Allowlist guidance

Can anyone point me to a way to automate adding tool output to the HTML Rendered list, and what tools need to have their output on this list? Is there a best practices guide for this?

Welcome @psdavis

By default, and for security reasons, all HTML content created by tools is “sanitized”.

Configuration options in the docs → Configuration Options — Galaxy Project 24.2.1.dev0 documentation

Configuration options location → galaxy.yml (permalink in the code base)

  # Sanitize all HTML tool output.  By default, all tool output served
  # as 'text/html' will be sanitized thoroughly.  This can be disabled
  # if you have special tools that require unaltered output.  WARNING:
  # disabling this does make the Galaxy instance susceptible to XSS
  # attacks initiated by your users.
  #sanitize_all_html: true


  # Datasets created by tools listed in this file are trusted and will
  # not have their HTML sanitized on display.  This can be manually
  # edited or manipulated through the Admin control panel -- see "Manage
  # Allowlist"
  # The value of this option will be resolved with respect to
  # <managed_config_dir>.
  #sanitize_allowlist_file: sanitize_allowlist.txt

When enabled, tools can be added to the server Allowlist and then HTML graphical content created by those tools can be rendered and displayed directly inside of Galaxy. This is something that you will probably want to manage directly and with a person, especially if your server is exposed on the internet. But you can set it to false of course!

How it works

Log into Galaxy with your admin account, click on the lower (red) Admin icon in the left navigation bar, then choose Manage Allowlist.

  1. All installed tools are initially listed in the first HTML Sanitized tab
  2. Each tool can be toggled into the HTML Rendered tab
  3. If the tool version is excluded from the tool_id then all versions will be captured and moved over (added with a direct change to your sanitize_allowlist.txt, not via the UI).


Hopefully this helps but please let us know if it actually does or if you have any follow-up questions! :rocket:

Yes, but what tools need to be allowed so users can see the HTML output? It ends up looking like the Galaxy service isn’t working to end users. With automated install of tools using ephemeris, is there also a tool that can mass whitelist output without whitelisting HTML output from all toolshed tools? Is it reasonable to just allow HTML from all toolshed installs?

Hi @psdavis

Leaving this as unsanitized by default carries security risks.

To find the tools with HTML output, you could review your tools' tests? The datatype will be exactly html.

Let’s also see if our Admin chat has more ideas. Feel free to join now or later, too! You're invited to talk on Matrix
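Putting the two replies above together (tool ids without a version match every version, and tools that emit HTML declare an output whose datatype is exactly `html`), here is an added example script that is not part of this thread or of the Galaxy code base. It scans tool wrapper XML for `<data format="html">` outputs, strips the trailing version segment from Tool Shed guids, and merges the resulting ids into an existing `sanitize_allowlist.txt` without duplicating entries. Assumptions, labelled in the comments: the allowlist is one tool id per line with `#` comments allowed, and Tool Shed ids follow the `host/repos/owner/repo/tool/version` layout. The wrappers and allowlist below are constructed samples so the script runs offline; point `scan_tool_dir` at your real tools directory instead.

```python
"""Find Galaxy tools with HTML outputs and merge their ids into sanitize_allowlist.txt.
Added example, not Galaxy's own code."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample wrappers (not real Galaxy tools) so the script runs offline.
SAMPLE_WRAPPERS = {
    "local_html_viewer.xml": (
        '<tool id="local_html_viewer" name="Local HTML viewer" version="0.1">'
        '<outputs><data name="page" format="html" /></outputs></tool>'
    ),
    "shed_report.xml": (
        '<tool id="toolshed.example.org/repos/someowner/somerepo/shed_report/2.3.1" '
        'name="Shed report" version="2.3.1">'
        '<outputs><data name="summary" format="tabular" />'
        '<data name="report" format="html" /></outputs></tool>'
    ),
    "counter.xml": (
        '<tool id="counter" name="Counter" version="1.0">'
        '<outputs><data name="counts" format="tabular" /></outputs></tool>'
    ),
}

# Constructed existing allowlist. Assumed format: one tool id per line, '#' starts a comment.
SAMPLE_ALLOWLIST = "# trusted tools\nlocal_html_viewer\n"


def strip_version(tool_id):
    """Drop the trailing version segment of a Tool Shed guid so one entry covers all
    versions. Assumed guid layout: host/repos/owner/repo/tool/version.
    Local (non-guid) ids are returned unchanged."""
    parts = tool_id.split("/")
    if len(parts) >= 6 and parts[1] == "repos":
        return "/".join(parts[:-1])
    return tool_id


def has_html_output(xml_text):
    """True if any <data> under <outputs> (collections included) has format exactly 'html'."""
    root = ET.fromstring(xml_text)
    outputs = root.find("outputs")
    if outputs is None:
        return False
    return any(d.get("format") == "html" for d in outputs.iter("data"))


def html_tool_ids(wrappers):
    """wrappers: mapping of filename -> wrapper XML text.
    Returns the sorted, version-less ids of tools that declare an HTML output."""
    ids = set()
    for text in wrappers.values():
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            continue  # skip a malformed wrapper rather than abort the whole scan
        tool_id = root.get("id")
        if tool_id and has_html_output(text):
            ids.add(strip_version(tool_id))
    return sorted(ids)


def merge_allowlist(existing_text, new_ids):
    """Return the allowlist with new ids appended. Existing lines (comments included)
    are kept in order and ids already present are not added twice."""
    lines = existing_text.splitlines()
    present = {l.strip() for l in lines if l.strip() and not l.lstrip().startswith("#")}
    additions = [i for i in new_ids if i not in present]
    return "\n".join(lines + additions) + "\n"


def scan_tool_dir(tool_dir):
    """Read every *.xml under tool_dir (for example your Galaxy tools/ directory)."""
    return {str(p): p.read_text() for p in Path(tool_dir).rglob("*.xml")}


if __name__ == "__main__":
    found = html_tool_ids(SAMPLE_WRAPPERS)
    print("tools with HTML output:", found)
    print(merge_allowlist(SAMPLE_ALLOWLIST, found), end="")
```

Review the printed additions before writing them back to `sanitize_allowlist.txt`: every id you add becomes trusted, unsanitized HTML for all users, so keeping the merge step a human decision matches the advice earlier in the thread.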

Thank you! I didn’t realize that.

Where can I find documentation on the format of sanitize_allowlist.txt? There doesn’t seem to be an example in the lib/galaxy/config/sample/ and all I can find in the docs is where to set the filename of the allow list if you want to change it.

Hi @psdavis

We didn’t forget about you! :slight_smile:

We’ve added the Allowlist used at UseGalaxy.org to our repository where we publish examples of the config files for our server.

This is the example you requested. It was a good idea, thanks for following up about it!

Hope this helps! You might be able to use this directly as a starting place, then layer in any tools you are hosting that we happen to not include. :hammer_and_wrench:

Awesome! Thanks!