Genpact Cora Knowledge Center

Configure HTML Sanitization

V9.5

Overview

HTML content must be sanitized to protect it against various attacks, including cross-site scripting (XSS). This functionality gives clients full control over the HTML content that is displayed in Flowtime.

At present, HTML sanitization is enabled for the Conversations View in Cora SeQuence. HTML content saved in the Cora SeQuence database is sanitized when it is fetched for display in the Conversations View; the content stored in the database itself remains unchanged.

The HTML Sanitizer functionality is enabled by default with the deployment.
You can enable or disable it from the HtmlSanitizationRules.xml file in the ~Shared Resources\Components\HtmlSanitizer folder on your system.

Sample HtmlSanitizationRules.xml file template

<?xml version="1.0"?>
<Rules enabled="true" allowDataAttributes="false" keepChildNodes="false">
    <Tags clearDefaults="false">
        <Allowed></Allowed>
        <Restricted></Restricted>
    </Tags>
    <Attributes clearDefaults="false">
        <Allowed>class,face</Allowed>
        <Restricted></Restricted>
    </Attributes>
    <CssProperties clearDefaults="false" >
        <Allowed></Allowed>
        <Restricted></Restricted>
    </CssProperties>
    <AtRules clearDefaults="false" >
        <Allowed></Allowed>
        <Restricted></Restricted>
    </AtRules>
    <Schemes clearDefaults="false">
        <Allowed>mailto,data</Allowed>
        <Restricted></Restricted>
    </Schemes>
    <UriAttributes clearDefaults="false" >
        <Allowed></Allowed>
        <Restricted></Restricted>
    </UriAttributes>
</Rules>

XML Elements

Element              Value                   Description
enabled              true (default), false   Enables or disables HTML sanitization
allowDataAttributes  true, false (default)   Allows the use of data attributes
keepChildNodes       true, false (default)   Keeps the content of restricted nodes intact

The following are the default configuration elements and parameters supported in the XML file.

Allowed attributes

background-clip, background-origin, background-size, border-bottom-left-radius, border-bottom-right-radius, border-image, border-image-outset, border-image-repeat, border-image-slice, border-image-source, border-image-width, border-radius, border-top-left-radius, border-top-right-radius, font-feature-settings, font-kerning, font-language-override, font-size-adjust, font-stretch, font-synthesis, font-variant-alternates, font-variant-caps, font-variant-east-asian, font-variant-ligatures, font-variant-numeric, font-variant-position, outline-offset, overflow-wrap, overflow-x, overflow-y, text-decoration-color, text-decoration-line, text-decoration-skip, text-decoration-style

Allowed tags

a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hr, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr

Allowed CSS properties

background, background-attachment, background-color, background-image, background-position, background-repeat, border, border-bottom, border-bottom-color, border-bottom-style, border-bottom-width, border-collapse, border-color, border-left, border-left-color, border-left-style, border-left-width, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-style, border-top-width, border-width, bottom, caption-side, clear, clip, color, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, float, font, font-family, font-size, font-style, font-variant, font-weight, height, left, letter-spacing, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width, min-height, min-width, opacity, orphans, outline, outline-color, outline-style, outline-width, overflow, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, quotes, right, table-layout, text-align, text-decoration, text-indent, text-transform, top, unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing, z-index

Allowed CSS at-rules

namespace, style

Allowed Uri schemes

http, https

Allowed Uri attributes

action, background, dynsrc, href, lowsrc, src

Customized sanitization rules

You can customize the HTML sanitization rules to suit your needs by adding new rules to the HtmlSanitizationRules XML file.

NOTE
Do not modify the default HtmlSanitizationRules.xml file.

  1. Create a copy of the default HTML sanitization rules XML file in the following locations on your system, and rename the copy.
    For Administration:
    ~\Administration\Shared Resources\Components\HtmlSanitizer
    For Flowtime:
    ~\Flowtime\Shared Resources\Components\HtmlSanitizer
  2. Add a key to the <appSettings> section of the web.config file, with the new XML file name as the key's value:
    <add key="PNMsoft.Sequence.Web.Security.HtmlSanitization.RuleFileName" value="new XML file name" />
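As an added example (not part of the Cora SeQuence product or of this page), the following Python script parses a rules file in the format shown above, resolves the effective allow-list of each section and reports how a customized file deviates from the shipped defaults, so the change can be reviewed before the web.config key points at it. The precedence it applies (clearDefaults="true" discards the shipped list, Allowed entries are added, Restricted entries are removed last) is an assumption that this page does not spell out, and the Tags and CssProperties default lists are abridged.

```python
import xml.etree.ElementTree as ET

# Shipped defaults as listed on this page (Tags and CssProperties abridged to a few
# entries; AtRules, Schemes and UriAttributes carry the page's full default lists).
DEFAULTS = {
    "Tags": {"a", "b", "br", "div", "font", "img", "p", "span", "table", "td", "tr"},
    "Attributes": set(),  # the page lists no default HTML attributes
    "CssProperties": {"background", "color", "display", "font", "margin", "width"},
    "AtRules": {"namespace", "style"},
    "Schemes": {"http", "https"},
    "UriAttributes": {"action", "background", "dynsrc", "href", "lowsrc", "src"},
}

# Constructed rules file: the page's sample with one restriction added to Tags.
SAMPLE_RULES = """<?xml version="1.0"?>
<Rules enabled="true" allowDataAttributes="false" keepChildNodes="false">
    <Tags clearDefaults="false"><Allowed></Allowed><Restricted>img</Restricted></Tags>
    <Attributes clearDefaults="false"><Allowed>class,face</Allowed><Restricted></Restricted></Attributes>
    <Schemes clearDefaults="false"><Allowed>mailto,data</Allowed><Restricted></Restricted></Schemes>
</Rules>"""

def _csv(elem):
    """Split the comma-separated text of <Allowed>/<Restricted> into a set of names."""
    if elem is None or not elem.text:
        return set()
    return {v.strip().lower() for v in elem.text.split(",") if v.strip()}

def resolve_rules(xml_text):
    """Return (flags, {section: effective allow-list}) for a rules file.

    Assumed precedence (not documented on the page): clearDefaults="true" discards
    the shipped list, <Allowed> entries are added, <Restricted> entries are removed
    last, so a restriction always wins over an allowance.
    """
    root = ET.fromstring(xml_text)
    flags = {k: root.get(k, "false").lower() == "true"
             for k in ("enabled", "allowDataAttributes", "keepChildNodes")}
    effective = {}
    for section, defaults in DEFAULTS.items():
        node = root.find(section)  # a missing section keeps the shipped defaults
        clear = node is not None and node.get("clearDefaults", "false").lower() == "true"
        names = set() if clear else set(defaults)
        if node is not None:
            names |= _csv(node.find("Allowed"))
            names -= _csv(node.find("Restricted"))
        effective[section] = names
    return flags, effective

def diff_from_defaults(effective):
    """Show what a customized file adds to, or removes from, the shipped defaults."""
    return {s: {"added": sorted(effective[s] - DEFAULTS[s]),
                "removed": sorted(DEFAULTS[s] - effective[s])} for s in DEFAULTS}
```

Running `diff_from_defaults(resolve_rules(SAMPLE_RULES)[1])` on the constructed file reports the extra schemes and attributes and the removed img tag; anything reported as added to Schemes or Tags is what a reviewer should look at first.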