Allowed Attributes in Wikitext

Wikidot has an arbitrary and inconsistent limit of which attributes are passed from blocks into HTML tags. It’s usually id, class, style, and possibly other attributes when Wikidot developers remembered.

However we shouldn’t just all all attributes through, as they could run trusted scripts or expose other security issues.

Instead we have a premade list of which attributes are permitted and which are not:

Attribute Name	Affected HTML Elements	Allowed?	Rationale

Attribute Name	Affected HTML Elements	Allowed?	Rationale
`accept`	`<form>`, `<input>`	YES	Affects the behavior of a file picker.
`accept-charset`	`<form>`	NO	The character set should be set at the platform level.
`accesskey`	Global attribute	NO	Could be used to hijack user focus.
`action`	`<form>`	NO	Allows submitting a form to an arbitrary destination.
`align`	`<applet>`, `<caption>`, `<col>`, `<colgroup>`, `<hr>`, `<iframe>`, `<img>`, `<table>`, `<tbody>`, `<td>`, `<tfoot>`, `<th>`, `<thead>`, `<tr>`	YES	Cosmetic attribute.
`allow`	`<iframe>`	NO	Can permit the child iframe to have access to browser resources like the microphone.
`alt`	`<applet>`, `<area>`, `<img>`, `<input>`	YES	Alt text is important for accessibility.
`aria-*`	Global attribute	YES	Permits users to add ARIA attributes to enhance accessibility.
`async`	`<script>`	NO	Only affects scripts, which users cannot load.
`autocapitalize`	Global attribute	YES	Affects capitalization in input fields.
`autocomplete`	`<form>`, `<input>`, `<select>`, `<textarea>`	NO	Could be used to steal credentials by mimicking username or password fields.
`autofocus`	`<form>`, `<input>`, `<select>`, `<textarea>`	NO	Could be used to hijack user focus.
`autoplay`	`<audio>`, `<video>`	YES	Users can configure their browsers to block this, and it can be used to narrative effect.
`background`*	`<body>`, `<table>`, `<td>`, `<th>`	YES	Cosmetic attribute.
`bgcolor`*	`<body>`, `<col>`, `<colgroup>`, `<marquee>`, `<table>`, `<tbody>`, `<tfoot>`, `<td>`, `<th>`, `<tr>`	YES	Cosmetic attribute.
`border`*	`<img>`, `<object>`, `<table>`	YES	Cosmetic attribute.
`buffered`	`<audio>`, `<video>`	YES	Optimizing media buffering.
`capture`	`<input>`	NO	Allows media capture resources (e.g. camera) to be accessed.
`challenge`*	`<keygen>`	NO	Deprecated and involves a security mechanism.
`charset`	`<meta>`, `<script>`	NO	The character set should be set at the platform level.
`checked`	`<command>`, `<input>`	YES	Affects whether an input starts with a truthy value.
`cite`	`<blockquote>`, `<del>`, `<ins>`, `<q>`	YES	Allows citing the origin of contained elements.
`class`	Global attribute.	YES	Cosmetic attribute.
`code`	`<applet>`	NO	Applets are not permitted.
`codebase`	`<applet>`	NO	Applets are not permitted.
`color`*	`<basefont>`, `<font>`, `<hr>`	NO	Only permitted on `<hr>`, likely source of user error (e.g. adding it to `[[span]]`).
`cols`	`<textarea>`	YES	Cosmetic attribute.
`colspan`	`<td>`, `<th>`	YES	Cosmetic attribute.
`content`	`<meta>`	NO	Meta attributes are set at the site level.
`contenteditable`	Global attribute.	YES	Allows changing intractability of static elements.
`contextmenu`^†	Global attribute.	NO	Experimental attribute.
`controls`	`<audio>`, `<video>`	YES	Allows exposing media controls.
`coords`	`<area>`	YES	Cosmetic attribute.
`crossorigin`	`<audio>`, `<img>`, `<link>`, `<script>`, `<video>`	NO	Affecting cross-origin settings is a possible security issue.
`csp`^†	`<iframe>`	NO	Experimental attribute.
`data-*`	Global attribute.	YES	Allows users to add data tags to their DOM elements.
`datetime`	`<del>`, `<ins>`, `<time>`	YES	Useful metadata.
`decoding`	`<ins>`	YES	Allows optimizing page rendering.
`default`	`<track>`	YES	Configures media player behavior.
`defer`	`<script>`	NO	Only affects scripts, which users cannot load.
`dir`	Global attribute.	YES	Allows setting text direction for cosmetics and internationalization.
`dirname`	`<input>`, `<textarea>`	YES	Input field customization.
`disabled`	`<button>`, `<command>`, `<fieldset>`, `<input>`, `<keygen>`, `<optgroup>`, `<option>`, `<select>`, `<textarea>`	YES	Affects field interactivity.
`download`	`<a>`, `<area>`	YES	Allows links to force a download.
`draggable`	Global attribute.	YES	Allows making elements as draggable.
`enctype`	`<form>`	NO	Forms are not allowed to `POST` remotely.
`enterkey-hint`^†	`<textarea>`, `contenteditable`	NO	Experimental attribute.
`for`	`<label>`, `<output>`	YES	Allows parenting elements.
`form`	`<button>`, `<fieldset>`, `<input>`, `<keygen>`, `<label>`, `<meter>`, `<object>`, `<output>`, `<progress>`, `<select>`, `<textarea>`	YES	Allows constructing forms.
`formaction`	`<button>`, `<input>`	NO	Allows setting a form’s action.
`formenctype`	`<button>`, `<input>`	NO	Allows setting a form’s content type.
`formmethod`	`<button>`, `<input>`	NO	Allows setting a form’s method type.
`formnovalidate`	`<button>`, `<input>`	NO	Allows setting a form’s validation type.
`formtarget`	`<button>`, `<input>`	NO	Allows setting a form’s target.
`frameborder`	`<iframe>`	YES	Deprecated. However, it is widely used on Wikidot and is safe to permit users to set.
`headers`	`<td>`, `<th>`	YES	Customizing the IDs of table elements.
`height`*	`<canvas>`, `<embed>`, `<iframe>`, `<img>`, `<input>`, `<object>`, `<video>`	YES	Cosmetic attribute.
`hidden`	Global attribute.	YES	Cosmetic attribute.
`high`	`<meter>`	YES	Allows customizing a meter element.
`href`	`<a>`, `<area>`, `<base>`, `<link>`