IBM Support

Usage of the webclient.richtext.sanitize property

Technical Blog Post


Abstract

Usage of the webclient.richtext.sanitize property

Body

Hello All,


In Maximo 7.6.0.3, a System Property called webclient.richtext.sanitize was added to address a cross-site scripting vulnerability. The property enables a filter through which the rich text sanitizer applies a security policy defined in the sanitizePolicy.xml file stored in the properties folder. This filter helps ensure that users don't supply malicious code in the HTML they submit for their profile, comments, and other fields that are persisted on the server. When the property is enabled (set to 1, which is the default), the cross-site scripting vulnerability is prevented, but users may also experience other issues, including the ones below:

HTML Tags in Communication Templates Being Removed

Images not displayed in long description fields

Parentheses in URL translating to %28 and %29

Long Description loses line breaks (formatting)

So for many clients who had the webclient.richtext.sanitize property set to 1 and were experiencing one of the issues above, the simple solution was to set the property to 0 (turn it off), and the issues went away. If you weren't concerned about the possibility of being vulnerable to cross-site scripting, this solution was fine.

However, users wanted to keep the sanitize property on to prevent possible cross-site scripting attacks, and also wanted their images and HTML to display properly. In response, the Maximo development team implemented a change (August 2016) that allows you to keep the property set to 1 while still avoiding some of these other issues. The resolution was a change to the sanitizePolicy.xml file, which determines what values are allowed. After these changes, images displayed again with webclient.richtext.sanitize turned on. This change was made for version 7.606, and IFIXes were made for 7.509, 7.5.0.10, 7.603, 7.604, and 7.605. The sanitizePolicy.xml file contains a restricted list of HTML tags that are accepted, and it is possible to modify the contents of this file to either allow more content or further restrict what content will be accepted. However, unless you fully understand the possible ramifications of changing the policy file, I would advise you to use the updated version shipped in the latest hotfix versions.
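To make the trade-off concrete, here is an added example (not Maximo's code, and not the format of its sanitizePolicy.xml) of an allow-list sanitizer run under two constructed policies: a restrictive one that strips the image and line break from a long description, and an expanded one that keeps them while still removing script content, event-handler attributes, and unsafe URLs. The policy dictionaries, sanitize function, and sample input are all assumptions made for illustration.

```python
# Added example (not Maximo's code): a minimal allow-list HTML sanitizer.
# The policies below are constructed to illustrate the blog's point; they are
# NOT the format or contents of Maximo's sanitizePolicy.xml.
from html import escape
from html.parser import HTMLParser

# Hypothetical policies: tag -> set of permitted attributes.
RESTRICTIVE_POLICY = {"p": set(), "b": set(), "i": set()}
EXPANDED_POLICY = {**RESTRICTIVE_POLICY, "br": set(), "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")

class AllowListSanitizer(HTMLParser):
    """Keeps only tags and attributes named in the policy; drops the rest."""
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self._skip = policy, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1          # drop the tag and everything inside it
            return
        if tag not in self.policy:
            return                   # unlisted tag removed, its text kept
        kept = []
        for name, value in attrs:
            if name not in self.policy[tag] or value is None:
                continue             # e.g. onerror= is never in the policy
            if name == "src" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue             # rejects javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in self.policy and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize(html, policy):
    s = AllowListSanitizer(policy)
    s.feed(html)
    s.close()
    return "".join(s.out)

# Constructed input resembling a long description with an image and a line break
SAMPLE = ('<p>Pump seal<br><img src="/images/seal.png" onerror="alert(1)">'
          '<script>alert(1)</script></p>')
```

Under RESTRICTIVE_POLICY the sample becomes `<p>Pump seal</p>` (image and line break gone, as in the issues listed above); under EXPANDED_POLICY it becomes `<p>Pump seal<br><img src="/images/seal.png"></p>`, with the script and onerror handler removed in both cases.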


UID

ibm11130337