HTML Support
QA Sphere provides rich text formatting capabilities for certain fields in the API through HTML support. The API automatically sanitizes HTML content in requests to ensure security while preserving formatting capabilities. This sanitization process:
- Allows a carefully curated subset of HTML elements and attributes
- Removes any unsupported HTML tags, attributes, JavaScript, and other potentially malicious content
- Preserves safe formatting and structure for rich text content
Supported HTML Elements
The following HTML elements are supported and will be preserved during sanitization:
Text Formatting
- <strong> - Bold text
- <em> - Italic text
- <u> - Underlined text
- <s> - Strikethrough text
- <code> - Inline code formatting
Headings
- <h1> through <h6> - All heading levels
Structure and Layout
- <p> - Paragraphs
- <br> - Line breaks
- <hr> - Horizontal rules
- <blockquote> - Block quotes
- <pre> - Preformatted text
Lists
- <ul> - Unordered lists
- <ol> - Ordered lists
- <li> - List items
Links and Media
- <a> - Hyperlinks
- <img> - Images
- <video> - Video elements
Tables
- <table> - Table container
- <tbody> - Table body
- <tr> - Table rows
- <th> - Table headers
- <td> - Table cells
- <col> - Table columns
- <colgroup> - Column groups
Supported Attributes
Only specific attributes are allowed on certain elements:
Links (<a>)
- href - Link destination (parsable http/https URLs only)
- target - Link target (security attributes are automatically added)
- rel - Link relationship (nofollow is automatically added for security)
Images and Videos (<img>, <video>)
- src - Media source URL (http/https URLs only)
- width - Element width
Tables (<th>, <td>)
- colspan - Column span
- rowspan - Row span
Tables (<table>, <col>)
- style - Limited to the min-width property only
Fields That Support HTML
The following API request fields accept HTML content and are automatically sanitized:
- Create Result: Result comment
- Create Run: Run description
- Clone Run: Run description
- Update Test Case: Test case comment field, and the description/expected fields of individual steps
Examples
Basic Text Formatting
<p>
This test case requires <strong>careful attention</strong> to the
<em>user interface</em> elements.
</p>
Lists and Structure
<p>Test prerequisites:</p>
<ol>
<li>User must be <strong>logged in</strong></li>
<li>Account must have <em>admin privileges</em></li>
<li>Database must be in <code>test mode</code></li>
</ol>
Links and References
<p>
For more information, see the
<a href="https://example.com/docs" target="_blank">API documentation</a>.
</p>
Tables
<table style="min-width: 300px">
<tbody>
<tr>
<th colspan="2">Test Results Summary</th>
</tr>
<tr>
<td><strong>Passed</strong></td>
<td>25</td>
</tr>
<tr>
<td><strong>Failed</strong></td>
<td>3</td>
</tr>
</tbody>
</table>
Removed Content
<!-- Input -->
<p onclick="alert('xss')">paragraph with click handler</p>
<!-- click handler is removed -->
<script>
alert('malicious')
</script>
<!-- script tag is not allowed -->
<div>normal div</div>
<!-- div tag is not allowed -->
<p class="bold">paragraph with class</p>
<!-- class attribute is not allowed -->
<!-- Output (sanitized) -->
<p>paragraph with click handler</p>
normal div
<p>paragraph with class</p>
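To see the Supported Attributes rules and the Removed Content example above play out locally, here is an allowlist sanitizer written for this page as an added illustration. It is not QA Sphere's code and is not guaranteed to match the service byte for byte; it reproduces the documented rules using only Python's standard library html.parser. The page says rel=nofollow is always added and that "security attributes" are added when target is present; the exact tokens added for target are not specified, so the noopener/noreferrer choice below is an assumption.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements listed under "Supported HTML Elements".
ALLOWED_TAGS = {
    "strong", "em", "u", "s", "code",
    "h1", "h2", "h3", "h4", "h5", "h6",
    "p", "br", "hr", "blockquote", "pre",
    "ul", "ol", "li",
    "a", "img", "video",
    "table", "tbody", "tr", "th", "td", "col", "colgroup",
}
# Per-element attribute allowlist from "Supported Attributes"; any attribute
# on any other element (class, id, onclick, ...) is dropped.
ALLOWED_ATTRS = {
    "a": {"href", "target", "rel"},
    "img": {"src", "width"},
    "video": {"src", "width"},
    "th": {"colspan", "rowspan"},
    "td": {"colspan", "rowspan"},
    "table": {"style"},
    "col": {"style"},
}
VOID_TAGS = {"br", "hr", "img", "col"}   # never emit a closing tag for these


def safe_url(value):
    """Return the URL if it parses with an http/https scheme, else None."""
    try:
        parsed = urlparse(value.strip())
    except ValueError:
        return None
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return value.strip()
    return None   # javascript:, data:, vbscript:, relative paths all fail


def filter_attrs(tag, attrs):
    """Apply the allowlist and the documented rewrites to one element's attributes."""
    kept = {}
    for name, value in attrs:
        if name not in ALLOWED_ATTRS.get(tag, ()):
            continue
        value = value or ""
        if name in ("href", "src"):
            value = safe_url(value)
            if value is None:
                continue
        if name == "style":
            # style survives only as its min-width declaration(s)
            decls = [d.strip() for d in value.split(";") if d.strip()]
            decls = [d for d in decls
                     if d.split(":", 1)[0].strip().lower() == "min-width"]
            if not decls:
                continue
            value = "; ".join(decls)
        kept[name] = value
    if tag == "a":
        # nofollow is always added (documented); the tokens added alongside
        # target are not specified, so noopener/noreferrer is an assumption.
        rel = set(kept.get("rel", "").split()) | {"nofollow"}
        if "target" in kept:
            rel |= {"noopener", "noreferrer"}
        kept["rel"] = " ".join(sorted(rel))
    return kept


class Sanitizer(HTMLParser):
    """Re-emit only allowed markup; unsupported tags vanish but their text stays."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.in_script = 0   # inside <script>/<style>: the text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.in_script += 1
        elif tag in ALLOWED_TAGS and not self.in_script:
            attr_text = "".join(f' {k}="{escape(v)}"'
                                for k, v in filter_attrs(tag, attrs).items())
            self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.in_script = max(0, self.in_script - 1)
        elif tag in ALLOWED_TAGS - VOID_TAGS and not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass   # comments are never passed through


def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed input mirroring the page's "Removed Content" example.
    print(sanitize('<p onclick="alert(\'xss\')">paragraph with click handler</p>'
                   '<script>alert("malicious")</script>'
                   '<div>normal div</div><p class="bold">paragraph with class</p>'))
```

Feeding the Removed Content input through sanitize() yields the same shape as the page's sanitized output: the onclick and class attributes disappear, the script element and its body are gone entirely, and the div is reduced to its text. A javascript: href is dropped while the anchor itself stays, and a style of "color:red; min-width: 300px" on a table is cut down to the min-width declaration.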
Malformed HTML Behavior
When HTML content is malformed (such as missing opening/closing tags or unmatched quotes), the sanitization process may produce unexpected results:
- Missing closing tags: Content may be restructured or truncated
- Unmatched quotes: Attributes may be removed entirely
- Invalid nesting: Elements may be reordered or removed
- Unknown elements: Completely stripped from output
Always validate your HTML structure before sending it to the API to ensure predictable results.
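A client-side structure check of the kind the last sentence recommends, added here as an illustration (standard library only, not a QA Sphere validator). It tracks open elements on a stack and reports the problems the list above warns about: closing tags with no opener, elements left open when an outer element closes, and elements never closed at all. It also flags attributes written without a value. It does not try to detect unterminated quotes, because how a tag with an unbalanced quote is tokenised differs between parsers, so that case is better caught by generating markup rather than hand-writing it.

```python
from html.parser import HTMLParser

# Supported elements that never take a closing tag.
VOID_TAGS = {"br", "hr", "img", "col"}


class StructureChecker(HTMLParser):
    """Track open elements on a stack and record every mismatch as a message."""

    def __init__(self):
        super().__init__()
        self.stack = []     # open (tag, line) pairs, innermost last
        self.issues = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        for name, value in attrs:
            if value is None:
                self.issues.append(f"line {line}: attribute '{name}' on <{tag}> has no value")
        if tag not in VOID_TAGS:
            self.stack.append((tag, line))

    def handle_startendtag(self, tag, attrs):
        # <tag/> syntax: opened and immediately closed
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.stack.pop()

    def handle_endtag(self, tag):
        line, _ = self.getpos()
        if tag in VOID_TAGS:
            self.issues.append(f"line {line}: </{tag}> closes a void element")
            return
        if not self.stack:
            self.issues.append(f"line {line}: </{tag}> has no matching opening tag")
            return
        open_tag, open_line = self.stack[-1]
        if open_tag == tag:
            self.stack.pop()
            return
        if any(t == tag for t, _ in self.stack):
            # The closer matches an outer element: everything above it was left open.
            while self.stack[-1][0] != tag:
                inner, inner_line = self.stack.pop()
                self.issues.append(
                    f"line {inner_line}: <{inner}> is not closed before </{tag}> on line {line}")
            self.stack.pop()
        else:
            self.issues.append(
                f"line {line}: </{tag}> has no matching opening tag "
                f"(innermost open element is <{open_tag}> from line {open_line})")

    def finish(self):
        """Flush the parser and report anything still open."""
        self.close()
        for tag, line in reversed(self.stack):
            self.issues.append(f"line {line}: <{tag}> is never closed")
        self.stack.clear()
        return self.issues


def check_html(html):
    """Return a list of structural problems; an empty list means the markup balances."""
    checker = StructureChecker()
    checker.feed(html)
    return checker.finish()


if __name__ == "__main__":
    # Constructed samples: one clean, three malformed in the ways the page lists.
    for sample in ("<p>ok <strong>bold</strong><br></p>",
                   "<p>unclosed <em>emphasis</p>",
                   "<ul><li>item</ul>",
                   "<p>never closed"):
        print(repr(sample), "->", check_html(sample) or "ok")
```

Run check_html() on the field value before building the request and refuse to send when it returns anything; a non-empty list is exactly the input for which the page says the sanitized result may be restructured or truncated.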