The Documentation for Project Zero has moved. Please update your bookmarks to: http://www.projectzero.org/documentation/

Active Content Filtering: Default filters

The zero.acf package provides two default ACF filters.

Basic filter

This filter strips active content such as JavaScript, applets and ActiveX objects from the input data (typically HTML).

Attackers often try to inject scripts as attribute values, using obfuscation techniques that browsers interpret but ordinary content filters do not recognise. The filter is therefore also intended to block such attempts.

The following shows an example of the configuration of the basic filter.

<?xml version="1.0"?>
<config>
  <filter-chain>
    <filter name="base" class="com.ibm.trl.acf.basefilter.BaseFilter" verbose-output="false" />
  </filter-chain>
  <filter-rule id="base">
    <target scope="">
      <rule c14n='true' all='true' />
      <rule attribute='on' attribute-criterion='starts-with' action='remove-attribute-value' />
      <rule attribute='href' value='javascript' value-criterion='starts-with' action='remove-attribute-value' />
      <rule tag='script' action='remove-tag' />
      <rule tag='link' attribute='rel' value='stylesheet' value-criterion='contains' action='remove-tag' />
    </target>
  </filter-rule>
</config>

You can configure the following information to modify the atomic rules for the basic filter:

rule
The atomic filter rule, such as removing tags with a certain name.

rule/@c14n
True if canonicalization of attribute values is required before the ACF processing.

rule/@dataschema
True if decoding of the values based on the data URL scheme (RFC2397) is required.

rule/@url
True if decoding of URL encoded values is required.

rule/@entityreference
True if entity references in the values need to be resolved.

rule/@whitespace
True if whitespace characters (tab, carriage return and line feed) need to be removed.

rule/@all
True if all canonicalization techniques described above are required.

rule/@tag
The name of the tag in the message, such as ‘iFrame’ and ‘applet’. You need to specify at least one of ‘tag’ and the ‘attribute’ described below. If you do not set ‘tag’, the filter rule is applied to all tags.

rule/@attribute
The attribute name, or part of it, such as ‘href’ and ‘style’. You need to specify at least one of ‘tag’ above and ‘attribute’.

rule/@attribute-criterion
How the attribute name is compared with ‘attribute’ above. You can select one of the following:
  • equals (default) – if the attribute name matches ‘attribute’ exactly
  • starts-with – if the attribute name starts with ‘attribute’
  • contains – if the attribute name contains ‘attribute’

rule/@value
The value of the attribute, such as ‘javascript’.

rule/@value-criterion
How the attribute value is compared with ‘value’ above. You can select one of the following:
  • equals (default) – if the attribute value matches ‘value’ exactly
  • starts-with – if the attribute value starts with ‘value’
  • contains – if the attribute value contains ‘value’

rule/@action
What the ACF does when it finds a tag or attribute that matches the filter rule. You can select one of the following:
  • remove-tag – Remove the tag.
  • remove-attribute – Remove the attribute. You can use this value only when you have set the ‘attribute’ attribute.
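To show how the rule attributes above combine in practice, here is an added example (not Project Zero's BaseFilter and not code from this page): a small Python rule engine that reads the <filter-rule> XML shape shown above and applies the tag, attribute, criterion and action settings to an HTML fragment with the standard library. It implements the ‘url’ and ‘whitespace’ canonicalization steps before matching, so that an href such as java%73cript: or java<tab>script: still matches the ‘javascript’ prefix rule; data: URL decoding is left out, and the treatment of remove-attribute-value (the attribute is kept with an empty value), the VOID_TAGS set and the SAMPLE_HTML input are assumptions made for the example.

```python
# Added example (not Project Zero's BaseFilter): reads this page's <filter-rule> XML and applies it to HTML.
import html
import re
import urllib.parse
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# The page's rule set, embedded so the example runs offline.
CONFIG_XML = """<config><filter-rule id="base"><target scope=""><rule c14n='true' all='true' />
<rule attribute='on' attribute-criterion='starts-with' action='remove-attribute-value' />
<rule attribute='href' value='javascript' value-criterion='starts-with' action='remove-attribute-value' />
<rule tag='script' action='remove-tag' />
<rule tag='link' attribute='rel' value='stylesheet' value-criterion='contains' action='remove-tag' />
</target></filter-rule></config>"""
VOID_TAGS = {"link", "img", "br", "meta", "input", "hr", "area", "base", "col", "embed", "source"}

def matches(criterion, haystack, needle):  # criterion names from the page; 'equals' is the default
    h, n = haystack.lower(), needle.lower()
    return h.startswith(n) if criterion == "starts-with" else n in h if criterion == "contains" else h == n

def load_rules(config_xml, rule_id="base"):
    flags, rules = {"url": False, "whitespace": False}, []
    for rule in ET.fromstring(config_xml).findall(f"./filter-rule[@id='{rule_id}']/target/rule"):
        if rule.get("c14n") == "true":
            flags = {k: rule.get("all") == "true" or rule.get(k) == "true" for k in flags}
        else:
            rules.append(rule.attrib)
    return flags, rules

def canonicalize(value, flags):
    """Normalise an attribute value before matching. Entity references are already resolved by
    html.parser; data: URL decoding (rule/@dataschema) is left out of this example."""
    if flags["url"]:
        value = urllib.parse.unquote(value)
    if flags["whitespace"]:
        value = re.sub(r"[\t\r\n]", "", value)
    return value

def render(tag, attrs):
    parts = [tag] + [n if v is None else f'{n}="{html.escape(v, quote=True)}"' for n, v in attrs]
    return "<" + " ".join(parts) + ">"

class BasicFilter(HTMLParser):
    def __init__(self, flags, rules):
        super().__init__(convert_charrefs=True)
        self.flags, self.rules, self.out, self.skip = flags, rules, [], []

    def _hits(self, tag, attrs):
        """Yield (rule, attribute name or None) for every rule that matches this element."""
        for rule in self.rules:
            if "tag" in rule and rule["tag"].lower() != tag:
                continue
            if "attribute" not in rule:
                yield rule, None
                continue
            for name, value in attrs:
                if matches(rule.get("attribute-criterion", "equals"), name, rule["attribute"]) and (
                        "value" not in rule or matches(rule.get("value-criterion", "equals"),
                                                       canonicalize(value or "", self.flags), rule["value"])):
                    yield rule, name

    def _filter_start(self, tag, attrs):
        """Return the attributes to keep, or None when the whole element is dropped."""
        if self.skip:
            return None
        kept = list(attrs)
        for rule, name in self._hits(tag, attrs):
            action = rule.get("action")
            if action == "remove-tag":
                return None
            if action == "remove-attribute":
                kept = [(n, v) for n, v in kept if n != name]
            elif action == "remove-attribute-value":  # assumption: the attribute stays, its value is blanked
                kept = [(n, "" if n == name else v) for n, v in kept]
        return kept

    def handle_starttag(self, tag, attrs):
        kept = self._filter_start(tag, attrs)
        if kept is not None:
            self.out.append(render(tag, kept))
        elif tag not in VOID_TAGS:
            self.skip.append(tag)  # drop everything up to the matching end tag

    def handle_endtag(self, tag):
        if self.skip and self.skip[-1] == tag:
            self.skip.pop()
        elif not self.skip and tag not in VOID_TAGS:  # <link ... /> yields a synthetic end tag; skip it
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def apply_basic_filter(document, config_xml=CONFIG_XML):
    parser = BasicFilter(*load_rules(config_xml))
    parser.feed(document)
    parser.close()
    return "".join(parser.out)

# Constructed input: an event handler, two obfuscated javascript: URLs, a script and a stylesheet link.
SAMPLE_HTML = ('<p onclick="doIt()">Hi</p><a href="java\tscript:void(0)">x</a><a href="java%73cript:void(0)">y</a>'
               '<a href="https://example.com/">ok</a><script>bad()</script><link rel="stylesheet" href="x.css" /><link rel="icon" href="i.ico" />')
```

Running apply_basic_filter(SAMPLE_HTML) blanks the onclick and both obfuscated href values, drops the script element with its content and the stylesheet link, and leaves the plain https link and the icon link untouched. The point worth noticing is the order of operations: canonicalization runs on each attribute value before the ‘starts-with’ comparison, which is exactly why the page's configuration enables it with the all='true' rule ahead of the matching rules.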

r3 - 04 Feb 2008 - 18:19:21 - teraguti
Copyright 2007 © IBM Corporation