V9.5
Overview
HTML content must be sanitized to protect it against attacks such as cross-site scripting (XSS). This functionality gives clients full control over the HTML content displayed in Flowtime.
At present, HTML sanitization is enabled for the Conversations View in Cora SeQuence. HTML content saved in the Cora SeQuence database is sanitized when it is fetched for display in the Conversations View; the content stored in the database itself remains unchanged.
HTML Sanitizer functionality is enabled by default with the deployment.
You can enable or disable this functionality in the HtmlSanitizationRules.xml file, located in the ~Shared Resources\Components\HtmlSanitizer folder on your system.
Sample HtmlSanitizationRules.xml file template
```xml
<?xml version="1.0"?>
<Rules enabled="true" allowDataAttributes="false" keepChildNodes="false">
  <Tags clearDefaults="false">
    <Allowed></Allowed>
    <Restricted></Restricted>
  </Tags>
  <Attributes clearDefaults="false">
    <Allowed>class,face</Allowed>
    <Restricted></Restricted>
  </Attributes>
  <CssProperties clearDefaults="false">
    <Allowed></Allowed>
    <Restricted></Restricted>
  </CssProperties>
  <AtRules clearDefaults="false">
    <Allowed></Allowed>
    <Restricted></Restricted>
  </AtRules>
  <Schemes clearDefaults="false">
    <Allowed>mailto,data</Allowed>
    <Restricted></Restricted>
  </Schemes>
  <UriAttributes clearDefaults="false">
    <Allowed></Allowed>
    <Restricted></Restricted>
  </UriAttributes>
</Rules>
```
XML Elements
Element | Value | Description |
---|---|---|
enabled | true (default), false | Enables or disables HTML sanitization. |
allowDataAttributes | true, false (default) | Allows the use of data attributes (data-*). |
keepChildNodes | true, false (default) | Keeps the content of restricted nodes intact. |
The following are the default configuration elements and values supported in the XML file.
Allowed attributes
background-clip, background-origin, background-size, border-bottom-left-radius, border-bottom-right-radius, border-image, border-image-outset, border-image-repeat, border-image-slice, border-image-source, border-image-width, border-radius, border-top-left-radius, border-top-right-radius, font-feature-settings, font-kerning, font-language-override, font-size-adjust, font-stretch, font-synthesis, font-variant-alternates, font-variant-caps, font-variant-east-asian, font-variant-ligatures, font-variant-numeric, font-variant-position, outline-offset, overflow-wrap, overflow-x, overflow-y, text-decoration-color, text-decoration-line, text-decoration-skip, text-decoration-style
Allowed tags
a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hr, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr
Allowed CSS properties
background, background-attachment, background-color, background-image, background-position, background-repeat, border, border-bottom, border-bottom-color, border-bottom-style, border-bottom-width, border-collapse, border-color, border-left, border-left-color, border-left-style, border-left-width, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-style, border-top-width, border-width, bottom, caption-side, clear, clip, color, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, float, font, font-family, font-size, font-style, font-variant, font-weight, height, left, letter-spacing, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width, min-height, min-width, opacity, orphans, outline, outline-color, outline-style, outline-width, overflow, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, quotes, right, table-layout, text-align, text-decoration, text-indent, text-transform, top, unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing, z-index
Allowed CSS at-rules
namespace, style
Allowed Uri schemes
http, https
Allowed Uri attributes
action, background, dynsrc, href, lowsrc, src
Customized sanitization rules
You can customize the HTML sanitization rules to suit your needs by adding new rules to the HtmlSanitizationRules XML file.
NOTE
Do not modify the default HtmlSanitizationRules.xml file.
- Create a copy of the default HTML sanitization rules XML file in the following locations on your system, and rename the copy.
  For Administration: ~\Administration\Shared Resources\Components\HtmlSanitizer
  For Flowtime: ~\Flowtime\Shared Resources\Components\HtmlSanitizer
- Add a key to the <appSettings> section of the web.config file, with the new XML file name as the value of this key:

```xml
<add key="PNMsoft.Sequence.Web.Security.HtmlSanitization.RuleFileName" value="new XML file name" />
```
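As an added example (not part of this documentation or of Cora SeQuence's own code), the following Python script reads a rules file in the format shown above, computes the effective allow-lists, and checks whether a URI attribute value would pass the scheme list. It assumes the semantics that clearDefaults="true" discards the built-in defaults, Allowed adds entries and Restricted removes them; the built-in default lists are abbreviated to a subset of those on the page, and the sample rules file is constructed.

```python
import xml.etree.ElementTree as ET

# Built-in defaults as listed on the page (Tags/CssProperties abbreviated, Attributes omitted).
DEFAULTS = {
    "Tags": {"a", "b", "br", "div", "form", "img", "input", "p", "span", "table"},
    "Attributes": set(),
    "CssProperties": {"background", "color", "display", "font-family", "width"},
    "AtRules": {"namespace", "style"},
    "Schemes": {"http", "https"},
    "UriAttributes": {"action", "background", "dynsrc", "href", "lowsrc", "src"},
}

def _csv(node):
    """Turn an <Allowed>/<Restricted> comma list into a lower-case set."""
    text = (node.text or "") if node is not None else ""
    return {v.strip().lower() for v in text.split(",") if v.strip()}

def effective_rules(xml_text):
    """Return (enabled, {section: effective allow-set}) for a rules file.
    Assumed semantics: clearDefaults="true" discards the built-in list,
    <Allowed> entries are added and <Restricted> entries are removed."""
    root = ET.fromstring(xml_text)
    enabled = root.get("enabled", "true").strip().lower() == "true"
    rules = {}
    for section, defaults in DEFAULTS.items():
        node = root.find(section)
        clear = node is not None and node.get("clearDefaults", "false").lower() == "true"
        allowed = set() if clear else set(defaults)
        if node is not None:
            allowed |= _csv(node.find("Allowed"))
            allowed -= _csv(node.find("Restricted"))
        rules[section] = allowed
    return enabled, rules

def uri_allowed(rules, attr, value):
    """Would this attribute value pass the scheme check? Non-URI attributes
    and relative URLs (no scheme) are not subject to the Schemes list."""
    if attr.lower() not in rules["UriAttributes"]:
        return True
    scheme, sep, _ = value.strip().partition(":")
    if not sep or "/" in scheme:
        return True
    return scheme.lower() in rules["Schemes"]

# Constructed sample: the page's template, restricting two tags and adding a scheme.
SAMPLE = """<?xml version="1.0"?>
<Rules enabled="true" allowDataAttributes="false" keepChildNodes="false">
  <Tags clearDefaults="false"><Allowed></Allowed><Restricted>form,input</Restricted></Tags>
  <Schemes clearDefaults="false"><Allowed>mailto</Allowed><Restricted></Restricted></Schemes>
</Rules>"""
```

Running `effective_rules(SAMPLE)` shows the restricted tags dropped from the default list and `mailto` added to the schemes, which is the quickest way to review a customized rules file before deploying it.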