Active content filtering: Default HTML filters

The zero.acf package provides a default active content filtering (ACF) HTML filter.

HTML basic filter

This filter strips active content, such as JavaScript, Java applets, and ActiveX objects, from the input data (typically HTML).

Attackers often inject scripts as attribute values using obfuscation techniques (for example, entity references, URL encoding, or embedded whitespace) that a browser still interprets but that a naive content filter does not recognize. The filter therefore canonicalizes attribute values before it applies its rules, so that such attempts are blocked as well.

The following example shows configuration of the basic filter.

<?xml version="1.0"?>
<config>
  <filter-chain>
    <filter name="base" class="com.ibm.trl.acf.impl.html.basefilter.BaseFilter" verbose-output="false" />
  </filter-chain>
  <filter-rule id="base">
    <target scope="">
      <rule c14n='true' all='true' />
      <rule attribute='on' attribute-criterion='starts-with' action='remove-attribute-value' />
      <rule attribute='href' value='javascript' value-criterion='starts-with' action='remove-attribute-value' />
      <rule tag='script' action='remove-tag' />
      <rule tag='link' attribute='rel' value='stylesheet' value-criterion='contains' action='remove-tag' />
    </target>
  </filter-rule>
</config>

You can set the following elements and attributes to modify the atomic rules of the basic filter:

rule
The atomic filter rule, such as removing tags with a certain name.
rule/@c14n
True if attribute values must be canonicalized before ACF processing.
rule/@dataschema
True if values that use the data URL scheme (RFC 2397) must be decoded.
rule/@url
True if URL-encoded values must be decoded.
rule/@entityreference
True if entity references in the values must be resolved.
rule/@whitespace
True if whitespace characters (tab, carriage return, and line feed) must be removed from the values.
rule/@all
True if all of the canonicalization techniques described above are required.
rule/@tag
The name of the tag, such as 'iframe' or 'applet'.

You must specify at least one of 'tag' and 'attribute' (described below). If you do not set 'tag', the filter rule applies to all tags.

rule/@attribute
The attribute name, or a part of it, such as 'href' or 'style'. You must specify either 'tag' or 'attribute'.
rule/@attribute-criterion
How the attribute name is compared with 'attribute'. One of the following:
equals (default)
The attribute name must match 'attribute' exactly.
starts-with
The attribute name must start with 'attribute'.
contains
The attribute name must contain 'attribute'.
rule/@value
The attribute value to match, such as 'javascript'.
rule/@value-criterion
How the (canonicalized) attribute value is compared with 'value'. One of the following:
equals (default)
The attribute value must match 'value' exactly.
starts-with
The attribute value must start with 'value'.
contains
The attribute value must contain 'value'.
rule/@action
What the ACF does when it finds a tag or attribute that matches the filter rule. One of the following:
remove-tag
Removes the tag.
remove-attribute
Removes the attribute. This value is valid only when you set 'attribute'.
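As an added example (this is not the zero.acf code), the following Python re-implements the rule semantics described above end to end: canonicalize each attribute value, match the tag name, attribute name and value by the configured criteria, then apply the action. It uses the page's own configuration as its rule set and runs it over constructed inputs that hide a script URL behind an entity reference, a tab, and percent-encoding. The class, function and variable names, the regular-expression tag parser, and the order of the canonicalization steps are assumptions; rule/@dataschema (data: URL decoding) is not implemented.

```python
"""Illustration of the rule semantics described on this page. An added example, not
zero.acf code: names, the tag parser and the canonicalization order are assumptions,
and rule/@dataschema (data: URL decoding) is not implemented."""
import html
import re
from dataclasses import dataclass
from urllib.parse import unquote

TAG_RE = re.compile(r"<(/?)([A-Za-z][\w:-]*)([^>]*?)(/?)>", re.S)   # no '>' inside values
ATTR_RE = re.compile(r"""([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?""")
# Void elements have no closing tag: remove-tag on <link> must not swallow the rest
# of the document waiting for a </link> that never comes.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta",
        "param", "source", "track", "wbr"}

def canonicalize(value, whitespace=True, entityreference=True, url=True):
    """rule/@whitespace, @entityreference and @url. Repeated to a fixed point, which is
    deliberately stricter than a browser: the filter would rather flag
    java&amp;#x73;cript than let a second decoder downstream turn it into a script URL."""
    for _ in range(5):
        before = value
        if whitespace:
            value = re.sub(r"[\t\r\n]", "", value)
        if entityreference:
            value = html.unescape(value)
        if url:
            value = unquote(value)
        if value == before:
            break
    return value

@dataclass
class Rule:
    tag: str = None
    attribute: str = None
    attribute_criterion: str = "equals"
    value: str = None
    value_criterion: str = "equals"
    action: str = "remove-tag"

def _cmp(subject, needle, criterion):
    subject, needle = subject.lower(), needle.lower()   # HTML names are case-insensitive
    if criterion == "equals":
        return subject == needle
    if criterion == "starts-with":
        return subject.startswith(needle)
    if criterion == "contains":
        return needle in subject
    raise ValueError(f"unknown criterion {criterion!r}")

def _attr_action(tag, aname, aval, rules):
    """Action of the first rule whose tag, attribute and canonicalized value all match."""
    for r in rules:
        if r.attribute is None or (r.tag and not _cmp(tag, r.tag, "equals")):
            continue
        if not _cmp(aname, r.attribute, r.attribute_criterion):
            continue
        if r.value is not None and (aval is None or
                                    not _cmp(canonicalize(aval), r.value, r.value_criterion)):
            continue
        return r.action
    return None

def filter_html(doc, rules):
    out, pos, skip_until = [], 0, None
    for m in TAG_RE.finditer(doc):
        closing, name, raw_attrs, selfclose = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
        text, pos = doc[pos:m.start()], m.end()
        if skip_until:                                  # inside a removed element
            if closing and name == skip_until:
                skip_until = None
            continue
        out.append(text)
        if closing:
            out.append(m.group(0))
            continue
        # A rule with 'tag' but no 'attribute' matches on the tag name alone.
        drop = any(r.attribute is None and r.tag and _cmp(name, r.tag, "equals") for r in rules)
        kept = []
        for a in ATTR_RE.finditer(raw_attrs):
            aname = a.group(1)
            aval = next((g for g in a.groups()[1:] if g is not None), None)
            action = _attr_action(name, aname, aval, rules)
            if action == "remove-tag":
                drop = True
            elif action == "remove-attribute":
                continue
            elif action == "remove-attribute-value":   # used by the page's config; emptying the value is our reading
                kept.append((aname, ""))
            else:
                kept.append((aname, aval))
        if drop:
            if not selfclose and name not in VOID:
                skip_until = name                       # drop the element's content as well
            continue
        attrs = "".join(f" {a}" if v is None else f' {a}="{html.escape(v, quote=True)}"' for a, v in kept)
        out.append(f"<{name}{attrs}{'/' if selfclose else ''}>")
    out.append(doc[pos:])
    return "".join(out)

# The page's configuration as Rule objects; its <rule c14n='true' all='true'/> is modelled
# by canonicalize() running on every attribute value before the value comparison.
RULES = [
    Rule(attribute="on", attribute_criterion="starts-with", action="remove-attribute-value"),
    Rule(attribute="href", value="javascript", value_criterion="starts-with", action="remove-attribute-value"),
    Rule(tag="script", action="remove-tag"),
    Rule(tag="link", attribute="rel", value="stylesheet", value_criterion="contains", action="remove-tag"),
]

# Constructed samples: a script URL hidden behind an entity reference (decoded by the HTML
# parser), a tab (stripped by the URL parser) and percent-encoding, plus the other tags the
# configuration targets and one benign link that must survive intact.
SAMPLES = {
    "entity": '<a href="java&#x73;cript:alert(1)">x</a>',
    "tab": '<a href="jav\tascript:alert(1)">x</a>',
    "urlenc": '<a href="%6Aavascript:alert(1)">x</a>',
    "handler": '<img src="x" onerror="alert(1)">',
    "script": "<p>a</p><script>alert(1)</script><p>b</p>",
    "stylesheet": '<link rel="stylesheet" href="evil.css"><p>after</p>',
    "benign": '<a href="https://example.com/?q=javascript">ok</a>',
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:10} {filter_html(doc, RULES)!r}")
```

Two points are worth checking against whatever filter you actually deploy: without canonicalization, the 'href' rule with starts-with 'javascript' matches none of the three obfuscated links, so the c14n rule is what makes the configuration effective; and remove-tag on an element that has no closing tag (link, img, and the other void elements) must not put the filter into a state where it waits for a close tag and discards the rest of the document. The page lists only remove-tag and remove-attribute as actions while its configuration uses remove-attribute-value; the example treats that action as keeping the attribute with an empty value, which is a reading rather than documented behaviour.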

Version 1.1.0.0.21442