Managing AntiSamy

An AntiSamy sanitizer is enabled by default in Liferay. This sanitizer prevents malicious JavaScript code from being injected into the system when users use HTML and CSS in various Liferay applications. See AntiSamy to learn more.

To prevent malicious activity, the IT department of Delectable Bonsai decides to forbid JavaScript code from being placed in web content. See this in action below.

Configuring AntiSamy

By default, all JavaScript code is sanitized and prevented from being executed, except in fragments and web content. Which content types are exempt is controlled by the blacklist and whitelist entries in the configuration. Follow the steps below to see this in action.

  1. Publish a basic web content to a site page.

    • Open the Product Menu (Product Menu).
    • Click Web Content under Content & Data.
    • Click Add (Add icon) and select Basic Web Content.
    • Input foo as the title.
    • Click Source (Code icon) to switch to code view.
    • Paste the following JavaScript snippet.
    <script>
    function foo() {
        alert("Hello World!");
    }
    </script>
    <p>Click the button to see the effect.</p>
    <p><button onclick="foo()">Click me</button></p>
    • Click Publish.
    • In the left navigation, click Pages under Site Builder.
    • Click Add (Add icon) to add a new page. Select Page.
    • In the next screen, select the blank template. Input Webcontent as the page name. Click Add.
    • In the left navigation, select Widgets under the fragments and widgets tab.
    • Find the web content display widget under content management. Drag it onto the page.
    • Click Options (Options icon) on the widget and click Configuration.
    • In the pop-up window, select the foo web content you just created. Click Save.
    • Finally, click Publish.
  2. See the script in action.

    • Navigate to the site page you created (e.g., http://localhost:8080/webcontent).
    • Click the Click me button. See the JavaScript alert box pop up.

    The alert box pops up after clicking the button.

  3. Apply AntiSamy to web content.

    • Navigate to Global Menu (Global Menu) → Control Panel → System Settings.
    • Click Security Tools under the security section.
    • In the left navigation, click AntiSamy Sanitizer.
    • Remove the com.liferay.journal.model.JournalArticle whitelist entry by clicking the minus button.
    • Click Save.
  4. See the sanitizer take effect.

    • Open the Product Menu (Product Menu).
    • Click Web Content under Content & Data.
    • Click the foo web content you created previously.
    • Click Source (Code icon) to switch to code view.
    • Make a small change to the content. For example, change the Hello World! to Hello Foo!.
    • Click Publish.
    • Click back into the web content. See that the JavaScript code has been removed and the content has been sanitized.

    The web content is sanitized by AntiSamy.
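The whitelist behaviour the procedure above exercises, as an added Python illustration (this is not Liferay or AntiSamy code): content whose model class is on the whitelist passes through untouched, while everything else has its <script> elements and on* event-handler attributes removed. The whitelist set and the sanitize function are assumptions modelled on the setting; the input is the tutorial's own snippet.

```python
from html import escape
from html.parser import HTMLParser

# Constructed input: the snippet the tutorial pastes into the web content source view.
WEB_CONTENT = (
    '<script>function foo() { alert("Hello World!"); }</script>'
    '<p>Click the button to see the effect.</p>'
    '<p><button onclick="foo()">Click me</button></p>'
)

# Hypothetical allowlist mirroring the default setting: model classes listed here
# bypass the sanitizer. JournalArticle is web content; removing it enables sanitizing.
DEFAULT_WHITELIST = {"com.liferay.journal.model.JournalArticle"}


class _ScriptStripper(HTMLParser):
    """Drops <script> elements and on* attributes; re-emits everything else verbatim."""

    def __init__(self):
        # convert_charrefs=False so entities are re-emitted, not unescaped into markup.
        super().__init__(convert_charrefs=False)
        self.out, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        kept = [(k, v) for k, v in attrs if not k.lower().startswith("on")]
        text = "".join(f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
                       for k, v in kept)
        self.out.append(f"<{tag}{text}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.in_script:
            self.out.append(f"&#{name};")


def sanitize(html, model_class, whitelist=DEFAULT_WHITELIST):
    """Return html unchanged if model_class is whitelisted, otherwise strip scripts."""
    if model_class in whitelist:
        return html
    parser = _ScriptStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```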

Congratulations on completing this security module.

Relevant Concepts