A few features of the user interface, such as the deposit license text & some metadata fields, can be marked up using a subset of HTML.  This HTML subset is defined by Angular, as we use Angular's "[innerHtml]" property to display these HTML-based fields.

Angular automatically sanitizes any HTML passed to "[innerHtml]" in order to avoid XSS attacks.  See Angular docs at https://angular.io/guide/security#preventing-cross-site-scripting-xss

At this time, Angular does NOT have a formal reference of elements/attributes which are allowed, but we've compiled a list below of currently known acceptable elements. This list may change in later releases of Angular, but is currently maintained in Angular's "html_sanitizer.ts": https://github.com/angular/angular/blob/main/packages/core/src/sanitization/html_sanitizer.ts

As of the writing of this page, these HTML5 elements may be used:

• h1, h2, h3, h4, h5, h6
• p, div
• a
• img
• audio
• video
• map
• table-based elements (table, td, th, tr, etc)
• list-based elements (ol, ul, li, etc)
• other formatting elements (b, i, u, br, hr, small, font, etc)

Not all DSpace fields support HTML, but the User Interface should make it clear which fields do.  When adding HTML to a field, you should not create a complete HTML document (surrounded with "<html>" tags).  Just add an HTML fragment.