K13 CMSHtmlSanitizerAllowedAttributes wildcards working for some attributes but not uc-.*

Rory Aherne asked on March 12, 2026 14:02

Hi,

I have the following wildcards in my CMSHtmlSanitizerAllowedAttributes:

data-*
aria-*
uc-*

The first 2 work but the uc-* one still gets stripped. As a sanity test I took out the data-* which no longer worked so I could see my changes were being applied.

I also tried a non wildcard uc tag like uc-data and that didn't get stripped.

Is there something about uc tags related to kentico tracking that's overriding this?

I have nothing about allowed attributes in my froala config.js

I'm on the latest hotfix (v13.0.201)

Thanks,

Rory

Correct Answer

Laura Frese answered on March 27, 2026 19:58

The underlying library often does not support wildcards for custom prefixes. While data-* is hardcoded to work because it's a web standard, uc-* often fails silently

You will need to explicitly list every uc- attribute

Work around: add data- before uc. For example "data-uc-id"

Bad tip: CMSHtmlSanitizerAllowedAttributes value="*" , should allow UC to work but will open you up to attack so don't do that.

More complex: you can create a custom module that runs OnInit to override the default HtmlSanitizer HtmlSanitizer.DefaultAllowedAttributes.Add("uc-*")

1 votesVote for this answer Unmark Correct answer