Managing AntiSamy
An AntiSamy sanitizer is enabled by default in Liferay. It strips script elements, event-handler attributes, and other active content from the HTML and CSS that users enter in Liferay applications, so that user-supplied markup cannot run JavaScript in other users' browsers. See AntiSamy to learn more.
To prevent malicious activity, the IT department of Clarity Vision Solutions decides to forbid JavaScript code from being placed in web content. See this in action below.
Configuring AntiSamy
By default, AntiSamy sanitizes user-supplied HTML everywhere except for content types on its whitelist, which out of the box includes fragments and web content (journal articles). Which content is skipped and which is forced through the sanitizer is controlled by the whitelist and blacklist in the configuration. Because web content is whitelisted, anyone who can publish a web content article can ship working JavaScript to every visitor of the page that displays it. Follow the steps below to see this in action.
1. Publish a basic web content to a site page.
- Open the Product Menu ().
- Click Web Content under Content & Data.
- Click Add () and select Basic Web Content.
- Input foo as the title.
- Click Source () to switch to code view.
- Paste the following JavaScript snippet.
```html
<script> function foo() { alert("Hello World!"); } </script>
<p>Click the button to see the effect.</p>
<p><button onclick="foo()">Click me</button></p>
```
- Click Publish.
- In the left navigation, click Pages under Site Builder.
- Click Add () to add a new page. Select Page.
- In the next screen, select the blank template. Input Webcontent as the page name. Click Add.
- In the left navigation, select Widgets under the Fragments and Widgets tab.
- Find the web content display widget under content management. Drag it onto the page.
- Click Options () on the widget and click Configuration.
- In the pop-up window, select the foo web content you just created. Click Save.
- Finally, click Publish.
2. See the script in action.
- Navigate to the site page you created (i.e., http://localhost:8080/webcontent).
- Click the Click me button. See the JavaScript alert box pop up.
3. Apply AntiSamy to web content.
- Navigate to Global Menu () → Control Panel → System Settings.
- Click Security Tools under the security section.
- In the left navigation, click AntiSamy Sanitizer.
- Remove the com.liferay.journal.model.JournalArticle whitelist entry by clicking the minus button.
- Click Save.
4. See the sanitizer take effect.
- Open the Product Menu ().
- Click Web Content under Content & Data.
- Click the foo web content you created previously.
- Click Source () to switch to code view.
- Make a small change to the content. For example, change Hello World! to Hello Foo!
- Click Publish.
- Click back into the web content. See that the JavaScript code has been removed and the content has been sanitized. Note that the sanitizer runs when content is saved, so articles published before the whitelist change keep their scripts until they are published again; that is why the small edit above is needed.
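To see what the sanitizer does to the snippet without clicking through the portal, here is an added example, written for this page and not code from Liferay or the AntiSamy project, that runs OWASP AntiSamy (the library Liferay's sanitizer is built on) over the same markup. It assumes the antisamy jar is on the classpath and that the policy XML path (`antisamy.xml` below, a hypothetical location) points at a policy file you supply, such as the one shipped with the library; the `sanitize` and `containsActiveContent` helpers are this example's own.

```java
// Added example (not Liferay or AntiSamy project code): run OWASP AntiSamy
// over the tutorial's snippet and inspect what the policy removes.
// Assumptions: the antisamy jar is on the classpath, and POLICY_FILE points
// at a policy XML such as the antisamy.xml shipped with the library.
import java.io.File;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyDemo {

    // Hypothetical path; point this at the policy XML you actually use.
    private static final String POLICY_FILE = "antisamy.xml";

    // The same markup the tutorial pastes into the web content editor.
    private static final String DIRTY_HTML =
        "<script> function foo() { alert(\"Hello World!\"); } </script>"
        + "<p>Click the button to see the effect.</p>"
        + "<p><button onclick=\"foo()\">Click me</button></p>";

    /** Runs the policy over the markup; the result carries the clean HTML and a list of removals. */
    public static CleanResults sanitize(String html, Policy policy)
            throws ScanException, PolicyException {
        AntiSamy antiSamy = new AntiSamy();
        return antiSamy.scan(html, policy);
    }

    /** Cheap post-check: does the cleaned markup still carry a script or inline handler? */
    public static boolean containsActiveContent(String cleanHtml) {
        String lower = cleanHtml.toLowerCase();
        return lower.contains("<script")
            || lower.contains("onclick=")
            || lower.contains("javascript:");
    }

    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance(new File(POLICY_FILE));
        CleanResults results = sanitize(DIRTY_HTML, policy);

        System.out.println("Clean HTML: " + results.getCleanHTML());
        System.out.println("Removed or changed items: " + results.getNumberOfErrors());
        for (String message : results.getErrorMessages()) {
            System.out.println("  - " + message);
        }

        // With a policy that allows neither <script> nor event-handler attributes
        // (true of the stock antisamy.xml), the script block and the onclick
        // handler are gone; whether the <button> element itself survives depends
        // on the policy's handling of tags it does not list.
        if (containsActiveContent(results.getCleanHTML())) {
            throw new IllegalStateException("policy still lets active content through");
        }
    }
}
```

Running this against the policy you deploy with Liferay is a quick way to confirm that a whitelist change actually blocks the payload you care about before you rely on it. For a change you intend to keep, the Export action on the AntiSamy Sanitizer entry in System Settings writes the same settings to an OSGi .config file that can be reviewed, version-controlled, and deployed to osgi/configs rather than reproduced by hand in the UI.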
Congratulations on completing this security module.