Feedback
Did this article resolve your question/issue?

   

Article

How to extend the Data Processor aka XSS Sanitizer whitelist to further allow html elements

« Go Back

Information

 
TitleHow to extend the Data Processor aka XSS Sanitizer whitelist to further allow html elements
URL NameHow-to-extend-the-Data-Processor-aka-XSS-Sanitizer-whitelist-to-further-allow-html-elements
Article Number000163309
EnvironmentProduct: Sitefinity
Version: 10.1, 10.2, 11.x, 12.x
OS: All supported OS versions
Database: All supported Microsoft SQL Server versions
Question/Problem Description
How to extend the Data Processor aka XSS Sanitizer whitelist to further allow HTML elements?
For example, how to add the iframe HTML element to the XSS Sanitizer whitelist? If the iframe is properly displayed when editing a Content Block, it is not displayed on the frontend page.
What is the difference in extending the HTML Sanitizer in Sitefinity 10.1 and Sitefinity 10.2?
Steps to Reproduce
Clarifying Information
Error Message
Defect Number
Enhancement Number
Cause
Resolution
For Sitefinity 10.2 and above:

Refer to the following official documentation:
https://www.progress.com/documentation/sitefinity-cms/html-sanitization

For Sitefinity 10.1 version:

1. Create a class that will inherit the "XssSanitizerDataProcessor" class. For example, name it "CustomXssSanitizerDataProcessor". The "ISitefinityHtmlSanitizer " property has to be overridden and in there, further elements can be added to extend the XSS Sanitizer whitelist. Paste the code into the root of your project and then rebuild the solution. The custom class looks as the following:
using Telerik.Sitefinity.Data.DataProcessing.Processors;
using Telerik.Sitefinity.Data.DataProcessing.Processors.XssSanitizerHelpers;
using Telerik.Sitefinity.Data.DataProcessing.Processors.XssSanitizerHelpers.Contracts;

namespace SitefinityWebApp
{
    public class CustomXssSanitizerDataProcessor : XssSanitizerDataProcessor
    {
        protected override ISitefinityHtmlSanitizer Sanitizer
        {
            get
            {
                var sanitizer = base.Sanitizer as GanssHtmlSanitizerWrapper;
                if (sanitizer != null)
                {
                    sanitizer.Sanitizer.AllowedTags.Add("iframe");
                }

                return sanitizer;
            }
        }
    }
}
 Review the official HTML Sanitizer Github repository at the link from the Notes section to see the syntax and how you can further whitelist elements(HTML tags, CSS classes, properties, URI schemas etc.)  

2. Register the custom class in Sitefinity backend so that the custom class implementation can be applied. Go to Administration » Settings » Advanced » Data » Data Processors » XSS sanitizer » and change the Type field to:
"SitefinityWebApp.CustomXssSanitizerDataProcessor, SitefinityWebApp"
XSS Sanitizer Backend settings


3. Save changes

4. Restart the project
Workaround
Notes
References to Other Documentation:
Progress Sitefinity Documentation, Global Data Processing https://www.progress.com/documentation/sitefinity-cms/global-data-processing
Progress Sitefinity Documentation, HTML Sanitizer whitelist https://www.progress.com/documentation/sitefinity-cms/html-sanitization
Github Repository, HtmlSanitizer https://github.com/mganss/HtmlSanitizer
Sitefinity 10.2 and above HTML Sanitizer:
Progress Sitefinity Documentation, HTML sanitization https://www.progress.com/documentation/sitefinity-cms/html-sanitization
Last Modified Date7/31/2019 8:31 AM
Attachment 
Files
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.