HTML Sanitizer

To mitigate the risk of cross-site scripting (XSS) attacks, Portal version 22.0 and later validates all user input against the whitelist provided by the Sitefinity HTML sanitizer version 4.0.217.

The HTML sanitizer ensures that HTML content is safe and does not cause security vulnerabilities to your system. The HTML sanitizer avoids cross-site scripting attacks while at the same time allowing users to submit HTML markup and content. The HTML sanitizer identifies elements as untrusted if they are not included in the whitelist.

The HTML sanitizer whitelist contains:

  • HTML tags and attributes
  • CSS properties
  • CSS at-rules
  • URI schemes
  • Attributes that contain URIs

For more information, see https://github.com/mganss/HtmlSanitizer.

Portal stores the HTML sanitizer whitelist in the SyRegistry database table, as shown below. The RegValue column holds a comma-separated list of whitelisted attributes.

[Screenshot: SyRegistry table]

Validation of User Input

The validation of user input against the HTML sanitizer whitelist, plus any attributes added via the SyRegistry setting, occurs in the following Portal areas:

  1. On all text boxes in the Portal Configuration tool which can hold HTML script/tags

    If an input field contains HTML attributes or tags that are not whitelisted, the configuration value is not saved, and the following message is displayed:

    The following input fields contains non-trusted HTML attributes/tags. Please update the fields with trusted HTML attributes/tags.
    <Field>: <attribute/tag>
    (comma-separated list of attributes/tags)

  2. On all Custom HTML pages

    If the HTML content contains non-whitelisted HTML attributes, the following warning message is displayed when the user selects the "Update" button:

    "The following tags/attributes contains non-trusted HTML:
    <attribute/tag> (comma-separated list of attributes/tags)

    Example:

    In the Portal Configuration tool under the Portal website > Menu Groups > External Links, an administrator adds custom content with HTML that contains the "class" and "mailto" attributes. Since these attributes are not whitelisted, the warning message appears when the administrator selects the "Update Menu Item and External Link" button.

    [Screenshot: Example non-trusted HTML]

    At this point, the administrator can either:

    • Select "Continue to Save" to keep the changes

      — OR —

    • Select Cancel to revert the changes

    [Screenshot: Validation for non-trusted HTML]

  3. On all transaction pages in the Portal Configuration tool (e.g., Online Application, Create Account, etc.) for every input text box which can hold HTML script/tags

    If the HTML tags or attributes used in the text box are not whitelisted, an error message is displayed.

    Example:

    In the Portal Configuration tool under the Portal website > Page Transactions, an administrator modifies the Page Description field on the Student Online Registration page with HTML that contains the "class" and "onchange" attributes. Since these attributes are not whitelisted, the warning message appears when the administrator selects the Update button.

    [Screenshot: Example for non-trusted HTML attributes/tags]

    At this point, the administrator can either:

    • Edit the HTML in the Page Description field and remove the non-trusted HTML attributes/tags

    • Select Update to proceed with saving the changes

    • Select Reset to revert the change

      — OR —

    • Select "Reset to Default Settings" to use the default page

    [Screenshot: non-trusted HTML attributes/tags found]

Overwrite the SyRegistry Table

A database administrator can overwrite the default HTML sanitizer whitelist in the database using UPDATE statements. Do this with caution: every tag or attribute added to the whitelist is no longer blocked by the sanitizer, so adding script-capable tags or event-handler attributes can expose the Portal website to cross-site scripting. Also keep in mind that changes to the SyRegistry table require a restart of the Portal website before they take effect.

Example:

The SQL transaction below overwrites the default HTML sanitizer whitelist and allows the use of "script", "class", "onchange", "resize", and "mailto" HTML tags/attributes (see the RegValue column). After the update and restart, the Portal Configuration tool will no longer display validation messages for these tags/attributes.

[Screenshot: SyRegistry Update]
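The following added example is not Portal code; it uses the underlying HtmlSanitizer library directly (assuming the 4.x namespace Ganss.XSS) to show which items of the page's External Links sample are reported as non-trusted under the default whitelist, and how a narrower override (only "class" and "mailto", not "script" or "onchange") changes the result.

```csharp
using System;
using System.Collections.Generic;
using Ganss.XSS; // HtmlSanitizer 4.x namespace (assumption; Ganss.Xss in newer releases)

// Added example (not Portal's own validation code): reproduce the
// "non-trusted HTML" check described on the page with HtmlSanitizer.
public static class WhitelistCheck
{
    // Collects every tag and attribute the sanitizer would strip from the input.
    // An empty list means the markup lies entirely within the whitelist.
    public static List<string> FindUntrusted(HtmlSanitizer sanitizer, string html)
    {
        var removed = new List<string>();
        EventHandler<RemovingTagEventArgs> onTag =
            (s, e) => removed.Add("tag:" + e.Tag.TagName.ToLowerInvariant());
        EventHandler<RemovingAttributeEventArgs> onAttr =
            (s, e) => removed.Add("attribute:" + e.Attribute.Name + " (" + e.Reason + ")");
        sanitizer.RemovingTag += onTag;
        sanitizer.RemovingAttribute += onAttr;
        try { sanitizer.Sanitize(html); }
        finally
        {
            sanitizer.RemovingTag -= onTag;
            sanitizer.RemovingAttribute -= onAttr;
        }
        return removed;
    }

    public static void Main()
    {
        // Constructed sample modelled on the page's External Links example.
        const string input =
            "<a href=\"mailto:help@example.edu\" class=\"ext\" onchange=\"x()\">Help</a>";

        // Default whitelist: "class", "onchange" and the mailto href are all reported.
        var defaults = new HtmlSanitizer();
        Console.WriteLine(string.Join(", ", FindUntrusted(defaults, input)));

        // Narrow override mirroring a SyRegistry change: "class" goes in the attribute
        // list, "mailto" in the URI scheme list, a CSS property such as "resize" would
        // go in AllowedCssProperties. "script" and "onchange" are left out on purpose,
        // since allowing them removes the XSS protection the sanitizer provides.
        var extended = new HtmlSanitizer();
        extended.AllowedAttributes.Add("class");
        extended.AllowedSchemes.Add("mailto");
        Console.WriteLine(string.Join(", ", FindUntrusted(extended, input)));
    }
}
```

With the default whitelist the first line lists the class attribute, the onchange attribute and the href (rejected for its mailto scheme); with the narrowed override only onchange remains, which is the attribute an administrator should expect to keep seeing flagged.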