Component org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerService
In bundle org.nuxeo.ecm.platform.htmlsanitizer
Documentation
The HTML Sanitizer Service sanitizes some HTML fields to remove potential cross-site scripting attack in them.
Resolution Order
376
The resolution order represents the order in which this component has been resolved by the Nuxeo Runtime
framework.
You can influence this order by adding "require" tags in your component declaration, to make sure it is resolved after another component.
Start Order
850
The start order represents the order in which this component has been started by the Nuxeo Runtime framework.
This number is interesting to tweak if your Java component interacts with other components, and needs to be started before or after another one.
It can be changed by implementing the method "Component#getApplicationStartedOrder()" on your Java component: components are sorted according to this reference value, in increasing order.
The default value is 1000, and the repository initialization uses number 100. Negative values can also be used.
Implementation
Class:
org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerServiceImpl
Services
Extension Points
Contributions
XML Source
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerService"
version="1.0.0">
<documentation>
The HTML Sanitizer Service sanitizes some HTML fields
to remove potential cross-site scripting attack in them.
@author Florent Guillaume
</documentation>
<implementation
class="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerServiceImpl" />
<service>
<provide interface="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerService" />
</service>
<extension-point name="sanitizer">
<documentation>
Specify the types of documents and fields to sanitize.
The following example configures just based on field
names:
<code>
<sanitizer name="foo">
<field>note</field>
<field>comment:text</field>
</sanitizer>
</code>
The following specifies that only the note field of the Note type
will be sanitized:
<code>
<sanitizer name="foo">
<type>Note</type>
<field>note</field>
</sanitizer>
</code>
The following example disables a sanitizer:
<code>
<sanitizer name="default" enabled="false" />
</code>
Sanitizing can also be enabled on a field only if a field has a given value.
This is useful when the same document field can contain text, html or wiki markup.
For a webpage, you may want to only sanitize the webpages that are using HTML.
Here is an example configuration.
<code>
<sanitizer name="foo">
<field filter="webp:isRichtext" filterValue="true">webp:content</field>
</sanitizer>
</code>
In this example the field webp:content will be sanitized only when
the String representation of the webp:isRichtext is "true".
If you want to <em>not</em> sanitize when a given value is present, use:
<code>
<sanitizer name="foo">
<field filter="mime_type" filterValue="text/plain" sanitize="false">note</field>
</sanitizer>
</code>
</documentation>
<object
class="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerDescriptor" />
</extension-point>
<extension-point name="antisamy">
<documentation>
The following allows you to change the AntiSamy policy file:
<code>
<antisamy policy="some-file.xml"/>
</code>
</documentation>
<object
class="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerAntiSamyDescriptor" />
</extension-point>
<extension target="org.nuxeo.ecm.core.event.EventServiceComponent"
point="listener">
<description>
Listener that runs (very early) the HTML Sanitizer.
</description>
<listener name="htmlsanitizerlistener"
class="org.nuxeo.ecm.platform.htmlsanitizer.HtmlSanitizerListener"
postCommit="false" async="false" priority="-10">
</listener>
</extension>
</component>