40.10 Vibe Sanitizes HTML to Prevent Security Risks

Vibe 4.0.2 and later uses the OWASP HTML Sanitizer to allow or remove HTML elements, attributes, and CSS Style properties that OpenText regards as safe or unsafe, as explained in the following sections:

40.10.1 HTML Elements

The following HTML Elements are considered safe.

a
abbr
area
b
big
blockquote
br
caption
center
cite
code
dd
del

dfn
dir
div
dl
dt
em
figcaption
figure
font
h1
h2
h3

h4
h5
h6
hr
i
img
input
ins
kbd
li
map
o

ol
p
pre
q
s
samp
small
span
strike
strong
sub
sup

table
tbody
td
textarea
tfoot
th
thead
tr
tt
u
ul
var

You can configure your Vibe site to regard additional HTML elements as safe by doing the following:

Using a text editor, add the following parameter with the elements you are adding, to the ssf-ext.properties file.

html.safe.elements=Element1,Element2,Element3
After adding or modifying the file, you must restart Apache Tomcat for your configuration changes to take effect.

IMPORTANT:Additions to the default OWASP HTML Sanitizer settings are not supported and are regarded as unsafe by OpenText Support.

If you want OpenText to consider supporting your additions in a future Vibe release, you must submit them for consideration to OpenText via Customer Care.

40.10.2 HTML Element Attributes

The following HTML Element Attributes are considered safe by default

abbr
acronym
align
alt
axis
bgcolor
border
cellpadding
cellspacing
char
charoff
class
color
colspan

compact
coords
dir
face
frame
haling
headers
height
href (on area elements)
hspace
id
lang
longdesc
name
nowrap
rel

rowspan
rules
scope
size
sortable
sorted
style
summary
target
title
type
usemap
valign
vspace
width

You can configure your Vibe site to regard additional HTML attributes as safe by doing the following:

Using a text editor, add the following parameter with the attributes you are adding, to the ssf-ext.properties file.

html.safe.attributes=Attribute1,Attribute2,Attribute3
After adding or modifying the file, you must restart Apache Tomcat for your configuration changes to take effect.

IMPORTANT:Additions to the default OWASP HTML Sanitizer settings are not supported and are regarded as unsafe by OpenText Support.

If you want OpenText to consider supporting your additions in a future Vibe release, you must submit them for consideration to OpenText via Customer Care.

40.10.3 Conditional HTML Element Attributes

Vibe limits the following HTML elements as indicated.

href

Allowed on <a/> tags
Allowed URL protocols are http, https and mailto

src

Allowed on <img/> tags
Allowed URL protocols are http, https, mailto and data
For embedded images, allowed mime-types are:
- data:image/jpeg;
- data:image/png;
- data:image/gif;

40.10.4 CSS Style Properties

The following is a list of CSS style properties in style attributes are considered safe.

-moz-border-radius
-moz-border-radius-bottomleft
-moz-border-radius-bottomright
-moz-border-radius-topleft
-moz-border-radius-topright
-moz-box-shadow
-moz-outline
-moz-outline-color
-moz-outline-style
-moz-outline-width
-o-text-overflow
-webkit-border-bottom-left-radius
-webkit-border-bottom-right-radius
-webkit-border-radius
-webkit-border-radius-bottom-left
-webkit-border-radius-bottom-right
-webkit-border-radius-top-left
-webkit-border-radius-top-right
-webkit-border-top-left-radius
-webkit-border-top-right-radius
-webkit-box-shadow
azimuth
background
background-attachment
background-color
background-image
background-position
background-repeat
border
border-bottom
border-bottom-color
border-bottom-left-radius
border-bottom-right-radius
border-bottom-style
border-bottom-width
border-collapse
border-color
border-left
border-left-color
border-left-style
border-left-width
border-radius
border-right
border-right-color
border-right-style
border-right-width

border-spacing
border-style
border-top
border-top-color
border-top-left-radius
border-top-right-radius
border-top-style
border-top-width
border-width
box-shadow
caption-side
color
cue
cue-after
cue-before
direction
display
elevation
empty-cells
float
font
font-family
font-size
font-stretch
font-style
font-variant
font-weight
height
image()
letter-spacing
line-height
linear-gradient()
list-style
list-style-image
list-style-position
list-style-type
margin
margin-bottom
margin-left
margin-right
margin-top
max-height
max-width
min-height
min-width

outline
outline-color
outline-style
outline-width
padding
padding-bottom
padding-left
padding-right
padding-top
pause
pause-after
pause-before
pitch
pitch-range
quotes
radial-gradient()
rect()
repeating-linear-gradient()
repeating-radial-gradient()
rgb()
rgba()
richness
speak
speak-header
speak-numeral
speak-punctuation
speech-rate
stress
table-layout
text-align"
text-decoration
text-indent
text-overflow
text-shadow
text-transform
text-wrap
unicode-bidi
vertical-align
voice-family
volume
white-space
width
word-spacing
word-wrap
z-index

You can configure your Vibe site to regard additional CSS Style Properties as safe by doing the following:

Using a text editor, add the following parameter with the properties you are adding, to the ssf-ext.properties file.

css.safe.properties=Property1,Property2,Property3
After adding or modifying the file, you must restart Apache Tomcat for your configuration changes to take effect.

IMPORTANT:Additions to the default OWASP HTML Sanitizer settings are not supported and are regarded as unsafe by OpenText Support.

If you want OpenText to consider supporting your additions in a future Vibe release, you must submit them for consideration to OpenText via Customer Care.