Embedding A Video

There may be situations where you would like to embed external media such as videos or other web-based html into your forms. This type of embedding can expose your forms to XSS vulnerabilities within your application.

To safely embed HTML, apply the Form.io Santize Config within your application settings. This code is a security mechanism that removes unsafe and potentially malicious content from raw HTML strings before presenting them to the end-user. Below is an example of applying the Sanitize Configuration to an embedded form within the application code. The video embed URL was applied to the Content component on the form level.

    window.onload = function() {
          sanitizeConfig: {
          allowedAttrs: ['ref', 'src', 'url', 'data-oembed-url'],
          allowedTags: ['iframe', 'oembed'],
          addTags: ['iframe', 'oembed'],
          addAttr: ['url', 'data-oembed-url']

Form.io utilizes the DOMPurify library to generate the sanitized configurations, please follow the link for more details.

Since the configuration is applied to the application code, the HTML will not render within the Form.io project, but will successfully display within the application for the end user.

Last updated