The Movable Type User Manual

NOTE: This documentation is for Movable Type 3.2. If you are using a newer version, please see the documentation for Movable Type 3.3x or Movable Type Enterprise.


Chapter D: Configuration Directives

GlobalSanitizeSpec

Movable Type has a sanitize function that is automatically run against all comments and TrackBacks submitted to your blog and also any content produced by a template tag with the sanitize attribute defined (see Global Filters for more details).

This is done to remove any code (HTML or otherwise) that could compromise the security of your site. The function works by allowing only the HTML tags defined by this setting. Any other tags, and all processing instructions (PHP or JavaScript, for example), are stripped.

By default, Sanitize is turned on automatically for the following tags:

  • MTCommentAuthor
  • MTCommentEmail
  • MTCommentURL
  • MTCommentBody
  • MTPingTitle
  • MTPingURL
  • MTPingBlogName
  • MTPingExcerpt

If you want to turn off sanitize for one of these tags, you can use the sanitize attribute:

<MTPingTitle sanitize="0">

In addition, the sanitization process adds closing tags for any tags left open in the sanitized text. For example, if a visitor to your site opens a <b> tag and forgets to close it, the sanitize process will add a </b> tag in the most appropriate place it can find.

This configuration setting defines the default choice for all weblogs. It can be overridden on a per-weblog basis through use of the "Limit HTML tags" option on the weblog's General setting page. More discussion about the sanitize function can be found in the article entitled "Limiting HTML in Comments".

Default value:

a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre

Example:

GlobalSanitizeSpec blockquote,div

Syntax:

The sanitize spec consists of HTML tag names separated by commas. For each tag, you must also list any attributes that you wish to allow, separated by spaces. Some examples:

This will allow a tags with the href attribute and b tags:

a href,b

This will allow p tags and br tags:

p,br/

Note the / in the br/ tag in this example. That is necessary because of the tag-closing feature mentioned above: if the parser sees only an opening <br> tag, it will think that it needs to close this tag at the end of the sanitized text. Adding the / after the tag name tells the parser that this tag does not need a closing tag.

Note that you must specify any allowed attributes for the tag, unless you want all of the attributes to be stripped. For example, if you allow the a tag, you would also want to allow the href attribute for that tag, or the following HTML:

<a href="http://www.example.com/">

would be turned into this:

<a>

which probably isn't what you want.

If you wish to allow a certain attribute for any HTML tag in which it might appear, use a * as the tag name, followed by the list of attributes. For example:

br/,p,blockquote,* style

This will allow any of the following:

<br style="..." />
<p style="...">
<blockquote style="...">

Note that you must still explicitly list any tags that you want included; the * entry only adds the listed attributes to the tags you have already allowed.
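As an added illustration of the spec syntax and the tag-closing rule described above, here is a small Python parser for the spec format together with a sanitizer that applies it; this is example code written for this page, not Movable Type's own (Perl) sanitizer, and the names parse_spec, SpecSanitizer and sanitize are assumptions.

```python
import html
from html.parser import HTMLParser

def parse_spec(spec):
    """Parse a sanitize spec into (tag -> allowed attrs, void tags, attrs allowed on any tag)."""
    allowed, void, any_attrs = {}, set(), set()
    for entry in spec.lower().split(","):
        parts = entry.split()
        if not parts:
            continue
        tag, attrs = parts[0].rstrip("/"), set(parts[1:])
        if parts[0] == "*":
            any_attrs |= attrs              # "* style": attribute allowed on every listed tag
        else:
            allowed[tag] = attrs
            if parts[0].endswith("/"):      # "br/": no closing tag is expected
                void.add(tag)
    return allowed, void, any_attrs

class SpecSanitizer(HTMLParser):
    """Keeps only listed tags/attributes, re-escapes text, drops comments and <?php ?> blocks."""
    def __init__(self, spec):
        super().__init__(convert_charrefs=True)
        self.allowed, self.void, self.any_attrs = parse_spec(spec)
        self.out, self.open_tags = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:         # unlisted tag is dropped, its text content is kept
            return
        keep = self.allowed[tag] | self.any_attrs
        attr_text = "".join(f' {k}="{html.escape(v or "")}"' for k, v in attrs if k in keep)
        if tag in self.void:
            self.out.append(f"<{tag}{attr_text} />")
        else:
            self.out.append(f"<{tag}{attr_text}>")
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in self.open_tags:           # also closes anything left open inside it
            idx = len(self.open_tags) - 1 - self.open_tags[::-1].index(tag)
            self.out.extend(f"</{t}>" for t in reversed(self.open_tags[idx:]))
            del self.open_tags[idx:]
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(text, spec):
    """Apply a GlobalSanitizeSpec-style spec to untrusted HTML and auto-close open tags."""
    p = SpecSanitizer(spec)
    p.feed(text)
    p.close()
    return "".join(p.out + [f"</{t}>" for t in reversed(p.open_tags)])
```

The spec only decides which tags and attribute names survive; an allowed attribute's value (an href, for example) is passed through unchanged, which is one reason to keep the allowed list short.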
