Convergence and Mshttpd Content Sanitizing and Security Features Overview
(Doc ID 2380283.1)
Last updated on APRIL 19, 2021
Applies to:Oracle Communications Convergence - Version 3.0.1 and later
Information in this document applies to any platform.
Content Sanitizing And Security Features Overview.
NOTE: A "HTML Filtering" section has been added to the Oracle Communications Convergence System Administrator's guide. [Bug 27547705 : Convergence and mshttpd content sanitizing and security features]
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document
|Content Sanitizing And Security Features Objective|
|Content Sanitizing And Security Features Description|
|HTML Sanitizer Diagram|
|Sample input and output content|
|Example for blocklist (similar for allowlist)|
|Recommended Product Matrix and Configuration Table|
|Default CSS properties supported by OWASP library [i.e. the known allow list as it stands today]|
|Why would I want to use any of these features?|
|Why do I want mshttpd to do HTML processing?|
|What does the HTML sanitizer do?|
|Why do I want Convergence to do it instead?|
|What does it mean to have both active?|
|What does it mean to have neither active?|
|What is ICAP?|
|What is OWASP?|
|How are Allow lists used?|
|How are Blocklists used?|
|What is an analogous configuration to existing deployments using Convergence 2.x and mshttpd 7.x (ie for those who decide to not perform any http/imap/wmap level content manipulation)|
|Is the 'http.enableblacklistfilter = 1' behaviour analogous for mshttpd in 7.x and earlier 8.x versions? Are they different in various 8.x versions versus 7.x?|
|It would seem that mshttpd always did "things" for sanitization, but what are those things and where are they stored? Can they be viewed?|
|What are the items listed in "Default CSS properties supported by OWASP library"? Are they the current allow list, or just elements the library is aware of, some of which could be on the allow list, and could be optionally blocklisted?|