Output Sanitization Whitelist
To specify which tags, attributes, and protocols are returned as-is when using HTML sanitization, create a custom whitelist file named sanitizer-whitelist.xml. Place the file in the following directory:
%ALM_INSTALL_DIR%/Micro Focus/ALM/webapps/qcbin/WEB-INF/classes/
The default paths are:
- Windows platforms: C:\ProgramData\Micro Focus\ALM\webapps\qcbin\WEB-INF\classes\
- Linux platforms: /var/opt/Micro Focus/ALM/webapps/qcbin/WEB-INF/classes/
The whitelist takes effect when the service is restarted.
In a cluster environment, put the whitelist on each node.
The whitelist contains three collections.
- The tags collection contains the tags that are returned unchanged. The contents of the element for a tag may change if there are attributes or protocols that are not themselves whitelisted.
- The attributes collection contains lists of the attributes allowed for each specified tag.
- The protocols collection contains lists of the protocols allowed for each specified tag-attribute pair.
Sample sanitizer-whitelist.xml:
<root>
  <tags>
    <!-- Collection of tags not changed by sanitizer. Content of elements may still be changed
         if contained attributes and protocols are not whitelisted. Tags not in this collection
         are HTML encoded so they are rendered by browser as plain text. -->
    <tag>html</tag>
    <tag>head</tag>
    <tag>meta</tag>
    <tag>body</tag>
    <tag>a</tag>
    <tag>b</tag>
  </tags>
  <attributes>
    <!-- Collection of attributes not removed by sanitizer if they are used in the specified tag.
         For example, in this definition, in a "meta" element, only the attributes "http-equiv"
         and "content" are allowed.
         Input:  <meta content="INDEX,NOFOLLOW" name="my_meta"/>
         Output: <meta content="INDEX,NOFOLLOW" />
         Attributes defined for the special tag ":all" are allowed for any tag in the "tags" collection. -->
    <attribute tag=":all">
      <value>style</value>
      <value>class</value>
      <value>align</value>
    </attribute>
    <attribute tag="meta">
      <value>http-equiv</value>
      <value>content</value>
    </attribute>
  </attributes>
  <protocols>
    <!-- Collection of protocols not removed by sanitizer if they are used in the specified attribute and tag.
         For example, in this definition, in the "src" attribute of an "img" element, only "http" and "https" are allowed.
         Input:  <img src="http://somewebsite.com/a.png" />
         Output: <img src="http://somewebsite.com/a.png" />
         Input:  <img src="ftp://somewebsite.com/a.png" />
         Output: <img /> -->
    <protocol tag="img" attribute="src">
      <value>http</value>
      <value>https</value>
    </protocol>
    <protocol tag="a" attribute="href">
      <value>http</value>
      <value>https</value>
      <value>mailto</value>
    </protocol>
  </protocols>
</root>
XML schema (XSD) of the whitelist file:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="root" type="rootType"/>
  <xs:complexType name="tagsType">
    <xs:sequence>
      <xs:element type="xs:string" name="tag" maxOccurs="unbounded" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="protocolType">
    <xs:sequence>
      <xs:element type="xs:string" name="value" maxOccurs="unbounded" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute type="xs:string" name="tag" use="required"/>
    <xs:attribute type="xs:string" name="attribute" use="required"/>
  </xs:complexType>
  <xs:complexType name="rootType">
    <xs:sequence>
      <xs:element type="tagsType" name="tags"/>
      <xs:element type="attributesType" name="attributes"/>
      <xs:element type="protocolsType" name="protocols"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="attributesType">
    <xs:sequence>
      <xs:element type="attributeType" name="attribute" maxOccurs="unbounded" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="attributeType">
    <xs:sequence>
      <xs:element type="xs:string" name="value" maxOccurs="unbounded" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute type="xs:string" name="tag" use="required"/>
  </xs:complexType>
  <xs:complexType name="protocolsType">
    <xs:sequence>
      <xs:element type="protocolType" name="protocol" maxOccurs="unbounded" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
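To show how the three collections interact, the following is an added Python example, not ALM's own sanitizer code: it loads a whitelist in this file format and applies the rules described above (unlisted tags HTML-encoded, unlisted attributes dropped, URL attributes dropped when their scheme is not listed) to an HTML fragment. The embedded whitelist is a constructed, trimmed variant of the sample with "img" added as a tag, and keeping scheme-less URL values is an assumption the page does not settle.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed whitelist: trimmed from the page's sample, with "img" added to the tags collection so the img/src protocol rule fires.
WHITELIST_XML = """<root>
  <tags><tag>b</tag><tag>a</tag><tag>img</tag></tags>
  <attributes><attribute tag=":all"><value>class</value></attribute>
    <attribute tag="a"><value>href</value></attribute><attribute tag="img"><value>src</value></attribute></attributes>
  <protocols><protocol tag="a" attribute="href"><value>http</value><value>https</value><value>mailto</value></protocol>
    <protocol tag="img" attribute="src"><value>http</value><value>https</value></protocol></protocols>
</root>"""
def load_whitelist(xml_text):
    # The three collections as sets: tags, attributes per tag, protocols per (tag, attribute) pair.
    root = ET.fromstring(xml_text)
    tags = {t.text for t in root.find("tags")}
    attrs = {a.get("tag"): {v.text for v in a} for a in root.find("attributes")}
    protos = {(p.get("tag"), p.get("attribute")): {v.text for v in p} for p in root.find("protocols")}
    return tags, attrs, protos
class WhitelistSanitizer(HTMLParser):
    def __init__(self, whitelist):
        super().__init__(convert_charrefs=True)
        self.tags, self.attrs, self.protos = whitelist
        self.out = []
    def handle_starttag(self, tag, attrs, close=""):
        if tag not in self.tags:  # tag not whitelisted: HTML-encode it so the browser renders it as text
            self.out.append(html.escape(self.get_starttag_text()))
            return
        allowed = self.attrs.get(":all", set()) | self.attrs.get(tag, set())  # ":all" applies to every tag
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in allowed:  # attribute not whitelisted for this tag: drop it
                continue
            # attribute with a protocol rule: drop it unless its scheme is listed (scheme-less values are kept; assumption)
            if (tag, name) in self.protos and ":" in value and value.split(":", 1)[0].lower() not in self.protos[tag, name]:
                continue
            kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{close}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, " /")  # keep <img ... /> self-closing, as in the page's examples
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in self.tags else html.escape(f"</{tag}>"))
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-encode text so decoded entities stay inert
def sanitize(fragment, xml_text=WHITELIST_XML):
    s = WhitelistSanitizer(load_whitelist(xml_text))
    s.feed(fragment)
    s.close()
    return "".join(s.out)
```

Running sanitize on the page's ftp example yields `<img />`, while an `<a>` with an unlisted target attribute keeps only href and class.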