
AntiSamy Directives

Sebastián Passaro edited this page Jul 5, 2023 · 7 revisions

This page explains the purpose of the "directives" in AntiSamy policy files. It contains default values for the main example policy file antisamy.xml and for a scenario with no directives (code defaults). Directives supported by AntiSamy .Net may be slightly different.

| Directive | Description | Type | Default policy value | Default code value | Supported in AntiSamy Java? | Supported in AntiSamy .Net? |
|---|---|---|---|---|---|---|
| useXHTML | When this feature is on, AntiSamy will output the sanitized data in XHTML format as opposed to just regular HTML. | boolean | true | false | Yes | Yes |
| omitXMLDeclaration | When "useXHTML" is turned on, AntiSamy will automatically prepend the XML header. Enabling this feature will tell AntiSamy not to do that. | boolean | true | false | Yes | Yes |
| omitDoctypeDeclaration | Enabling this feature will tell AntiSamy not to prepend the `<!DOCTYPE html ...>` initial tag. | boolean | true | false | Yes | Yes |
| formatOutput | When enabled, AntiSamy will automatically format the output according to some basic rules and indentation, similar to "pretty print". | boolean | true | false | Yes | No |
| maxInputSize | This directive specifies the maximum size (in bytes) of user input before it is validated. | integer | 200K | 100K | Yes | Yes |
| embedStyleSheets | When the developer chooses to allow CSS, this directive specifies whether remote stylesheets referenced in the user's input will be pulled down and embedded into the current user input. | boolean | false | false | Yes | Yes |
| maxStyleSheetImports | This feature allows developers to specify how many remote stylesheets can be downloaded from any one input. | integer | 3 | 1 | Yes | Yes |
| connectionTimeout | When "embedStyleSheets" is enabled, this timeout value (in milliseconds) will be used when fetching the offsite resource in question. This should be used to prevent validation threads from blocking when connecting to 3rd-party systems that may purposefully act really, really slowly. | integer | 5K | 1K | Yes | Yes |
| preserveComments | When enabled, AntiSamy will keep HTML comments supplied in the input. | boolean | false | false | Yes | Yes |
| nofollowAnchors | When enabled, AntiSamy will append `rel="nofollow"` attributes to all anchor (`<a>`) tags supplied in the input. This is useful for telling search engines not to associate your site with sites that are under the control of your users. | boolean | true | false | Yes | Yes |
| noopenerAndNoreferrerAnchors | When enabled, AntiSamy will append `rel="noopener noreferrer"` attributes to all anchor (`<a>`) tags supplied in the input, but only if they have the `target="_blank"` attribute. This is useful for preventing reverse tabnabbing attacks. | boolean | false | false | Yes | Yes |
| validateParamAsEmbed | When enabled, AntiSamy will treat attributes of `<embed>` tags in the policy the same as any `<param>` tags nested inside the `<embed>`. This allows users to, according to policy, pass in data in either of those two ways with equal security. This is needed for sites that allow users to supply videos, etc. | boolean | true | false | Yes | Yes |
| preserveSpace | When enabled, this feature is intended to preserve spaces as specified in the input without normalization. Right now it works as implemented by this method. | boolean | false | false | Yes | Yes |
| entityEncodeIntlChars | When enabled, AntiSamy will entity-encode international characters, e.g. ä will be encoded as `&auml;`. | boolean | false | false | Yes | Yes |
| onUnknownTag | Action to perform when AntiSamy encounters an unknown HTML tag. Currently supported value: encode. Default behavior is to filter. | string | | | Yes | Yes |
| allowDynamicAttributes | When enabled, AntiSamy loads attributes from the `<dynamic-tag-attributes>` policy section. An example is "data-" attributes, which share that prefix in their name. | boolean | true | false | Yes | Yes |
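Because a directive that is absent from the policy file silently falls back to its code default (the "Default code value" column), it is easy to ship a policy that never enables `noopenerAndNoreferrerAnchors` or that quietly allows remote stylesheet fetching. The following script is an added example, not part of the AntiSamy project: it parses the `<directives>` section of a policy file, fills in the code defaults from the table above, and flags the settings a reviewer would question. The sample policy embedded in it is constructed, and the "recommended" thresholds are this script's own assumptions.

```python
"""Audit the <directives> of an AntiSamy policy file (added example, not AntiSamy code)."""
import xml.etree.ElementTree as ET

# Code defaults from the directives table: the value AntiSamy uses when the
# directive is missing from the policy. "100K" on the page is taken as 100000 bytes.
CODE_DEFAULTS = {
    "useXHTML": "false", "omitDoctypeDeclaration": "false",
    "formatOutput": "false", "maxInputSize": "100000",
    "embedStyleSheets": "false", "maxStyleSheetImports": "1",
    "connectionTimeout": "1000", "preserveComments": "false",
    "nofollowAnchors": "false", "noopenerAndNoreferrerAnchors": "false",
    "validateParamAsEmbed": "false", "preserveSpace": "false",
    "entityEncodeIntlChars": "false", "allowDynamicAttributes": "false",
}

# Hardening checks (assumed thresholds): (directive, is_risky(value), finding).
CHECKS = [
    ("embedStyleSheets", lambda v: v == "true",
     "sanitizer fetches remote stylesheets referenced in user input"),
    ("noopenerAndNoreferrerAnchors", lambda v: v != "true",
     "target=_blank anchors get no rel=noopener noreferrer (reverse tabnabbing)"),
    ("preserveComments", lambda v: v == "true",
     "HTML comments from user input are kept in the output"),
    ("maxInputSize", lambda v: int(v) > 200000,
     "input size limit exceeds the example policy's 200K"),
]

def effective_directives(policy_xml: str) -> dict:
    """Map directive name -> effective value, using code defaults for gaps."""
    root = ET.fromstring(policy_xml)
    declared = {d.get("name"): d.get("value") for d in root.iter("directive")}
    return {**CODE_DEFAULTS, **declared}

def audit(policy_xml: str) -> list:
    """Return (directive, effective value, finding) for each risky setting."""
    eff = effective_directives(policy_xml)
    return [(name, eff[name], msg) for name, risky, msg in CHECKS if risky(eff[name])]

# Constructed sample: enables stylesheet embedding, raises the size limit, and
# omits noopenerAndNoreferrerAnchors entirely, so its code default "false" applies.
SAMPLE_POLICY = """<anti-samy-rules>
  <directives>
    <directive name="embedStyleSheets" value="true"/>
    <directive name="maxInputSize" value="500000"/>
  </directives>
</anti-samy-rules>"""

if __name__ == "__main__":
    for name, value, msg in audit(SAMPLE_POLICY):
        print(f"{name}={value}: {msg}")
```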