Examples - Alfresco Document Transformation Engine 2.4 - Configure HTML sanitizer - 2025-04-04

Alfresco Document Transformation Engine

Platform
Alfresco
Product
Alfresco Document Transformation Engine
Release
2.4
License

Below are some examples of how to configure the new HTML sanitizer which comes with DTE 2.4.2.

Configuration for BLACKLIST mode

# Configuration for HTML sanitizer
# Sample configuration for HTML sanitizer
# Modes are WHITELIST, BLACKLIST, NONE (Use at own risk, not recommended)
sanitizer.mode=BLACKLIST
# Only works with BLACKLIST mode. Sample: sanitizer.disallowed.elements=a,script,iframe,style
sanitizer.disallowed.elements=a,script,iframe,style
# Only works with BLACKLIST mode. Sample: sanitizer.disallowed.attributes=a.onclick,a.onmouseover,img.onerror,button.onclick (element.attribute)
sanitizer.disallowed.attributes=img.onerror
  • This configuration explicitly strips the following HTML elements: a, script, iframe, and style.
  • It also explicitly strips the onerror attribute from img elements (the element.attribute form in the property).
Note: BLACKLIST mode already strips most of these elements on its own, which is also what blocks the potential SSRF vector; the two disallowed properties add to that built-in set rather than replacing it. Anything not named in the lists (for example, onclick on a p element) is passed through, so a blacklist only covers the cases you remembered to list.

Configuration for WHITELIST mode

# Configuration for HTML sanitizer
# Sample configuration for HTML sanitizer
# Modes are WHITELIST, BLACKLIST, NONE (Use at own risk, not recommended)
sanitizer.mode=WHITELIST
# Only works with WHITELIST mode. Sample: sanitizer.allowed.elements=p,div,span,ul,ol,li,h1,h2,h3,a
sanitizer.allowed.elements=p,div,span,ul,ol,li,h1,h2,h3,a
# Only works with WHITELIST mode. Sample: sanitizer.allowed.attributes=a.href,a.target,img.src,img.alt,div.class (element.attribute)
sanitizer.allowed.attributes=img.src
  • This configuration allows only the following HTML elements: p, div, span, ul, ol, li, h1, h2, h3, and a. Every other element is stripped.
  • It also allows only the src attribute on img elements; all other attributes (including a.href, since it is not listed) are stripped.
  • Note that img is not in sanitizer.allowed.elements above, so the img.src entry has no effect until img is added to the element list: an attribute can only survive on an element that is itself allowed.
Note: SSRF-critical elements cannot be enabled through the whitelist; listing them in sanitizer.allowed.elements does not re-enable them.

Configuration for NONE mode

# Configuration for HTML sanitizer
# Sample configuration for HTML sanitizer
# Modes are WHITELIST, BLACKLIST, NONE (Use at own risk, not recommended)
sanitizer.mode=NONE
Important: This mode is not recommended. Use it at your own risk.
  • This mode re-enables all HTML features, such as execution of embedded script tags or preview of iframes, at the cost of exposing the engine to potential SSRF attacks.
  • If you select this mode, the behaviour is exactly the same as in DTE versions prior to 2.4.2, which had no sanitizer.
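The following Python script is an added illustration of the three modes, not DTE's own sanitizer code. It parses the property format shown above (sanitizer.mode, the comma-separated element lists, and the element.attribute pairs), applies the stated BLACKLIST, WHITELIST and NONE semantics to a constructed HTML fragment, and shows the resulting output for each mode. The input fragment, the property strings and the sanitizer logic are assumptions for demonstration; the toy sanitizer has no built-in default blocklist, so BLACKLIST mode here strips only what the properties name.

```python
"""Illustrative sanitizer driven by the DTE-style properties (added example, not DTE code)."""
from html.parser import HTMLParser
from html import escape

# Elements whose inner content is dropped together with the tag when the tag is rejected.
DROP_CONTENT = {"script", "style", "iframe"}
# Void elements never receive an end tag.
VOID = {"img", "br", "hr", "input", "meta", "link"}


def parse_props(text):
    """Parse a Java-style .properties fragment into a dict (comments and blanks ignored)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _names(value):
    """'a,script,iframe' -> {'a', 'script', 'iframe'}"""
    return {x.strip().lower() for x in value.split(",") if x.strip()}


def _pairs(value):
    """'img.onerror,a.onclick' -> {('img', 'onerror'), ('a', 'onclick')}"""
    out = set()
    for item in _names(value):
        element, _, attr = item.partition(".")
        if element and attr:
            out.add((element, attr))
    return out


class _Sanitizer(HTMLParser):
    def __init__(self, props):
        super().__init__(convert_charrefs=True)
        self.mode = props.get("sanitizer.mode", "WHITELIST").upper()
        self.allowed_el = _names(props.get("sanitizer.allowed.elements", ""))
        self.allowed_attr = _pairs(props.get("sanitizer.allowed.attributes", ""))
        self.disallowed_el = _names(props.get("sanitizer.disallowed.elements", ""))
        self.disallowed_attr = _pairs(props.get("sanitizer.disallowed.attributes", ""))
        self.out = []
        self.skip_depth = 0  # > 0 while inside a rejected script/style/iframe

    def _element_ok(self, tag):
        if self.mode == "BLACKLIST":
            return tag not in self.disallowed_el
        return tag in self.allowed_el  # WHITELIST: unknown elements are stripped

    def _attr_ok(self, tag, name):
        if self.mode == "BLACKLIST":
            return (tag, name) not in self.disallowed_attr
        return (tag, name) in self.allowed_attr

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth += 1
            return
        if not self._element_ok(tag):
            if tag in DROP_CONTENT:
                self.skip_depth = 1  # drop the body too, not just the tag
            return  # other rejected elements keep their text content
        kept = [(n, v) for n, v in attrs if self._attr_ok(tag, n.lower())]
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth -= 1
            return
        if tag not in VOID and self._element_ok(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(props_text, html):
    """Apply the configured mode to an HTML fragment and return the sanitized string."""
    props = parse_props(props_text)
    if props.get("sanitizer.mode", "").upper() == "NONE":
        return html  # pass-through, exactly as if no sanitizer were present
    parser = _Sanitizer(props)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


BLACKLIST_PROPS = """sanitizer.mode=BLACKLIST
sanitizer.disallowed.elements=a,script,iframe,style
sanitizer.disallowed.attributes=img.onerror"""
WHITELIST_PROPS = """sanitizer.mode=WHITELIST
sanitizer.allowed.elements=p,div,span,ul,ol,li,h1,h2,h3,a
sanitizer.allowed.attributes=img.src"""
NONE_PROPS = "sanitizer.mode=NONE"

# Constructed sample input: an inline handler, a link, a script, an img with onerror, and a b tag.
SAMPLE = ('<p onclick="x()">Hi <a href="http://e">link</a><script>alert(1)</script>'
          '<img src="x.png" onerror="alert(2)"><b>bold</b></p>')

if __name__ == "__main__":
    for label, props in (("BLACKLIST", BLACKLIST_PROPS), ("WHITELIST", WHITELIST_PROPS), ("NONE", NONE_PROPS)):
        print(f"{label}: {sanitize(props, SAMPLE)}")
```

Running it shows the difference the page describes: BLACKLIST leaves the p element's onclick handler and the b element in place because neither is listed, while WHITELIST keeps only the listed elements, strips a.href because only img.src is allowed, and drops the img entirely because img is not an allowed element, so the img.src entry never applies. NONE returns the fragment untouched, script and onerror included.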