Watcher “watcher.actions.email.html.sanitization” table attributes

alerting

(Santhoshkumar) #1

I construct email alerts in Elasticsearch Watcher using HTML, and I have also configured it to sanitize the following HTML tags in elasticsearch.yml:

watcher.actions.email.html.sanitization:
  allow: _tables, _blocks, _formatting, _links, _styles

But in my alerts, I see the table is constructed, but the table attributes were not considered while constructing the table. For example, the border, cellpadding and colspan were never applied to my table. A table example is given below:

<table border='1' cellpadding='5' style='font-family:sans-serif;font-size:13px'><thead><tr><th>Type</th><th colspan='5'>Version</th></tr></thead><tbody> etc.

I can still achieve it by completely disabling the HTML sanitization like below, but it was not recommended as it involved security risks.

watcher.actions.email.html.sanitization.enabled: false

I have even tried to use allow: _tables:all, but it didn't work and it doesn't seem to be the right thing.

Is there a way to achieve it by enabling only a few tags along with their attributes?


(Alexander Reelsen) #2

Hey,

right now border and cellpadding attributes are always dropped. You can get the style attribute working by allowing _styles in the sanitizer config.

Will check if it makes sense to open up more attributes here.

--Alex


(Santhoshkumar) #3

Yes, the style attribute works. Is the colspan attribute dropped for tables too?

Is there any documentation that says what attributes are considered and what not for HTML tags?


(Alexander Reelsen) #4

Hey,

right now colspan is dropped. I allowed it manually for the next release (together with rowspan and border for td/tr), however we will come up with a more generic solution in the future, so you can configure this yourself.

Our current idea is to allow the user to configure the tags and the allowed attributes for such a tag like a:href|class|id or a:_all - would that make sense and work for you?

--Alex
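
An added illustration of the per-tag attribute allow list idea from post #4 (a:href|class|id, a:_all), not Watcher's implementation or code from this thread. The function names, the rule that on* handlers are dropped even under _all, and the URL scheme check are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
SAFE_SCHEMES = ("http:", "https:", "mailto:")  # assumption: schemes kept in href/src

def parse_allow(spec):  # 'table:border|style, tr, a:_all' -> {tag: {attr, ...}}
    rules = {}
    for entry in spec.split(","):
        tag, _, attrs = entry.strip().partition(":")
        if tag:
            rules[tag.lower()] = {a.strip().lower() for a in attrs.split("|") if a.strip()}
    return rules

class AllowListSanitizer(HTMLParser):
    def __init__(self, rules):
        super().__init__(convert_charrefs=True)
        self.rules, self.out, self.dropped = rules, [], []

    def handle_starttag(self, tag, attrs):
        allowed = self.rules.get(tag)
        if allowed is None:              # unlisted tag: dropped, its text stays as escaped text
            self.dropped.append(tag)
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            listed = "_all" in allowed or name in allowed
            bad_url = name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES)
            if not listed or name.startswith("on") or bad_url:  # on* never passes, even with _all
                self.dropped.append(f"{tag}@{name}")
            else:
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.rules:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html, spec):
    s = AllowListSanitizer(parse_allow(spec))
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped   # (sanitized HTML, list of what was removed)

# Constructed sample modelled on the table in post #1, with an onclick attribute added.
SAMPLE = "<table border='1' cellpadding='5'><tr><th colspan='5' onclick='x()'>Version</th></tr></table>"
SPEC = "table:border|style, tr, th:colspan|rowspan"
```

Calling sanitize(SAMPLE, SPEC) returns the cleaned markup together with a list of dropped tags and attributes, which is the kind of feedback post #6 asks the documentation to provide.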


(Santhoshkumar) #5

Yeah sure. It does make sense. Thanks for opening up more options.


(Santhoshkumar) #6

And also it would be helpful for new users if the documentation is updated saying which attributes are dropped for which tags.


(Santhoshkumar) #7

@spinscale Looks like <th> of <table> also won't render in watch alerts. Is this dropped too?


(Alexander Reelsen) #8

Hey,

th is supported. Can you provide an example, what is not working?

--Alex

