Configuring User Generated Text Filtering

The action classes used to generate user content filter the values of the content fields. For a normal text field, the special characters that define HTML markup, such as &, < and >, are converted into entities before the value is saved to the database. Rich text fields are handled differently: they are cleaned with the JTidy library, which converts the rich text field value into well-formed XHTML. It is also possible not to use JTidy for cleaning; in that case only &, < and > are converted into entities. To configure VCE to use this basic cleaning, copy $VCE_HOME/misc/siteconfig/com/escenic/community/RichTextFieldCleaner.properties to your local configuration and modify the following:

tidyEnabled=false

The rich text field value is also scanned for unwanted HTML tags and attributes, to guard against XSS (cross-site scripting) vulnerabilities. This way a user cannot insert JavaScript code or a <form> tag. By default, the following tags and attributes are configured for filtering:

filterElements=script,form,iframe
filterAttributes=onload,onunload,onchange,onsubmit,onreset,onselect,onblur,onfocus,onkeydown,onkeypress,\
    onkeyup,onclick,ondblclick,onmousedown,onmousemove,onmouseover,onmouseout,onmouseup

You can change the values of filterElements and filterAttributes in com/escenic/community/RichTextFieldCleaner.properties in your local configuration. You can also disable the filtering of tags and attributes altogether by setting the filterEnabled property to false.
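As an added illustration, not code from VCE itself, the following Python reads a properties fragment in the layout shown above (including the backslash continuation) and applies the filterElements and filterAttributes lists to a rich-text value, honouring filterEnabled. Dropping a filtered element together with its content is an assumption about the real cleaner, and JTidy's well-formedness pass is not reproduced.

```python
import html, re
from html.parser import HTMLParser

# Constructed sample in the layout of RichTextFieldCleaner.properties, using the defaults quoted above.
SAMPLE_PROPERTIES = r"""
filterElements=script,form,iframe
filterAttributes=onload,onunload,onchange,onsubmit,onreset,onselect,onblur,onfocus,onkeydown,onkeypress,\
    onkeyup,onclick,ondblclick,onmousedown,onmousemove,onmouseover,onmouseout,onmouseup
"""

def load_properties(text):
    """Minimal Java .properties reader: a trailing backslash continues the value on the next line."""
    props = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props
def as_set(value):  # "a,b, c" -> {"a", "b", "c"}; lowercase because HTMLParser lowercases names
    return {item.strip().lower() for item in value.split(",") if item.strip()}
class TagFilter(HTMLParser):
    """Re-emits markup minus the listed elements (with their content, an assumption) and attributes."""
    def __init__(self, elements, attributes):
        super().__init__()
        self.elements, self.attributes, self.out, self.depth = elements, attributes, [], 0
    def _open(self, tag, attrs):
        kept = "".join(f' {k}="{html.escape(v or "")}"' for k, v in attrs if k not in self.attributes)
        return f"<{tag}{kept}"
    def handle_starttag(self, tag, attrs):
        if tag in self.elements:
            self.depth += 1            # suppress all output until the matching end tag
        elif not self.depth:
            self.out.append(self._open(tag, attrs) + ">")
    def handle_startendtag(self, tag, attrs):
        if tag not in self.elements and not self.depth:
            self.out.append(self._open(tag, attrs) + "/>")
    def handle_endtag(self, tag):
        if tag in self.elements:
            self.depth = max(0, self.depth - 1)
        elif not self.depth:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.depth:
            self.out.append(html.escape(data, quote=False))   # text is re-escaped on output

def clean_rich_text(value, props):
    """Apply the filterElements/filterAttributes stage; filterEnabled=false switches it off."""
    if props.get("filterEnabled", "true").strip().lower() == "false":
        return value
    f = TagFilter(as_set(props.get("filterElements", "")), as_set(props.get("filterAttributes", "")))
    f.feed(value); f.close()
    return "".join(f.out)
```

Because both lists are matched purely by name, any tag or attribute not on them passes through untouched, so review filterAttributes against every event-handler attribute your templates must not accept. With the sample configuration, clean_rich_text('<p class="note" onclick="go()">Hi &amp; <b>bold</b></p><script>var x = 1;</script><br/>done', props) returns '<p class="note">Hi &amp; <b>bold</b></p><br/>done'.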