UM Allowed HTML Tags

Ultimate Member Allowed HTML Tags Guide

Ultimate Member (UM) uses specific HTML "allow lists" to ensure site security while maintaining flexibility for user content. Depending on where the content is displayed (the context), UM applies different levels of sanitization using the wp_kses() function.

1. Templates Context (`#templates-list`)

Used in: Front-end Profile displays, Registration forms, and Member Directories.

This is the most permissive list. It allows for complex layouts, including forms, tables, and SVGs.

Version Change (v2.11.2+): The <iframe> tag is removed from this list by default for security.

Allowed Tags & Specific Attributes

In addition to the Global Attributes (see Section 3), these tags allow the following specific attributes:

Tag	Allowed Attributes
`<a>`	`href`, `rel`, `rev`, `name`, `target`, `download`
`<link>`	`rel`, `href`, `media`
`<svg>`	`xmlns`, `height`, `viewbox`, `width`, `fill`, `stroke`, `preserveaspectratio`
`<img>`	`src`, `srcset`, `alt`, `width`, `height`, `loading`, `border`, `hspace`, `vspace`
`<form>`	`action`, `method`, `name`, `target`, `enctype`, `novalidate`, `accept`, `accept-charset`
`<input>`	`type`, `name`, `value`, `placeholder`, `required`, `pattern`, `maxlength`, `minlength`, `size`, `step`, `min`, `max`, `readonly`, `disabled`, `checked`, `selected`, `autocomplete`
`<textarea>`	`cols`, `rows`, `disabled`, `name`, `readonly`, `required`, `autocomplete`, `placeholder`
`<table>`	`align`, `bgcolor`, `border`, `cellpadding`, `cellspacing`, `dir`, `rules`, `summary`, `width`
`<td>` / `<th>`	`abbr`, `align`, `axis`, `bgcolor`, `char`, `charoff`, `colspan`, `headers`, `height`, `nowrap`, `rowspan`, `scope`, `valign`, `width`
`<time>`	`datetime`

2. Admin Notices & WP-Admin Context

Used in: Dashboard notifications and UM Settings fields in the backend.

This context is highly restricted to prevent administrative-level XSS attacks. It generally permits basic formatting but strips all layout-altering tags like <div>, <section>, or <form>. While the tag list is restricted, the Global Attributes mentioned below still apply to these backend contexts.

Supported Global Attributes

Applies to: All UM Custom Contexts (templates, wp-admin, and admin_notices).

For these specific contexts, UM merges the tag-specific attributes listed above with the following WordPress global attributes. If an attribute is not on this list or the specific tag list, it will be removed.

Identification: id, class
Styling: style
Metadata: title, lang, dir, xml:lang
Accessibility: role, aria-controls, aria-current, aria-describedby, aria-details, aria-expanded, aria-hidden, aria-label, aria-labelledby, aria-live
Custom Data: data-* (All attributes starting with data- are permitted)
Visibility: hidden

Reference: Biography Context (`user_description`)

Used in: The native WordPress "Biographical Info" field.

As of v2.11.2, this context is strictly limited to the WordPress Native allowed tags. Ultimate Member does not add custom changes to this list; we adopt the standard WordPress security defaults for this field.

Important: Attribute Restriction

Unlike the Templates context, the Biography context does not support global attributes like class, id, or style. Only the attributes explicitly listed as tag attributes below are permitted. Any others will be automatically stripped.

<a>: Available only with href, title, rel, target.
<abbr> / <acronym>: Available only with title.
<blockquote> / <q>: Available only with cite.
<del>: Available only with datetime.
Formatting only (No attributes permitted): <b>, <cite>, <code>, <em>, <i>, <s>, <strike>, <strong>.

Version History & Key Changes

Version	Change Description
v2.11.2	`<iframe>` removed from the default Templates list.
v2.11.2	`user_description` (Biography) switched from UM Templates list to strict WP Native list.
v2.11.3	Introduced `um_sanitize_form_submission` filter for custom field-level overrides.