I am trying to add an HTML attribute in the SanitizeHTML: "dir=rtl" but it keeps getting ignored by the browser.


If I add it directly in the inspector it works great, and if I change other attributes such as bg I can also see the change, but the dir is never shown in the inspector. Am I missing something? I know the dir attribute has some limitations in HTML4, but I am working on HTML5, so what's the deal?

Solution

Hi Jt,

I think you just need to call sanitizeHtml on the injected variables; in your case, sanitizeHtml(BodyText1), sanitizeHtml(BodyText2) and sanitizeHtml(BodyText3).

I also recommend using double ("") rather than single ('') quotation marks around attribute values.


Best regards,

Diogo Gomes


Hello Diogo, thank you for the reply.

This is the code I am currently using:


SanitizeHtml("<table width='100%' dir='rtl' align='center' cellspacing='0' cellpadding='0' style=' border-collapse: collapse; border-radius:0px 0px 6px 6px; background-color: rgb(255,255,255); box-shadow: 0 2px 10px 0 rgba(0, 0, 0, 0.04);'>
    <tbody>
        <tr>
            <td align='left' id='bodyContent' valign='top' style='padding-bottom: 32px; width:751px;'>

                <p class='EmailContainer' style='margin: 0px; padding: 0px; text-align: center; letter-spacing: normal; font-size: 14px;'>"+BodyText1+"</p>
                </br>" + "
                <p class='EmailContainer' style='margin: 0px; padding: 0px; text-align: center; letter-spacing: normal; font-size: 14px;'>"+BodyText2+"</p>
                </br>" + "
                <p class='EmailContainer' style='margin: 0px; padding: 0px; text-align: center; letter-spacing: normal;  font-size: 14px;'>"+BodyText3+"</p>

            </td>
        </tr>
    </tbody>
</table>")


So what you are saying is, I only need SanitizeHtml for the variables instead of the whole HTML? I can give that a try, but that still doesn't explain why dir is left behind...

Hi JT,


The sanitize does not allow injection because it replaces some characters with others. You can see what it does to your code if you assign it to a text variable and then sanitize that text.


Best Regards,

Diogo Gomes

So I got it working by removing the SanitizeHtml; however, I cannot find a way to sanitize the variables inside the HTML code. But to be honest, I don't think it is necessary in this particular case.
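An added illustration of the two patterns discussed in this thread (not code from the thread or from OutSystems): a toy allowlist sanitizer in Python, run once over the whole template and once over the three variables only. The allowlist, the shortened template and the function names are assumptions made for this sketch, and the allowlist is not the policy SanitizeHtml applies.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this sketch; NOT the policy SanitizeHtml applies.
ALLOWED = {"table": {"width", "align", "style"}, "tbody": set(), "tr": set(),
           "td": {"align", "style"}, "p": {"style"}, "b": set(), "br": set()}
VOID = {"br"}                    # tags that take no closing tag
DROP_BODY = {"script", "style"}  # tags whose text content is discarded too

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], False
    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            self.skip = True
        if tag not in ALLOWED:
            return  # unknown tag: dropped with all of its attributes
        kept = [(k, v or "") for k, v in attrs if k in ALLOWED[tag]]
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
    def handle_endtag(self, tag):
        if tag in DROP_BODY:
            self.skip = False
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Trusted markup written by the developer (shortened from the thread's table).
TEMPLATE = ('<table width="100%" dir="rtl" align="center"><tbody><tr><td align="left">'
            '<p style="text-align: center;">{0}</p><br>'
            '<p style="text-align: center;">{1}</p><br>'
            '<p style="text-align: center;">{2}</p></td></tr></tbody></table>')

def sanitize_whole(b1, b2, b3):
    # Pattern from the question: template and variables are sanitized together.
    return sanitize(TEMPLATE.format(b1, b2, b3))

def sanitize_variables(b1, b2, b3):
    # Pattern from the answer: only the untrusted values are sanitized.
    return TEMPLATE.format(*(sanitize(b) for b in (b1, b2, b3)))
```

With this constructed policy, sanitize_whole drops dir because the attribute is not on the allowlist, while sanitize_variables leaves the developer's markup untouched and still strips disallowed tags from the variable content.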