Type: Technical Documentation
Affects Version/s: None
Component/s: Application Security > AntiSamy
Sprint: Iteration 37, Iteration 38, Iteration 39, Iteration 40, Iteration 41
Type of Documentation: Developer
This development makes it possible to apply different AntiSamy rule sets to different types of content. Until now the portal shipped one fixed set of rules that could only be applied or not; with this development we can generate different rule sets and associate each of them with a different portal class.
So now we can, for example, allow KB articles to contain certain types of content (such as iframes with videos) while prohibiting that same type of content in comments.
We have added a new menu option at System Settings - Security Tools - AntiSamy Sanitizer by Model, where the generated AntiSamy XML file is mapped to the type of content it applies to (the name of the model class must be specified).
Please note that if the object is whitelisted (at System Settings - Security Tools - AntiSamy Sanitizer), the configuration by model is not taken into account.
Any developer can now generate a new AntiSamy file using Gradle; how to do this is explained in the next section.
A file not generated with this Gradle tool can also be added, as long as it complies with the AntiSamy policy specification.
Take into account that the AntiSamy files must be available in the AntiSamy bundle, so they must be stored in: modules/apps/portal-security/portal-security-antisamy/src/main/resources/META-INF/resources
In the portal-security-antisamy module we have made it possible to add a new task that generates an AntiSamy file. To generate a new file:
1. Go to build.gradle in portal-security-antisamy
2. Add a new task of type Copy for your new file:
3. Make the task depend on the existing default task:
4. Create your filter method, where you can add, remove or modify the AntiSamy rules you need, always following the OWASP specification. Note that the default file (sanitizer-configuration.xml) is used as the source and that you work on it line by line:
5. Add your new task to the processResources task:
6. Run the resources task with Gradle (gradlew processResources) and you'll obtain your new file, which you can map to a class model at System Settings - Security Tools - AntiSamy Sanitizer by Model
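The six steps above combined into one Gradle (Groovy DSL) snippet, as an added example that is not Liferay's own build.gradle and not code from this page. It derives a comments-only policy from the default sanitizer-configuration.xml in which iframes are not allowed, matching the KB-articles-versus-comments case described earlier. The task names, the "comments-" file name and the name of the existing default task ("generateDefaultSanitizerConfiguration") are assumptions; the filter also assumes the default policy contains an iframe tag rule with action="validate" and is a no-op otherwise.

```groovy
// Added example, not Liferay's build.gradle. Task names, the output file name and
// the default task name "generateDefaultSanitizerConfiguration" are hypothetical.

// Directory where the AntiSamy bundle expects its policy files.
def antiSamyResourcesDir = "src/main/resources/META-INF/resources"

// Step 2: a Copy task that produces the new policy file.
task generateCommentsSanitizerConfiguration(type: Copy) {
    // Step 3: run after the default policy has been produced (assumed task name).
    dependsOn "generateDefaultSanitizerConfiguration"

    from file("${antiSamyResourcesDir}/sanitizer-configuration.xml")
    into antiSamyResourcesDir
    rename "sanitizer-configuration.xml", "comments-sanitizer-configuration.xml"

    // Gradle passes every line of the copied file to this closure; returning a
    // string replaces the line, returning null drops it.
    filter { String line ->
        filterCommentsSanitizerLine(line)
    }
}

// Step 4: per-line filter. Comments must not embed iframes, so the iframe tag
// rule (assumed to be action="validate" in the default policy) is switched to
// action="remove", which makes AntiSamy strip the element and its contents.
// Every other line passes through unchanged.
String filterCommentsSanitizerLine(String line) {
    if (line.contains('<tag name="iframe"') && line.contains('action="validate"')) {
        return line.replace('action="validate"', 'action="remove"')
    }
    return line
}

// Step 5: hook the new task into the resource build, so that
// "gradlew processResources" (step 6) writes comments-sanitizer-configuration.xml.
processResources.dependsOn generateCommentsSanitizerConfiguration
```

The resulting comments-sanitizer-configuration.xml is then mapped to the comment model class under System Settings - Security Tools - AntiSamy Sanitizer by Model. A tag action of "remove" discards the element together with its contents, whereas "filter" would keep the contents and drop only the tag; for iframes the former is the safer choice because the fallback text inside an iframe is not meaningful content to preserve.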
It is possible to provide a custom XML for a given model through a fragment bundle. Here is an example for the WikiPage model:
- Create a fragment bundle project and put the following into bnd.bnd:
- Create a folder called configs in the project root and create the following file inside it:
- Create the folder structure src/main/resources/META-INF/resources
- Put your custom XML, named "wiki-sanitizer-configuration.xml", into this folder
- Create an empty build.gradle file in the project root
- Build and deploy the fragment
- Refresh (deactivate/activate) the host bundle ("Liferay Portal Security AntiSamy" - "com.liferay.portal.security.antisamy"), for example through the App Manager, or restart the server
- Your custom "AntiSamyClassNameConfiguration-blogs.config" file appears under "[Liferay Home]/osgi/configs"
- A new "AntiSamy Sanitizer by Class Name" entry appears in System Settings
Here you can find the example project: https://github.com/lipusz/liferay-portal/tree/LPS-112978/modules/apps/portal-security/portal-security-antisamy-fragment
Or use the provided artifacts:
- Start Portal/DXP
- Deploy com.liferay.portal.security.antisamy.fragment-1.0.0.jar
- Copy com.liferay.portal.security.antisamy.configuration.AntiSamyClassNameConfiguration-wiki.config to [Liferay Home]/osgi/configs
Note: when editing a Wiki Page, you need to change the format to "HTML" under the "Configuration" section of the edit screen; otherwise the AntiSamy sanitizer is not invoked.
The code involved in this functionality is: