Customizing Sanitization Settings

IBM® Cúram Social Program Management contains a sanitization library. The library sanitizes data and property values throughout the application to remove HTML markup that is potentially malicious.

About this task

The allowlist, which is installed by default, supports a set of HTML elements and attributes that are deemed safe and, therefore, do not require filtering out. To customize the allowlist, add HTML elements and attributes that are deemed safe, and remove HTML elements and attributes that are deemed potentially malicious.

Note: The Rich Text Editor uses its own separate allowlist. For more information about how to configure the sanitizing of text that is entered through the Rich Text Editor, see the related link, Enabling configuration of a security allowlist for the Rich Text Editor.

The following example outlines the format that entries in the allowlist file must match:

tag=attribute1,attribute2

For example, an allowlist that contains the following entries declares that the a, div, and h1 HTML elements are safe:

a=href
div=
h1=

The allowlist also declares that the href attribute is safe when it is used on an a HTML element. All other HTML elements and attributes are filtered out, so an onclick attribute on an a element, or a script element anywhere in the input, is removed.
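The following added example shows how an allowlist in the `tag=attribute1,attribute2` format above can be parsed and applied. It is illustrative Python written for this page, not the IBM Cúram sanitization library or its actual behaviour; details that the page does not specify, such as keeping the text of a removed element, discarding the text inside script and style elements, and re-escaping text, are assumptions of this example. The allowlist entries and the HTML input are constructed sample data.

```python
# Added example: a minimal allowlist-driven HTML sanitizer.
# NOT the Cúram sanitization library; it only shows how a
# "tag=attr1,attr2" allowlist can be parsed and enforced.
from html import escape
from html.parser import HTMLParser

# Assumptions of this example (not stated on the page):
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # no closing tag emitted
DROP_CONTENT = {"script", "style"}  # text inside these is never kept


def parse_allowlist(text):
    """Parse "tag=attr1,attr2" lines into {tag: set(attrs)}.

    Blank lines and '#' / '!' comment lines (Java .properties convention)
    are skipped. A line with nothing after '=' allows the element with
    no attributes at all.
    """
    allow = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        tag, _, attrs = line.partition("=")
        tag = tag.strip().lower()
        if tag:
            allow[tag] = {a.strip().lower() for a in attrs.split(",") if a.strip()}
    return allow


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted elements and attributes.

    Any element not on the allowlist is dropped but its text is kept
    (re-escaped), except for script/style whose text is discarded.
    Attributes not listed for that element are dropped.
    """

    def __init__(self, allow):
        super().__init__(convert_charrefs=True)
        self.allow = allow
        self.out = []
        self._skipping = None  # name of a script/style element being skipped

    def handle_starttag(self, tag, attrs):
        if tag not in self.allow:
            if tag in DROP_CONTENT:
                self._skipping = tag
            return
        kept = [(k, v) for k, v in attrs if k in self.allow[tag]]
        parts = [tag] + [f'{k}="{escape(v or "", quote=True)}"' for k, v in kept]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self._skipping == tag:
            self._skipping = None
            return
        if tag in self.allow and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return
        # Text was unescaped by the parser; re-escape so it cannot form markup.
        self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(html_text, allow):
    """Return html_text with everything outside the allowlist removed."""
    parser = AllowlistSanitizer(allow)
    parser.feed(html_text)
    parser.close()
    return parser.result()


# Constructed sample data: the allowlist from this page and an input that
# mixes allowed markup with markup the allowlist does not cover.
SAMPLE_ALLOWLIST = "# constructed sample\na=href\ndiv=\nh1=\n"
SAMPLE_INPUT = (
    '<div class="x"><h1>Title</h1>'
    '<a href="/home" onclick="alert(1)">Home</a>'
    '<script>alert(1)</script><b>bold</b> &amp; more</div>'
)


def demo():
    return sanitize(SAMPLE_INPUT, parse_allowlist(SAMPLE_ALLOWLIST))


if __name__ == "__main__":
    print(demo())
```

Running the block prints `<div><h1>Title</h1><a href="/home">Home</a>bold &amp; more</div>`: the class and onclick attributes are gone because they are not listed for div or a, the script element and its contents are removed, and the b element is removed while its text survives. When you customize the allowlist, it is worth running your candidate file through a check like this against representative content, so that an added element or attribute that reintroduces script execution (event-handler attributes, for example) is noticed before the file is published.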

The allowlist of HTML elements and attributes is defined in the default-secure-sanitize-allowlist.properties application resource file. To customize the allowlist, choose one of the options in the following procedure.

Procedure

Choose one of the following options:

  • Customize the allowlist and persist the changes permanently to the database:
    1. Copy the default-secure-sanitize-allowlist.properties file in EJBServer/components/CEFWidgets/data/initial/blob to an equivalent location in a custom EJBServer component.
    2. Modify the copied file, as required.
    3. Update the custom DMX file for the AppResource table and add a row that points to the newly modified default-secure-sanitize-allowlist.properties file.
    4. Build the server and the database.
  • Customize the allowlist through the administration user interface:
    1. Log on as an administrative user.
    2. In the Shortcuts panel, click Intelligent Evidence Gathering > Application Resources.
    3. Search for and download the default-secure-sanitize-allowlist.properties application resource file.
    4. Modify the downloaded file, as required.
    5. Edit the default-secure-sanitize-allowlist.properties application resource file.
    6. Select the modified file as its Content.
    7. To apply the changes, click Publish.