Platform Explorer / Nuxeo Platform 2023.10

Component org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerService

Documentation

The HTML Sanitizer Service sanitizes some HTML fields to remove potential cross-site scripting attack in them.

Resolution Order

376
The resolution order represents the order in which this component has been resolved by the Nuxeo Runtime framework.
You can influence this order by adding "require" tags in your component declaration, to make sure it is resolved after another component.

Start Order

850
The start order represents the order in which this component has been started by the Nuxeo Runtime framework.
This number is interesting to tweak if your Java component interacts with other components, and needs to be started before or after another one.
It can be changed by implementing the method "Component#getApplicationStartedOrder()" on your Java component: components are sorted according to this reference value, in increasing order.
The default value is 1000, and the repository initialization uses number 100. Negative values can also be used.

Implementation

Class: org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerServiceImpl

Services

Extension Points

Contributions

XML Source

<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerService"
  version="1.0.0">

  <documentation>
    The HTML Sanitizer Service sanitizes some HTML fields
    to remove potential cross-site scripting attack in them.

    @author Florent Guillaume
  </documentation>

  <implementation
    class="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerServiceImpl" />

  <service>
    <provide interface="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerService" />
  </service>

  <extension-point name="sanitizer">
    <documentation>
      Specify the types of documents and fields to sanitize.

      The following example configures just based on field
      names:

      <code>
        <sanitizer name="foo">
          <field>note</field>
          <field>comment:text</field>
        </sanitizer>
      </code>

      The following specifies that only the note field of the Note type
      will be sanitized:

      <code>
        <sanitizer name="foo">
          <type>Note</type>
          <field>note</field>
        </sanitizer>
      </code>

      The following example disables a sanitizer:

      <code>
        <sanitizer name="default" enabled="false" />
      </code>

      Sanitizing can also be enabled on a field only if a field has a given value.
      This is useful when the same document field can contain text, html or wiki markup.
      For a webpage, you may want to only sanitize the webpages that are using HTML.
      Here is an example configuration.

     <code>
       <sanitizer name="foo">
         <field filter="webp:isRichtext" filterValue="true">webp:content</field>
       </sanitizer>
     </code>

     In this example the field webp:content will be sanitized only when
     the String representation of the webp:isRichtext is "true".

     If you want to <em>not</em> sanitize when a given value is present, use:

     <code>
       <sanitizer name="foo">
         <field filter="mime_type" filterValue="text/plain" sanitize="false">note</field>
       </sanitizer>
     </code>

    </documentation>
    <object
      class="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerDescriptor" />
  </extension-point>

  <extension-point name="antisamy">
    <documentation>
      The following allows you to change the AntiSamy policy file:

      <code>
        <antisamy policy="some-file.xml"/>
      </code>
    </documentation>
    <object
      class="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerAntiSamyDescriptor" />
  </extension-point>

  <extension target="org.nuxeo.ecm.core.event.EventServiceComponent"
    point="listener">
    <description>
      Listener that runs (very early) the HTML Sanitizer.
    </description>
    <listener name="htmlsanitizerlistener"
      class="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerListener"
      postCommit="false" async="false" priority="-10">
    </listener>
  </extension>

</component>