Skip to content
HubSpot Developer Changelog

XSS Sanitization for CRM properties containing HTML

Beginning on July 29th, updates to rich text CRM properties will have any HTML sanitized before the value is stored in HubSpot.


What's changing?

Updates to properties that contain HTML, including rich text properties and the body of note engagements, will have disallowed elements and attributes removed to reduce  the risk of XSS vulnerabilities before the value is stored in HubSpot.

For example, for a property that includes <script> tags in the value, the script tags would be removed:

  • Before: <b>Hello!</b><script>alert(cookie);</script>
  • After: <b>Hello!</b>

This process will also canonicalize the HTML to make the property value more closely resemble the HTML that would be set when a user updates a rich text property in HubSpot. This sanitization should not change how the HTML would be interpreted by a web browser. Also, the sanitization will not change how the HTML is displayed to a user when viewing the property in HubSpot, as this sanitization is already applied to the displayed value in the HubSpot CRM. 

Some examples of changes may include:

  • Tag element and attribute names will be lowercased (<B> will become <b>)
  • Self closing tags will have the ending slash removed (<br /> will become <br>)
  • Extra spaces between attributes will be removed (<a   href=...> will become <a href=...>)
  • Text nodes will be HTML-entity encoded (<3 HubSpot will become &lt;3 HubSpot)


  • Before: <B>SOME BOLD TEXT</B><br /><br />other text and a <a     href=>link</a><br /><br /> <3 HubSpot
  • After: <b>SOME BOLD TEXT</b><br><br>other text and a <a href="">link</a><br><br> &lt;3 HubSpot

This sanitization process happens before the value is stored in the property, which may happen after the value is accepted by HubSpot, depending on how that property update is sent to HubSpot. For example, form submissions sent using the Forms API may accept property values that would be sanitized before the value was stored for the CRM record. For updates made through the Contacts API, values that get sanitized will be accepted and result in an HTTP 200 response, with the sanitized value that is actually stored in the property value returned in any JSON response.


Why is this changing?

This change helps improve security for HubSpot users, by adding an additional safeguard against cross-site scripting issues where property values could be displayed, whether that's within the HubSpot CRM, displayed on a HubSpot website page using personalization tokens, or displayed separately through an integration.


When is this happening?

This sanitization process will apply to all rich text property updates beginning on July 29, 2024.

Please let us know if you have any questions by joining the discussion in our community.