sys_sanitizeItemFields

The sys_sanitizeItemFields Input Transform can be configured on a Content Type to strip all or some HTML markup from a list of fields on the Content Type when content is created or updated. This hardens the Content Editor by preventing malicious users from inserting <script> or other HTML tags into fields that should only allow plain text.

Extension Parameters

Parameter: fields
Data Type: String
Description: A comma-separated list of field names from the Content Type that should be sanitized for HTML input when they are saved.

Parameter: whitelist
Data Type: String
Description: Specifies the whitelist to use when sanitizing input.

  • none: (default) All tags are removed; only text nodes are preserved.
  • simpleText: Allows b, em, i, strong, u.
  • basic: Allows a, b, blockquote, br, cite, code, dd, dl, dt, em, i, li, ol, p, pre, q, small, span, strike, strong, sub, sup, u, ul, and appropriate attributes. Links (a elements) can point to http, https, ftp, mailto, and have an enforced rel=nofollow attribute.
  • basicWithImages: basic plus img tags, with appropriate attributes, with src pointing to http or https.
  • relaxed: Allows a, b, blockquote, br, caption, cite, code, col, colgroup, dd, div, dl, dt, em, h1, h2, h3, h4, h5, h6, i, img, li, ol, p, pre, q, small, span, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, u, ul. Links do not have an enforced rel=nofollow attribute.

Configuring this Input Transform on all non-rich-text text fields of a Content Type is recommended to harden the Content Type editor against XSS attacks.
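To make the whitelist levels concrete, here is an added example (not the platform's own transform code) that re-implements the none, simpleText and basic policies with Python's standard-library HTML parser and runs a constructed malicious field value through each. The tag sets are the ones listed above; the attribute handling (only href on links, with the scheme check and the enforced rel=nofollow) is a simplification assumed here.

```python
from html import escape
from html.parser import HTMLParser

# Tag sets mirroring the page's "none", "simpleText" and "basic" whitelists
# (illustrative re-implementation, not the platform's own transform).
WHITELISTS = {
    "none": set(),
    "simpleText": {"b", "em", "i", "strong", "u"},
    "basic": {"a", "b", "blockquote", "br", "cite", "code", "dd", "dl", "dt",
              "em", "i", "li", "ol", "p", "pre", "q", "small", "span",
              "strike", "strong", "sub", "sup", "u", "ul"},
}
LINK_SCHEMES = ("http:", "https:", "ftp:", "mailto:")  # allowed in a[href]
DROP_CONTENT = {"script", "style"}  # remove the element together with its text

class Sanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.skip = allowed, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1            # suppress text until the closing tag
        elif tag in self.allowed:     # any other tag is unwrapped: text stays
            attr_str = ""
            if tag == "a":            # only href is kept; other attrs dropped
                href = dict(attrs).get("href") or ""
                if href.strip().lower().startswith(LINK_SCHEMES):
                    attr_str += f' href="{escape(href, quote=True)}"'
                attr_str += ' rel="nofollow"'  # enforced attribute on links
            self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.allowed and tag != "br":  # br is a void tag
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape text nodes

def sanitize(value, whitelist="none"):
    parser = Sanitizer(WHITELISTS[whitelist])
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

# Constructed sample of a malicious submission to a plain-text field.
SAMPLE = ('<p>Hi <b>there</b><script>alert(1)</script> '
          '<a href="javascript:alert(1)">x</a><img src=x onerror=alert(1)></p>')
```

With the default none whitelist the sample collapses to the text "Hi there x"; basic keeps the paragraph, the bold tag and the link, but drops the javascript: href and adds rel="nofollow".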