framework/base/config/utilcodec.properties from ilscipio/scipio-erp

framework/base/config/utilcodec.properties
Summary

Maintainability

Test Coverage

Issues
# SCIPIO: Default and customizable sanitizer policies
#
# These factories implement org.ofbiz.base.util.codec.EncoderFactory and build 
# UtilCodec.SimpleEncoder instances, with specific implementations of the sanitize() method.
# If present, the special *-default policy becomes the default for that language ("html-default"->"html").
#
# These are now used by all the *ContentWrapper classes (ProductContentWrapper, etc.)
# as well as by the Freemarker utilities.ftl #escapeVal function (opts.allow).
#
# DEV NOTE: SimpleEncoder currently (2018-07-12) provides both encode and sanitize methods, 
# but this area focuses on sanitization (because encoding/escaping rarely needs to change, and upstream mixing the two).
#
# See also: owasp.properties
#

############## Generic levels

# Default general policy (in stock Scipio, this defers to "strict" or "perm" depending on sanitizer.permissive.policy)
sanitizer.policy.html-default.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$PermOrStrictSanitizerPolicy

# Strict general policy
sanitizer.policy.html-strict.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$StrictOwaspPolicy

# Permissive general policy
sanitizer.policy.html-perm.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$PermissiveOwaspPolicy

# Policy that uses complete HTML escaping for sanitization (the old ofbiz behavior; mostly for debugging now)
sanitizer.policy.html-escape.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$EscapeSanitizerPolicy
sanitizer.policy.html-none.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$AliasSanitizerPolicy
sanitizer.policy.html-none.alias=html-escape

# Performs no sanitization at all
sanitizer.policy.html-any.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$NoSanitizerPolicy

# TODO: NOT IMPLEMENTED: currently does the same as "any"
# This is supposed to deny only badly-formatted HTML, and is not meant for security.
sanitizer.policy.html-anyvalid.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$NoSanitizerPolicy

############## Content-specific levels

# Internal content policy - content made by employees - defaults to permissive
sanitizer.policy.html-internal.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$AliasSanitizerPolicy
sanitizer.policy.html-internal.alias=html-perm

# External content policy - content made by customers - defaults to strict
sanitizer.policy.html-external.factoryClass=org.ofbiz.base.util.codec.HtmlSanitizerPolicies$AliasSanitizerPolicy
sanitizer.policy.html-external.alias=html-strict