REST API output sanitization removes or encodes data returned by requests, thus reducing security risks. Output sanitization is enabled by default. You can disable it or configure the feature using site parameters.

You can configure HTML sanitization for the values of fields of various collections in the project customization interface. You can select:

• Do nothing - return the value as it is stored in the database.
• Text encoding - values are HTML encoded. Used especially with text fields.
• HTML sanitization - value is sanitized according to a predefined whitelist.

For more information about site-level and field-level configuration, search for "sanitization" in the Application Lifecycle Management Administrator Guide.

Data to be sanitized must be inside the <html> and <body> tags of a valid HTML document. Otherwise, a tag might be sanitized even though it is allowed by the whitelist.

If data cannot be stored as a valid HTML document, you can prevent unwanted sanitizing by configuring the specific field for no sanitation. Consider the security implications before doing this.

HTML Sanitization

There is a default HTML sanitization whitelist. You can override the defaults by configuring HTML sanitization at the level of protocols, tags, and attributes using a custom HTML sanitizer whitelist. See Output Sanitization Whitelist.

The tags and attributes specified in the whitelist are returned without change.

Tags that are not in the whitelist are HTML encoded. For example, if tag <abc> is in the field value, but tag abc is not in the whitelist, the returned value is <abc>.

Attributes not in the whitelist are removed, even if they are attributes of a tag that is in the whitelist. For example:
The field value contains <img src="http://mypage.com/1.jpg" onClick="alert('a');" />. The img tag and the src attribute of img are in the whitelist, but the onClick attribute is not. onClick is stripped and the return value is <img src="http://mypage.com/1.jpg" />.

Attributes that reference a protocol that is not in the whitelist are removed, even if the attributes and tag are in the whitelist. For example:
The field value contains <img src="ftp://mypage.com/1.jpg" />. The img tag and the src attribute of img are in the whitelist, but the ftp protocol is not. src is stripped and the return value is <img />.

The default whitelist allows <img src=””…/> in the http and https protocols. For more strict sanitization, provide a custom whitelist.