
Convergence And MSHTTPD Content Sanitizing And Security Features Overview (Doc ID 2380283.1)

Last updated on NOVEMBER 19, 2018

Applies to:

Oracle Communications Convergence - Version 3.0.1 and later
Information in this document applies to any platform.

Goal

Content Sanitizing And Security Features Overview.

NOTE: An "HTML Filtering" section has been added to the Oracle Communications Convergence System Administrator's Guide. [Bug 27547705: Convergence and mshttpd content sanitizing and security features]

Solution



In this Document
Goal
Solution
 Content Sanitizing And Security Features Objective
 Content Sanitizing And Security Features Description
 HTML Sanitizer Diagram
 Technical Details
 Sample input and output content
 Convergence Configuration
 Example for blacklist (similar for whitelist)
 MSHTTPD Configuration
 Recommended Product Matrix and Configuration Table
 NOTES
 Links
 Default CSS properties supported by OWASP library [i.e. the known whitelist as it stands today]
  FAQ
 Why would I want to use any of these features?
 Why do I want mshttpd to do HTML processing?
 What does the HTML sanitizer do?
 Why do I want Convergence to do it instead?
 What does it mean to have both active?
 What does it mean to have neither active?
 What is ICAP?
 What is OWASP?
 How are Whitelists used?
 How are Blacklists used?
 What are all the configuration items for mshttpd and Convergence which control the various combinations of content sanitization and what are their effects, what are recommended configurations and their effects, and what are bad/wrong/disastrous configurations and their effects?
 What is an analogous configuration to existing deployments using Convergence 2.x and mshttpd 7.x (i.e. for those who decide not to perform any http/imap/wmap level content manipulation)?
 Is the 'http.enableblacklistfilter = 1' behaviour analogous for mshttpd in 7.x and earlier 8.x versions? Are they different in various 8.x versions versus 7.x?
 It would seem that mshttpd always did "things" for sanitization, but what are those things and where are they stored? Can they be viewed?
 What are the items listed in "Default CSS properties supported by OWASP library"? Are they the current whitelist, or just elements the library is aware of, some of which could be on the whitelist, and could be optionally blacklisted?
References

