
Convergence and Mshttpd Content Sanitizing and Security Features Overview (Doc ID 2380283.1)

Last updated on JANUARY 24, 2022

Applies to:

Oracle Communications Convergence - Version 3.0.1 and later
Information in this document applies to any platform.


Content Sanitizing And Security Features Overview.

NOTE: An "HTML Filtering" section has been added to the Oracle Communications Convergence System Administrator's guide. [Bug 27547705 : Convergence and mshttpd content sanitizing and security features]



In this Document
 Content Sanitizing And Security Features Objective
 Content Sanitizing And Security Features Description
 HTML Sanitizer Diagram
 Technical Details
 Sample input and output content
 Convergence Configuration
 Example for blocklist (similar for allowlist)
 MSHTTPD Configuration
 Recommended Product Matrix and Configuration Table
 Default CSS properties supported by OWASP library [i.e. the known allow list as it stands today]
 Why would I want to use any of these features?
 Why do I want mshttpd to do HTML processing?
 What does the HTML sanitizer do?
 Why do I want Convergence to do it instead?
 What does it mean to have both active?
 What does it mean to have neither active?
 What is ICAP?
 What is OWASP?
 How are Allow lists used?
 How are Blocklists used?
 What are all the configuration items for mshttpd and Convergence which control the various combinations of content sanitization and what are their effects, what are recommended configurations and their effects, what are bad/wrong/disastrous configurations and their effects?
 What is an analogous configuration to existing deployments using Convergence 2.x and mshttpd 7.x (i.e. for those who decide to not perform any http/imap/wmap level content manipulation)?
 Is the 'http.enableblacklistfilter = 1' behaviour analogous for mshttpd in 7.x and earlier 8.x versions?  Are they different in various 8.x versions versus 7.x?
 It would seem that mshttpd always did "things" for sanitization, but what are those things and where are they stored? Can they be viewed?
 What are the items listed in "Default CSS properties supported by OWASP library"? Are they the current allow list, or just elements the library is aware of, some of which could be on the allow list, and could be optionally blocklisted?
