Configuring User Generated Text Filtering
The action classes used to create user-generated content filter the values of the content fields before they are saved.
For a normal text field, the special characters used to define HTML markup, such as &, <, >, are converted into entities and then saved to the database. Rich text fields are handled differently: they are cleaned with the JTidy library, which converts the rich text field value into well-formed XHTML. It is also possible not to use JTidy for cleaning; in that case only &, <, > are converted into entities. To configure VCE to use this basic cleaning, copy
$VCE_HOME/misc/siteconfig/com/escenic/community/RichTextFieldCleaner.properties
to your local config and modify the following:
tidyEnabled=false
Rich text field values are also checked for unwanted HTML tags and attributes, to protect against XSS (cross-site scripting) vulnerabilities. This way a user cannot insert JavaScript code or a <form> tag. By default, the following tags and attributes are configured for filtering:
filterElements=script,form,iframe
filterAttributes=onload,onunload,onchange,onsubmit,onreset,onselect,onblur,onfocus,onkeydown,onkeypress,\
onkeyup,onclick,ondblclick,onmousedown,onmousemove,onmouseover,onmouseout,onmouseup
You can change the values of filterElements and filterAttributes in com/escenic/community/RichTextFieldCleaner.properties in your local config. You can also disable filtering of tags and attributes by setting the filterEnabled property to false.
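The following is an added, stand-alone illustration of the two behaviours described on this page: the basic cleaning applied when tidyEnabled=false (only &, < and > become entities) and the element/attribute filtering controlled by filterElements, filterAttributes and filterEnabled. It is not VCE's RichTextFieldCleaner code and does not call any Escenic API; it re-implements the same denylist logic in Python on a constructed sample value, using the default lists quoted above, so you can see what survives the filter for a given input.

```python
import html
from html.parser import HTMLParser

# Default values as listed in RichTextFieldCleaner.properties on this page.
FILTER_ELEMENTS = {"script", "form", "iframe"}
FILTER_ATTRIBUTES = {
    "onload", "onunload", "onchange", "onsubmit", "onreset", "onselect",
    "onblur", "onfocus", "onkeydown", "onkeypress", "onkeyup", "onclick",
    "ondblclick", "onmousedown", "onmousemove", "onmouseover", "onmouseout",
    "onmouseup",
}


def basic_clean(value: str) -> str:
    """Cleaning used for normal text fields and, with tidyEnabled=false,
    for rich text fields: only &, < and > are turned into entities."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


class ElementAttributeFilter(HTMLParser):
    """Illustrative denylist filter (not the VCE implementation): drops the
    configured elements together with their content, drops the configured
    attributes, and re-serialises everything else with text re-escaped.
    Comments and doctype declarations are simply discarded."""

    def __init__(self, elements=FILTER_ELEMENTS, attributes=FILTER_ATTRIBUTES):
        super().__init__(convert_charrefs=True)
        self.elements = {e.lower() for e in elements}
        self.attributes = {a.lower() for a in attributes}
        self.out = []
        self.skip_depth = 0  # > 0 while inside a filtered element

    def handle_starttag(self, tag, attrs):
        if tag in self.elements:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            if name in self.attributes:
                continue  # e.g. onclick is dropped, class is kept
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <br/>; keep it as XHTML-style "<br />".
        if tag in self.elements or self.skip_depth:
            return
        self.handle_starttag(tag, attrs)
        self.out[-1] = self.out[-1][:-1] + " />"

    def handle_endtag(self, tag):
        if tag in self.elements:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so the output carries entities, not raw markup.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def filter_rich_text(value: str, elements=FILTER_ELEMENTS,
                     attributes=FILTER_ATTRIBUTES, enabled=True) -> str:
    """Mirror of the three properties: filterEnabled=false returns the value
    untouched; otherwise the element and attribute lists are applied."""
    if not enabled:
        return value
    parser = ElementAttributeFilter(elements, attributes)
    parser.feed(value)
    parser.close()
    return parser.result()


# Constructed sample value: a harmless event handler, an inline script and a
# form, alongside markup that the default configuration is meant to keep.
SAMPLE = ('<p onclick="doSomething()" class="note">Hello &amp; <b>world</b></p>'
          '<script>window.x = 1</script><form action="/x"><input name="a"></form><br/>')

if __name__ == "__main__":
    print(filter_rich_text(SAMPLE))
    # <p class="note">Hello &amp; <b>world</b></p><br />
    print(basic_clean("<b>a & b</b>"))
    # &lt;b&gt;a &amp; b&lt;/b&gt;
```

Note that this is a denylist in both the example and the properties file: any element or attribute not named in filterElements or filterAttributes is passed through unchanged, so extend those lists to match what your site actually needs to accept, and treat filterEnabled=false as removing this protection entirely.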