Iframe Sanitizer

Liferay DXP 2025.Q4+

Liferay DXP includes an iframe sanitizer that controls how iframes are handled in each instance. An iframe embeds content from another origin, which becomes a security risk when that content comes from an untrusted domain. With this sanitizer, administrators define which iframes are allowed, in which content types, and under what conditions.

The configuration applies at the instance level, so you can customize the sanitizer per instance and domain.

Configuring the Iframe Sanitizer

By default, the iframe sanitizer removes <iframe> tags from most user-submitted content to prevent unsafe embeds, but allows them in trusted content types such as web content (JournalArticle) and fragments (FragmentEntry).

You can adjust this behavior using the whitelist and blacklist settings. The whitelist defines where iframes are allowed, and the blacklist defines where they are always removed. Configure these lists according to your trust model. For example, you can allow embeds in editorial content and block them in user-generated areas such as message boards or wikis.

When iframes are allowed, you can control what the embedded content may do with the Sandbox Attribute Values field. This field lists the HTML sandbox flags the sanitizer applies to each allowed iframe, such as allow-scripts, allow-forms, or allow-same-origin. Leaving it blank applies an empty sandbox attribute, which blocks scripts, forms, and navigation inside the frame and is the most restrictive setting. Add only the flags an embed actually needs, and do not combine allow-scripts with allow-same-origin: framed content that has both can remove its own sandbox attribute, so that pair provides no isolation. The sandbox restricts what a frame can do once loaded; which domains and content types may carry iframes at all is governed by the whitelist and blacklist. See Mozilla's iframe sandbox reference for the full list of flags.
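The following Python model shows how the five options on this page combine into a per-iframe decision: the blacklist always wins, the whitelist decides what remains, and every surviving iframe gets the configured sandbox value (an empty sandbox attribute when the field is blank). It is an added illustration, not Liferay's implementation. Assumptions that the page does not state: list entries are matched either as a simple asset class name (JournalArticle, FragmentEntry, MBMessage) or as a domain including its subdomains; the default whitelist holds the two trusted types named above and an empty whitelist allows nothing; and the sanitizer overwrites any sandbox attribute the author supplied. The sample content is constructed.

```python
"""Policy model of the iframe sanitizer. Added illustration, not Liferay's code;
the entry-matching rules and the default whitelist below are assumptions."""
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

@dataclass(frozen=True)
class IframeSanitizerConfig:
    """One field per option on the Iframe Sanitizer settings page."""
    enabled: bool = True
    remove_iframe_tags: bool = False
    sandbox_attribute_values: tuple = ()  # blank => sandbox="" (fully sandboxed)
    blacklist: tuple = ()                 # asset class names or domains
    whitelist: tuple = ("JournalArticle", "FragmentEntry")  # assumed default

def _entry_matches(entry, asset_class, host):
    """Assumed rule: exact asset class name, or a domain including its subdomains."""
    if entry == asset_class:
        return True
    if host is None:  # no src, or a src without a host (javascript:, data:, about:)
        return False
    return host == entry.lower() or host.endswith("." + entry.lower())

def iframe_allowed(config, asset_class, src):
    """Decide whether one iframe may stay in content of the given asset class."""
    if not config.enabled:
        return True
    if config.remove_iframe_tags:
        return False
    host = urlparse(src).hostname if src else None
    if any(_entry_matches(e, asset_class, host) for e in config.blacklist):
        return False  # blacklist always wins
    return any(_entry_matches(e, asset_class, host) for e in config.whitelist)

def sandbox_is_escapable(values):
    """allow-scripts + allow-same-origin lets the frame remove its own sandbox."""
    return "allow-scripts" in values and "allow-same-origin" in values

def _render_start(tag, attrs):
    parts = [f"<{tag}"]
    for name, value in attrs.items():
        parts.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
    return "".join(parts) + ">"

class _Rewriter(HTMLParser):
    """Re-emits the input, dropping or re-sandboxing <iframe> elements."""

    def __init__(self, config, asset_class):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.config, self.asset_class = config, asset_class
        self.out, self.removed, self.dropping = [], 0, 0  # dropping = nesting depth

    def _emit(self, text):
        if not self.dropping:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            self.dropping += 1 if tag == "iframe" else 0
            return
        if tag != "iframe" or not self.config.enabled:
            self.out.append(self.get_starttag_text())
            return
        attrs = dict(attrs)
        if not iframe_allowed(self.config, self.asset_class, attrs.get("src")):
            self.dropping, self.removed = 1, self.removed + 1
            return
        # Allowed: the configured sandbox replaces whatever the author supplied.
        attrs["sandbox"] = " ".join(self.config.sandbox_attribute_values)
        self.out.append(_render_start(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag == "iframe":
            super().handle_startendtag(tag, attrs)  # start + end, like <iframe></iframe>
        else:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if not self.dropping:
            self.out.append(f"</{tag}>")
        elif tag == "iframe":
            self.dropping -= 1

    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")

def sanitize(content, config, asset_class):
    """Return (sanitized_html, number_of_iframes_removed)."""
    rewriter = _Rewriter(config, asset_class)
    rewriter.feed(content)
    rewriter.close()
    return "".join(rewriter.out), rewriter.removed

# Constructed sample content: an embed followed by text containing an entity.
SAMPLE = ('<p>Watch:</p><iframe src="https://www.youtube.com/embed/abc" width="560">'
          '</iframe><p>Thanks &amp; bye</p>')
```

Running `sanitize(SAMPLE, IframeSanitizerConfig(), "MBMessage")` drops the embed from a message board post, while the same call for `"JournalArticle"` keeps it and rewrites the tag with `sandbox=""`. Use `sandbox_is_escapable()` as a check on the values you intend to enter in the Sandbox Attribute Values field before saving them.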

To configure the iframe sanitizer,

  1. Open the Global Menu, go to the Control Panel tab, and click Instance Settings.

  2. Click Security Tools under Security and select the Iframe Sanitizer menu on the left.

  3. Adjust the configuration options as needed. Changes affect the current instance and domain only.

  4. Use the plus (+) button to add further entries to a list field, for example another asset class or domain in the whitelist or blacklist.

  5. Click Save to apply your settings.

Note

Default values appear until the configuration is saved for the first time.

Configuration Options

Option | Description
Enabled | Activates the sanitizer for the current instance.
Remove IFrame Tags | Removes all <iframe> tags from content when enabled.
Sandbox Attribute Values | Sandbox flags applied to iframes that pass sanitization (e.g., allow-scripts, allow-same-origin, allow-presentation). Leave blank for a fully sandboxed iframe.
Blacklist | Asset classes or domains that must always have iframes removed.
Whitelist | Asset classes or domains where iframes are permitted.