholder hint.
`poster`	`<video>`	YES	Configures media player behavior.
`preload`	`<audio>`, `<video>`	YES	Configures media player behavior.
`radiogroup`*	`<command>`	NO	Deprecated attribute.
`readonly`	`<input>`, `<textarea>`	YES	Allows setting a field’s editability.
`referrerpolicy`^†	`<a>`, `<area>`, `<iframe>`, `<img>`, `<link>`, `<script>`	NO	Experimental attribute, restricts referrer.
`rel`	`<a>`, `<area>`, `<link>`	NO	Allows setting referrer and opener policy.
`required`	`<input>`, `<select>`, `<textarea>`	YES	Whether an input element is required or not.
`reversed`	`<ol>`	YES	Cosmetic attribute.
`role`	Global attribute.	YES	ARIA attribute.
`rows`	`<textarea>`	YES	Cosmetic attribute.
`rowspan`	`<td>`, `<th>`	YES	Cosmetic attribute.
`sandbox`	`<iframe>`	NO	Can be used to escape iframe sandboxing.
`scope`	`<th>`	YES	Cosmetic attribute.
`scoped`*	`<style>`	NO	Deprecated attribute.
`selected`	`<option>`	YES	Affects whether an option starts selected.
`shape`	`<a>`, `<area>`	YES	Cosmetic attribute.
`size`	`<input>`, `<select>`	YES	Cosmetic attribute.
`sizes`	`<link>`, `<img>`, `<source>`	YES	Specifies the sizes this element can be.
`slot`	Global attribute.	NO	Further research on web components and slots is needed.
`span`	`<col>`, `<colgroup>`	YES	Cosmetic attribute.
`spellcheck`	Global attribute.	YES	Indicate whether the element should be spellchecked.
`src`	`<audio>`, `<embed>`, `<iframe>`, `<img>`, `<input>`, `<script>`, `<source>`, `<track>`, `<video>`	YES	The source of the media or object being included.
`srcdoc`	`<iframe>`	NO	The `src` attribute should be used instead. Additionally, it could be used to inject arbitrary HTML in an improper context.
`srclang`	`<track>`	YES	Allows setting subtitle language.
`srcset`	`<img>`, `<source>`	YES	Responsive media settings.
`start`	`<ol>`	YES	Cosmetic attribute.
`step`	`<input>`	YES	Cosmetic attribute.
`style`	Global attribute.	YES	Cosmetic attribute.
`summary`*	`<table>`	NO	Deprecated attribute.
`tabindex`	Global attribute.	YES	Allows setting tab order.
`target`	`<a>`, `<area>`, `<base>`, `<form>`	YES	Allows setting an element’s target.
`title`	Global attribute.	YES	Allows setting tooltips.
`translate`	Global attribute.	YES	Assists in localization and translation.
`type`	`<button>`, `<input>`, `<command>`, `<embed>`, `<object>`, `<script>`, `<source>`, `<style>`, `<menu>`	YES	Allows setting the element type.
`usemap`	`<img>`, `<input>`, `<object>`	YES	Allows utilizing image maps.
`value`	`<button>`, `<data>`, `<input>`, `<li>`, `<meter>`, `<option>`, `<progress>`, `<param>`	YES	Default value of the element.
`width`*	`<canvas>`, `<embed>`, `<iframe>`, `<img>`, `<input>`, `<object>`, `<video>`	YES	Cosmetic attribute.
`wrap`	`<textarea>`	YES	Cosmetic attribute.

* Item is deprecated.
^† Item is experimental.

See also: