40.10 Vibe Sanitizes HTML to Prevent Security Risks

Vibe 4.0.2 and later uses the OWASP HTML Sanitizer to allow or remove HTML elements, attributes, and CSS Style properties that OpenText regards as safe or unsafe, as explained in the following sections:

40.10.1 HTML Elements

The following HTML Elements are considered safe.

  • a
  • abbr
  • area
  • b
  • big
  • blockquote
  • br
  • caption
  • center
  • cite
  • code
  • dd
  • del
  • dfn
  • dir
  • div
  • dl
  • dt
  • em
  • figcaption
  • figure
  • font
  • h1
  • h2
  • h3
  • h4
  • h5
  • h6
  • hr
  • i
  • img
  • input
  • ins
  • kbd
  • li
  • map
  • o
  • ol
  • p
  • pre
  • q
  • s
  • samp
  • small
  • span
  • strike
  • strong
  • sub
  • sup
  • table
  • tbody
  • td
  • textarea
  • tfoot
  • th
  • thead
  • tr
  • tt
  • u
  • ul
  • var

You can configure your Vibe site to regard additional HTML elements as safe by doing the following:

  1. Using a text editor, add the following parameter with the elements you are adding, to the ssf-ext.properties file.

    html.safe.elements=Element1,Element2,Element3

  2. After adding or modifying the file, you must restart Apache Tomcat for your configuration changes to take effect.

IMPORTANT:Additions to the default OWASP HTML Sanitizer settings are not supported and are regarded as unsafe by OpenText Support.

If you want OpenText to consider supporting your additions in a future Vibe release, you must submit them for consideration to OpenText via Customer Care.

40.10.2 HTML Element Attributes

The following HTML Element Attributes are considered safe by default

  • abbr
  • acronym
  • align
  • alt
  • axis
  • bgcolor
  • border
  • cellpadding
  • cellspacing
  • char
  • charoff
  • class
  • color
  • colspan
  • compact
  • coords
  • dir
  • face
  • frame
  • haling
  • headers
  • height
  • href (on area elements)
  • hspace
  • id
  • lang
  • longdesc
  • name
  • nowrap
  • rel
  • rowspan
  • rules
  • scope
  • size
  • sortable
  • sorted
  • style
  • summary
  • target
  • title
  • type
  • usemap
  • valign
  • vspace
  • width

You can configure your Vibe site to regard additional HTML attributes as safe by doing the following:

  1. Using a text editor, add the following parameter with the attributes you are adding, to the ssf-ext.properties file.

    html.safe.attributes=Attribute1,Attribute2,Attribute3

  2. After adding or modifying the file, you must restart Apache Tomcat for your configuration changes to take effect.

IMPORTANT:Additions to the default OWASP HTML Sanitizer settings are not supported and are regarded as unsafe by OpenText Support.

If you want OpenText to consider supporting your additions in a future Vibe release, you must submit them for consideration to OpenText via Customer Care.

40.10.3 Conditional HTML Element Attributes

Vibe limits the following HTML elements as indicated.

href

  • Allowed on <a/> tags

  • Allowed URL protocols are http, https and mailto

src

  • Allowed on <img/> tags

  • Allowed URL protocols are http, https, mailto and data

  • For embedded images, allowed mime-types are:

    • data:image/jpeg;

    • data:image/png;

    • data:image/gif;

40.10.4 CSS Style Properties

The following is a list of CSS style properties in style attributes are considered safe.

  • -moz-border-radius
  • -moz-border-radius-bottomleft
  • -moz-border-radius-bottomright
  • -moz-border-radius-topleft
  • -moz-border-radius-topright
  • -moz-box-shadow
  • -moz-outline
  • -moz-outline-color
  • -moz-outline-style
  • -moz-outline-width
  • -o-text-overflow
  • -webkit-border-bottom-left-radius
  • -webkit-border-bottom-right-radius
  • -webkit-border-radius
  • -webkit-border-radius-bottom-left
  • -webkit-border-radius-bottom-right
  • -webkit-border-radius-top-left
  • -webkit-border-radius-top-right
  • -webkit-border-top-left-radius
  • -webkit-border-top-right-radius
  • -webkit-box-shadow
  • azimuth
  • background
  • background-attachment
  • background-color
  • background-image
  • background-position
  • background-repeat
  • border
  • border-bottom
  • border-bottom-color
  • border-bottom-left-radius
  • border-bottom-right-radius
  • border-bottom-style
  • border-bottom-width
  • border-collapse
  • border-color
  • border-left
  • border-left-color
  • border-left-style
  • border-left-width
  • border-radius
  • border-right
  • border-right-color
  • border-right-style
  • border-right-width
  • border-spacing
  • border-style
  • border-top
  • border-top-color
  • border-top-left-radius
  • border-top-right-radius
  • border-top-style
  • border-top-width
  • border-width
  • box-shadow
  • caption-side
  • color
  • cue
  • cue-after
  • cue-before
  • direction
  • display
  • elevation
  • empty-cells
  • float
  • font
  • font-family
  • font-size
  • font-stretch
  • font-style
  • font-variant
  • font-weight
  • height
  • image()
  • letter-spacing
  • line-height
  • linear-gradient()
  • list-style
  • list-style-image
  • list-style-position
  • list-style-type
  • margin
  • margin-bottom
  • margin-left
  • margin-right
  • margin-top
  • max-height
  • max-width
  • min-height
  • min-width
  • outline
  • outline-color
  • outline-style
  • outline-width
  • padding
  • padding-bottom
  • padding-left
  • padding-right
  • padding-top
  • pause
  • pause-after
  • pause-before
  • pitch
  • pitch-range
  • quotes
  • radial-gradient()
  • rect()
  • repeating-linear-gradient()
  • repeating-radial-gradient()
  • rgb()
  • rgba()
  • richness
  • speak
  • speak-header
  • speak-numeral
  • speak-punctuation
  • speech-rate
  • stress
  • table-layout
  • text-align"
  • text-decoration
  • text-indent
  • text-overflow
  • text-shadow
  • text-transform
  • text-wrap
  • unicode-bidi
  • vertical-align
  • voice-family
  • volume
  • white-space
  • width
  • word-spacing
  • word-wrap
  • z-index

You can configure your Vibe site to regard additional CSS Style Properties as safe by doing the following:

  1. Using a text editor, add the following parameter with the properties you are adding, to the ssf-ext.properties file.

    css.safe.properties=Property1,Property2,Property3

  2. After adding or modifying the file, you must restart Apache Tomcat for your configuration changes to take effect.

IMPORTANT:Additions to the default OWASP HTML Sanitizer settings are not supported and are regarded as unsafe by OpenText Support.

If you want OpenText to consider supporting your additions in a future Vibe release, you must submit them for consideration to OpenText via Customer Care.