Sample FilterDataInput Component to Check for Illegal or Corruptive HTML Constructs

Date:

December 21, 2006

Sample Version:

version=2006_12_21

Product and Version:

Content Server 7.5, 7.5.1, 7.5.2

Sample Status:

This is a Stellent Sample. Stellent Samples are free and include non-supported add-ons, utilities, tutorials or programming examples. They may require additional configuration or security auditing for maximum effect. They are not supported by Stellent without a consulting engagement.

Prerequisites and Recommendations:

The sample FilterDataInput component provides extra functionality for filtering data for illegal or corruptive HTML constructs. This version is recommended for Stellent Content Server 7.5.1 and 7.5.2.

Background Information:

This sample component provides two pieces: a new Idoc Script function called encodeHtml, and a filter hook that automatically scrubs all input data for dangerous HTML constructs.

IMPORTANT: The encodeHtml function and the filter hook have a number of configuration variables, which are described in detail in the readme.txt provided with the component. Be sure to read the readme.txt file for examples, and open it in a text editor rather than a browser so that the escape sequences in the examples are shown literally instead of being rendered.
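As an added illustration, not the component's own code (its exact rules are in its readme.txt), the following Python models an "exceptsafe"-style encoder: bare allow-listed formatting tags pass through, names given in an extra-unsafe list (modelled on the HtmlDataInputExtraUnsafeTags entry in the changelog) lose their allow-list status, and any tag carrying attributes is encoded wholesale, so an IMG tag with an event-handler attribute cannot pass. The allow-list contents, the "all" level name and the function signature are assumptions.

```python
import html
import re

# Added illustration of an "exceptsafe"-style encoder; the real component's
# rules are documented in its readme.txt. Allow-list contents are assumed.
SAFE_TAGS = {"b", "i", "u", "em", "strong", "p", "br"}

# Matches only a bare tag: optional "/", a tag name, optional self-closing "/".
# A tag with attributes (e.g. <img src=...>) does not match and is therefore
# treated as ordinary text and fully encoded.
BARE_TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\s*(/?)>")


def encode_html(value, level="exceptsafe", extra_unsafe=()):
    """Encode HTML-significant characters in one input value.

    level "all":        encode every & < > " ' (assumed name for the strictest level)
    level "exceptsafe": pass bare allow-listed tags through unchanged, encode
                        everything else. Names in extra_unsafe (modelled on
                        HtmlDataInputExtraUnsafeTags) are removed from the allow-list.
    """
    if level == "all":
        return html.escape(value, quote=True)
    if level != "exceptsafe":
        raise ValueError("unknown filter level: %r" % level)
    allowed = SAFE_TAGS - {t.lower() for t in extra_unsafe}
    out, pos = [], 0
    for m in BARE_TAG_RE.finditer(value):
        out.append(html.escape(value[pos:m.start()], quote=True))
        if m.group(2).lower() in allowed:
            out.append(m.group(0))  # harmless formatting tag, kept verbatim
        else:
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(value[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample submissions, as a form field might carry them.
    samples = [
        "<b>bold</b> text",
        '<img src="x" onerror="run()">',
        "<script>run()</script>",
        '<b onclick="run()">click</b>',
    ]
    for s in samples:
        print(repr(s), "->", repr(encode_html(s)))
    # With "b" declared extra-unsafe, even the bare <b> tag is encoded.
    print(repr(encode_html("<b>x</b>", extra_unsafe=["b"])))
```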

Installation Instructions:

Warning: Stellent recommends you deploy and confirm this component in your development environment before using this in a production environment. Stellent assumes no responsibility for sample solutions.

1) Download the file FilterDataInputBundle.zip

2) Extract the contents of the zip to a temporary directory. You will have the following files:

readme.htm
FilterDataInput.zip

3) FilterDataInput.zip is a Stellent component. Use the Component Wizard or the Admin Server Component Manager to install and enable the component.

4) Restart the Content Server.

Where to Get this Sample:

The sample referenced in this article can be downloaded from the Download Samples section of the Stellent Support Site.

How to Check if this Sample is Installed:

To check if this sample is installed, make sure that the FilterDataInput component is enabled and that the version for the component is at least version=2006_12_21 (month, day, year).

How to Uninstall this Sample:

To uninstall this sample, uninstall or disable the component.

Changelog for this Sample:

12/21/06
-----------------
Fully encodes an additional parameter.

11/7/2006
-----------------
Put in support for configuration entry HtmlDataInputExtraUnsafeTags. Also improved escaping of values in attributes of HTML tags. Fixes UCF p51047058 (FilterDataInput possible exploit with the IMG html tag).

6/23/2006
-----------------
Put in better support for hcsp/hcsf forms when encoding at the "exceptsafe" level. In particular, the values for DataScript and any parameter whose name ends with ":default" needed special handling. Fixes UCF p51043774 (Threaded Discussions and FilterDataInput: "Unable to parse date" error).

11/18/2005
-----------------
Put in support for configuration entry HtmlDataInputEncodeDocAndUserFieldsAsExceptSafe. Also reduced the scope of HtmlDataInputFilterLevel so that encoding levels of "exceptsafe" or higher apply only to "POST" style requests and not to "GET" requests. Also fixed an issue with HtmlDataInputFilterLevel not applying to some of the metadata in a checkin or to the parameters of certain document action commands (CHECKOUT, etc.).

Additional Keywords:

security

More Information:

-----------------------------
Rev: November 9, 2006
Rev: December 21, 2006 - additional param

Note: Any 'pxxxxxxxx' references contained in this document are Stellent internal identifiers associated with this solution.

Copyright© 1996 - 2006 Stellent Inc.
7500 Flying Cloud Drive, Suite 500, Eden Prairie, MN 55344 USA.
Tel: 952.903.2000 http://WWW.stellent.com
Support Hotline: 888.688.8324 http://Support.stellent.com
All Rights Reserved