      AntiSamy is a Java component that sanitizes HTML/CSS to eliminate potentially malicious JavaScript. The rules it applies are declared in an XML policy file that must follow the OWASP AntiSamy policy specification.
      Until now the portal had one fixed set of AntiSamy rules that could only be switched on or off. This development allows different rule sets to be generated and associated with different model classes of the portal.
      For example, KB articles can now be allowed to contain certain content (such as iframes with videos) while that same content is prohibited in comments.

      A new menu option has been added at System Settings - Security Tools - AntiSamy Sanitizer by Model, where a generated AntiSamy XML file is mapped to the type of content it applies to (the name of the model class must be specified).
      Please note that if the class is whitelisted at System Settings - Security Tools - AntiSamy Sanitizer, the per-model configuration is not taken into account: the whitelist wins over the mapping.

      Any developer can now generate a new AntiSamy file with Gradle; how to do this is explained in the next section.
      A file that was not generated with this Gradle task can also be added, as long as it complies with the specification.
      Take into account that the AntiSamy files must be available in the AntiSamy bundle, so they must be stored in modules/apps/portal-security/portal-security-antisamy/src/main/resources/META-INF/resources.
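      The following policy is an added example of what such a per-model file can look like for a "KB article" class; it is not Liferay's default sanitizer-configuration.xml and not a file from this change. The element layout follows the OWASP AntiSamy policy format; the single allowed video origin, the dimension attributes and the input limit are this example's own assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy for a "KB article" model class (not Liferay's own file).
     The allowed video origin, sizes and limits below are assumptions. -->
<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:noNamespaceSchemaLocation="antisamy.xsd">

	<directives>
		<directive name="omitXmlDeclaration" value="true"/>
		<directive name="omitDoctypeDeclaration" value="true"/>
		<directive name="maxInputSize" value="20000"/>
		<directive name="useXHTML" value="true"/>
		<directive name="formatOutput" value="true"/>
		<!-- Never fetch and inline remote style sheets into the sanitized output -->
		<directive name="embedStyleSheets" value="false"/>
	</directives>

	<common-regexps>
		<regexp name="number" value="(\d)+"/>
		<!-- One embed path on one origin, no query string: nothing can be smuggled
		     through parameters, and the pattern stays easy to review -->
		<regexp name="videoEmbedURL" value="^https://www\.youtube\.com/embed/[A-Za-z0-9_-]{11}$"/>
	</common-regexps>

	<common-attributes>
		<attribute name="width">
			<regexp-list><regexp name="number"/></regexp-list>
		</attribute>
		<attribute name="height">
			<regexp-list><regexp name="number"/></regexp-list>
		</attribute>
	</common-attributes>

	<global-tag-attributes/>

	<tags-to-encode>
		<tag>g</tag>
	</tags-to-encode>

	<tag-rules>
		<tag name="p" action="validate"/>
		<tag name="br" action="validate"/>
		<tag name="strong" action="validate"/>
		<tag name="em" action="validate"/>

		<!-- KB articles: keep iframes, but only with an allow-listed src.
		     Attributes not declared here (srcdoc, onload, sandbox, ...) are stripped.
		     onInvalid="removeTag" drops the whole element when src misses the
		     pattern, so a javascript: or data: URL never survives as an empty frame. -->
		<tag name="iframe" action="validate">
			<attribute name="src" onInvalid="removeTag">
				<regexp-list><regexp name="videoEmbedURL"/></regexp-list>
			</attribute>
			<attribute name="width"/>
			<attribute name="height"/>
		</tag>

		<tag name="script" action="remove"/>
	</tag-rules>

	<css-rules/>

	<!-- AntiSamy discards elements without children unless they are listed here;
	     an embed iframe has no children, so it must be allowed to be empty -->
	<allowed-empty-tags>
		<literal-list>
			<literal value="br"/>
			<literal value="iframe"/>
		</literal-list>
	</allowed-empty-tags>
</anti-samy-rules>
```

      For the comments model the same file is used with the iframe rule replaced by `<tag name="iframe" action="remove"/>` (and iframe dropped from allowed-empty-tags); each file is then mapped to its class at System Settings - Security Tools - AntiSamy Sanitizer by Model. Keep in mind that a validated iframe still renders a third-party page inside the article, so the src allow-list should only ever contain origins you trust; AntiSamy cannot sanitize what that origin serves.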

      In the portal-security-antisamy module a new task can be added to generate new AntiSamy files. To generate a new file:
      1. Go to build.gradle in portal-security-antisamy.
      2. Add a new task of type Copy for your new file:

      task processMyModelFileConfiguration(type: Copy)

      3. Configure the task so that it depends on the existing default task:

      processMyModelFileConfiguration {
      	dependsOn processDefaultSanitizerConfiguration
      	File sanitizerConfigurationFile = new File("src/main/resources/META-INF/resources/my-file-name-sanitizer-configuration.xml") // Filename
      	ext {
      		autoClean = false
      	}
      	filter {
      		return _filterMyFile(it) // Filter Method
      	}
      	from {
      		new File("src/main/resources/META-INF/resources/sanitizer-configuration.xml") // The default file is the source
      	}
      	into sanitizerConfigurationFile.parentFile
      	onlyIf {
      		true // The original condition is not shown here
      	}
      	rename {
      		sanitizerConfigurationFile.name // Copy of the default file under the new filename
      	}
      }

      4. Create your filter method, where you can add, remove or modify the AntiSamy rules you need, always following the OWASP specification. The default file (sanitizer-configuration.xml) is used as the source and the filter is applied to it line by line, so each call sees a single line and must return the (possibly modified) line:

      private String _filterMyFile(String line) {
      	if (line.contains('<directive name="maxInputSize" value="20000"/>')) {
      		line = line.replace "20000", "99999"
      	}
      	return line
      }

      5. Add your new task as a dependency of the processResources task:

      dependsOn processMyModelFileConfiguration

      6. Run the resources task with Gradle (gradlew processResources) to obtain your new file. You can then map it to a model class at System Settings - Security Tools - AntiSamy Sanitizer by Model.
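      Steps 1 to 6 put together, as an added example rather than Liferay's own build.gradle: a Copy task that derives a stricter "comments" policy from the default file. It assumes the default task is named processDefaultSanitizerConfiguration and writes sanitizer-configuration.xml into META-INF/resources; the bodies of from, onlyIf and rename, the task and file names, and the doLast check are this example's own.

```groovy
// Added example (not Liferay's build.gradle): a complete Copy task for a
// comments-sanitizer-configuration.xml derived from the default policy.
// Assumed: processDefaultSanitizerConfiguration exists and writes
// sanitizer-configuration.xml into src/main/resources/META-INF/resources.

task processCommentsSanitizerConfiguration(type: Copy)

processCommentsSanitizerConfiguration {
	dependsOn processDefaultSanitizerConfiguration

	File defaultConfigurationFile = file("src/main/resources/META-INF/resources/sanitizer-configuration.xml")
	File sanitizerConfigurationFile = file("src/main/resources/META-INF/resources/comments-sanitizer-configuration.xml")

	ext {
		autoClean = false // Liferay build property, kept from the page's template
	}

	// Gradle hands the filter one line at a time; keep the closure stateless.
	filter {
		return _filterCommentsFile(it)
	}

	from {
		defaultConfigurationFile
	}

	into sanitizerConfigurationFile.parentFile

	// Skip cleanly when the default file has not been generated yet instead of
	// failing the copy with an unclear error.
	onlyIf {
		defaultConfigurationFile.exists()
	}

	rename {
		sanitizerConfigurationFile.name
	}

	// A filter whose patterns match nothing silently yields a policy identical
	// to the default, so verify that the intended changes actually landed.
	doLast {
		String text = sanitizerConfigurationFile.text

		if (!text.contains('<directive name="maxInputSize" value="4000"/>')) {
			throw new GradleException("maxInputSize was not rewritten in " + sanitizerConfigurationFile)
		}

		if (text =~ /<tag name="iframe" action="(?!remove")/) {
			throw new GradleException("an iframe rule other than remove survived in " + sanitizerConfigurationFile)
		}
	}
}

processResources {
	dependsOn processCommentsSanitizerConfiguration
}

// Line filter for the comments policy: a smaller input limit and no iframes.
private String _filterCommentsFile(String line) {
	// Match whatever value the default file carries rather than a hard-coded
	// "20000", so the rewrite survives a change to the default.
	line = line.replaceAll(/(<directive name="maxInputSize" value=")\d+(")/) { all, prefix, suffix ->
		prefix + "4000" + suffix
	}

	// Demote any iframe rule (validate, filter, truncate) to remove. The tag's
	// nested attribute elements may remain; AntiSamy ignores them for remove.
	// Assumes the default file writes the name attribute before action.
	line = line.replaceAll(/(<tag name="iframe" action=")[a-z]+(")/) { all, prefix, suffix ->
		prefix + "remove" + suffix
	}

	return line
}
```

      Because the filter runs per line, it can only rewrite what fits on one line; a rule spread over several lines needs a post-processing step on the generated file instead, which is another reason to keep the doLast check.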

      How to register custom AntiSamy XML config for a model through a fragment

      It is possible to provide a custom XML for a given model through a fragment bundle. Here is an example for the WikiPage model:

      1. Create a fragment bundle project and put the following into bnd.bnd (an OSGi fragment is only attached to its host if the manifest also carries a Fragment-Host header with the host bundle's symbolic name, so make sure your bnd.bnd declares one):
        Bundle-Name: Liferay Portal Security AntiSamy Fragment
        Bundle-Version: 1.0.0
        Import-Package: !*
      2. Create a folder called configs in the project root and create the following file inside the folder:
      3. Create the folder structure src/main/resources/META-INF/resources
      4. Put your custom XML, named "wiki-sanitizer-configuration.xml", into that folder
      5. Create an empty build.gradle file in the project root
      6. Build and deploy the fragment
      7. Refresh (deactivate/activate) the host bundle ("Liferay Portal Security AntiSamy"), for example through the App Manager, or restart the server


      After the fragment is deployed and the host bundle refreshed:
      • Your custom "AntiSamyClassNameConfiguration-blogs.config" file appears under "[Liferay Home]/osgi/configs"
      • A new "AntiSamy Sanitizer by Class Name" entry appears in System Settings

      Here you can find the example project:

      Or use the provided artifacts:

      1. Start Portal/DXP
      2. Deploy
      3. Copy to [Liferay Home]/osgi/configs

      Note: when editing a Wiki Page, change the format to "HTML" under the "Configuration" section of the edit screen; otherwise the AntiSamy sanitizer is not invoked for that page.

      The code involved in this functionality is:


      Participants: Tibor Lipusz, Nóra Szél (recent user: Zsigmond Rab)