This document lists the HTML codes that are permissible in Canvas. When creating custom HTML coding in Canvas, certain HTML codes do not work upon saving. This is because Canvas only supports certain HTML elements for security reasons. This also applies to content copied and pasted from an external source.
Allowed HTML Tags
- abbr
- acronym
- address
- area
- article
- aside
- audio
- b
- bdo
- big
- blockquote
- br
- caption
- cite
- code
- col
- colgroup
- dd
- del
- details
| - dfn
- div
- dl
- dt
- em
- embed
- figure
- figcaption
- footer
- h1
- h2
- h3
- h4
- h5
- h6
- header
- hr
- i
- img
- ins iframe
| - kbd
- legend
- li
- map
- mark
- nav
- object
- ol
- p
- param
- picture
- pre
- q
- ruby
- rp
- rt
- samp
- section
- small
- span
| - strike strong
- sub
- summary
- sup
- table
- tbody
- td
- tfoot
- th
- thead
- time
- tr
- track
- tt
- u
- ul
- var
- video
|
MathML tags
- annotation-xml
- maction
- maligngroup
- malignmark
- math
- menclose
- merror
- mfenced
- mfrac
- mglyph
- mi
- mlabeledtr
- mlongdiv
- mmultiscripts
- mn
- mo
- mover
- mpadded
- mphantom
- mprescripts
- mroot
- mrow
| - ms
- mscarries
- mscarry
- msgroup
- msline
- mspace
- msqrt
- msrow
- mstack
- mstyle
- msub
- msubsup
- msup
- mtable
- mtd
- mtext
- mtr
- munder
- munderover
- none
- semantics
- mark
|
Note: The annotation-xml element is allowed but only with non-HTML encodings. When its encoding attribute is text/html or application/xhtml+xml, the entire element is replaced with an empty text node.
Allowed Attributes on HTML Elements
all elements allow style, class, id, title, role, lang, dir, aria
Element | Allowed Attribute(s) |
|---|
a | href, target, name |
abbr | title |
area | alt, coords, href, shape, target |
audio | name, src, muted, controls, track |
blockquote | cite |
col | span, width |
colgroup | span, width |
embed | allowfullscreen, allowscriptaccess, height, name, pluginspage, src, type, width, wmode |
font | deprecated: do not use in new content face, color, size |
img | align, alt, height, src, title, usemap, width |
iframe | src, width, height, name, align, allowfullscreen, frameborder, scrolling, sandbox, loading, allow |
map | name |
object | classid, codebase, data, height, type, width |
ol | start, type |
param | name, value |
q | cite |
source | height, media, sizes, src, srcset, type, width |
table | summary, width, border, cellpadding, cellspacing, center, frame, rules |
tr | align, valign, dir |
td | abbr, axis, colspan, rowspan, width, align, valign, dir |
th | abbr, axis, colspan, rowspan, width, align, valign, dir, scope |
ul | type |
video | name, src, allowfullscreen, muted, poster, width, height, controls, playsinline, track |
Note: The following data attributes are stripped:
- data-url
- data-method
- data-remove
- data-remote
- data-confirm
- data-disable-with
Arbitrary other data-* attributes (e.g. data-my-custom-field) are allowed.
Allowed protocols for some elements
ftp, http, https, mailto, tel
http, https
- blockquote cite
- img src
- q cite
- object data
- embed src
- iframe src
- style any
Allowed style properties
- background
- border
- border-radius
- box
- clear
- color
- cursor
- direction
- display
- flex
- float
- font
- grid
| - height
- layout
- list-style
- margin
- max-height
- max-width
- min-height
- min-width
- overflow
- overflow-x
- overflow-y
- padding
- position
| - right
- text-align
- table-layout
- text-decoration
- text-indent
- top
- vertical-align
- visibility
- white-space
- width
- z-index
- zoom
|
The position property is allowed only with the values static, relative, absolute, and the CSS keyword resets (initial, inherent, unset, revert, revert-layer). The values fixed and sticky are silently removed for security reasons (they allow content to overlay Canvas UI).
This resource can also be accessed from the following Canvas Guides: