

Jérémie Astori edited this page Jul 11, 2016 · 4 revisions


Don't enable these options unless you trust every user who can edit the wiki: anything you add to the allowlist below is passed through to every reader's browser exactly as an editor wrote it, so in particular never add `javascript` or `data` to the protocols, or `script`, `style`, `iframe` or `object` to the elements, on a wiki with untrusted editors. A better solution with more security is being tracked in #665.


Gollum uses the Sanitize gem to filter the HTML produced when a page is rendered. It works as an allowlist: only the elements, attributes and URL protocols listed below survive, and everything else is stripped from the output.

Default settings

Allowed HTML tags

a, abbr, acronym, address, area, b, big, blockquote, br, button, caption, center, cite, code, col, colgroup, dd, del, dfn, dir, div, dl, dt, em, fieldset, font, form, h1, h2, h3, h4, h5, h6, hr, i, img, input, ins, kbd, label, legend, li, map, menu, ol, optgroup, option, p, pre, q, s, samp, select, small, span, strike, strong, sub, sup, table, tbody, td, textarea, tfoot, th, thead, tr, tt, u, ul, var

Allowed HTML attributes

  • a: href
  • img: src
  • all allowed elements: abbr, accept, accept-charset, accesskey, action, align, alt, axis, border, cellpadding, cellspacing, char, charoff, class, charset, checked, cite, clear, cols, colspan, color, compact, coords, datetime, dir, disabled, enctype, for, frame, headers, height, hreflang, hspace, id, ismap, label, lang, longdesc, maxlength, media, method, multiple, name, nohref, noshade, nowrap, prompt, readonly, rel, rev, rows, rowspan, rules, scope, selected, shape, size, span, start, summary, tabindex, target, title, type, usemap, valign, value, vspace, width

Allowed URL protocols

  • a href: http, https, mailto, ftp, irc, apt, :relative
  • img src: http, https, :relative
  • form action: http, https, :relative


To customize these settings, edit your config.rb file along the following lines and start gollum with the `--config` option pointing at that file, otherwise the defaults stay in effect:

```ruby
# Start from Gollum's default allowlist and widen it (class name restored from gollum-lib).
sanitizer = Gollum::Sanitization.new
sanitizer.protocols['a']['href'].concat ['ssh', 'vnc']     # Protocols accepted in <a href>
sanitizer.elements.concat ['customtag1', 'customtag2']     # Tags
sanitizer.attributes['a'].push 'target'                    # Attributes, per element
Precious::App.set(:wiki_options, {sanitization: sanitizer})
```
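As an added illustration, not code from Gollum or from the Sanitize gem, the following Ruby models the protocol check that the sanitizer applies to `a href`, `img src` and `form action` against the default table above, then widens the table the way the config.rb snippet does. It shows what `:relative` means (a value with no scheme at all), that the scheme comparison is case-insensitive and ignores leading whitespace, and that an allowlist rejects any scheme it does not know. The function names, the `DEFAULT_PROTOCOLS` copy of the table and the sample links are constructed for this example.

```ruby
# Copy of the default protocol table from this page (constructed for the example).
DEFAULT_PROTOCOLS = {
  'a'    => { 'href'   => ['http', 'https', 'mailto', 'ftp', 'irc', 'apt', :relative] },
  'img'  => { 'src'    => ['http', 'https', :relative] },
  'form' => { 'action' => ['http', 'https', :relative] },
}.freeze

# Scheme extraction modelled on the sanitizer's behaviour: the value is read after
# HTML parsing (entities already decoded), leading whitespace is ignored, and the
# scheme is whatever precedes the first ':' as long as no '/' or '#' comes first.
# Returns nil when the value has no scheme, i.e. it is a relative URL.
def url_scheme(value)
  m = value.to_s.sub(/\A\s+/, '').match(/\A([^\/#]*?):/)
  m && m[1].downcase
end

# True when the attribute value would survive sanitization under +protocols+.
# An element/attribute pair that is not in the table is never a URL attribute here.
def url_allowed?(protocols, element, attribute, value)
  allowed = protocols.dig(element, attribute) or return false
  scheme  = url_scheme(value)
  return allowed.include?(:relative) if scheme.nil?   # no scheme: only :relative permits it
  allowed.include?(scheme)                            # otherwise the scheme itself must be listed
end

# Deep-copy the defaults and widen <a href> the way config.rb does with concat.
def widened_protocols(extra_a_href)
  copy = Marshal.load(Marshal.dump(DEFAULT_PROTOCOLS))
  copy['a']['href'].concat(extra_a_href)
  copy
end

# Constructed sample links, the sort of thing a wiki editor could put in <a href>.
SAMPLE_HREFS = [
  'https://example.org/page',            # allowed by default
  '/wiki/Home',                          # no scheme: allowed via :relative
  'ssh://git@example.org',               # rejected until 'ssh' is added
  'javascript:alert(document.cookie)',   # rejected: not in the table
  ' JaVaScRiPt:alert(1)',                # case and leading whitespace do not help
  "\u0001javascript:alert(1)",           # unknown scheme "\u0001javascript": rejected too
].freeze

# Map each sample href to whether it would be kept under +protocols+.
def audit(protocols, hrefs = SAMPLE_HREFS)
  hrefs.map { |h| [h, url_allowed?(protocols, 'a', 'href', h)] }.to_h
end

if __FILE__ == $0
  {
    'Default table'                     => DEFAULT_PROTOCOLS,
    "After concat ['ssh', 'vnc']"       => widened_protocols(['ssh', 'vnc']),
    "After concat ['javascript'] (XSS)" => widened_protocols(['javascript']),
  }.each do |label, table|
    puts "#{label}:"
    audit(table).each { |h, ok| puts "  #{ok ? 'keep ' : 'strip'} #{h.inspect}" }
  end
end
```

The third table in the demo is the one the warning at the top of this page is about: once `javascript` is in the list, the `javascript:alert(...)` link is kept for every reader, and nothing downstream filters it again.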