Merge pull request #7216 from umbraco/cms/client-side-sanitization-clarification

eshanrnh · web-flow · commit 7622606bc166 · 2025-07-04T14:15:37.000+02:00
Further detail on client-side validation in TinyMCE
diff --git a/13/umbraco-cms/reference/security/serverside-sanitizing.md b/13/umbraco-cms/reference/security/serverside-sanitizing.md
@@ -4,7 +4,9 @@ description: This section describes how to sanitize the Rich Text Editor servers
 
 # Sanitizing the Rich Text Editor
 
-The Rich Text Editor is sanitized on the frontend by default, however, you may want to do this serverside as well. The libraries that are out there tend to have strict dependencies. That is why we will leave it up to you how you want to sanitize the HTML.
+With default Umbraco settings, the Rich Text Editor is partially sanitized on the frontend.  However, server-side sanitization may also be desired, and an extension point is available for this purpose.
+
+Libraries for this are available but tend to have strict dependencies that make them unsuitable for shipping with Umbraco. Clients will also have different requirements for how strict they want the sanitization to be.  For these reasons, it's left to the implementer to determine how HTML should be sanitized.
 
 ## Implementing your own IHtmlSanitizer
 
@@ -88,3 +90,7 @@ public class SanitizerComposer : IComposer
 ```
 
 With your custom sanitizer in place the Rich Text Editor will always contain the "Sanitized HTML" heading. This shows that everything is working as expected, and that whatever your sanitizer returns is what will be saved.
+
+## Client side validation
+
+As mentioned, when using TinyMCE as the rich text editor, there is client-side sanitization available.  You can tighten this up further by removing elements and attributes you don't need from the [list of allowed elements](https://docs.umbraco.com/umbraco-cms/13.latest/reference/configuration/richtexteditorsettings#valid-elements).
diff --git a/15/umbraco-cms/reference/security/serverside-sanitizing.md b/15/umbraco-cms/reference/security/serverside-sanitizing.md
@@ -4,7 +4,9 @@ description: This section describes how to sanitize the Rich Text Editor servers
 
 # Sanitizing the Rich Text Editor
 
-The Rich Text Editor is sanitized on the frontend by default, however, you may want to do this serverside as well. The libraries that are out there tend to have strict dependencies. That is why we will leave it up to you how you want to sanitize the HTML.
+With default Umbraco settings, the Rich Text Editor is partially sanitized on the frontend.  However, server-side sanitization may also be desired, and an extension point is available for this purpose.
+
+Libraries for this are available but tend to have strict dependencies that make them unsuitable for shipping with Umbraco. Clients will also have different requirements for how strict they want the sanitization to be.  For these reasons, it's left to the implementer to determine how HTML should be sanitized.
 
 ## Implementing your own IHtmlSanitizer
 
@@ -88,3 +90,7 @@ public class SanitizerComposer : IComposer
 ```
 
 With your custom sanitizer in place the Rich Text Editor will always contain the "Sanitized HTML" heading. This shows that everything is working as expected, and that whatever your sanitizer returns is what will be saved.
+
+## Client side validation
+
+As mentioned, when using TinyMCE as the rich text editor, there is client-side sanitization available.  You can tighten this up further by removing elements and attributes you don't need from the [list of allowed elements](https://docs.umbraco.com/umbraco-cms/13.latest/reference/configuration/richtexteditorsettings#valid-elements).
