static pages: add html content sanitization config
Sam Arbid authored and lnielsen committed Mar 20, 2024
1 parent 2d132a9 commit 82652e2
Showing 1 changed file with 42 additions and 0 deletions.
42 changes: 42 additions & 0 deletions docs/customize/static_pages.md
Expand Up @@ -109,3 +109,45 @@ After making this change, you'll have to restart your instance and run
```bash
pipenv run invenio rdm pages create --force
```

## Static Pages Content HTML Sanitization

_Introduced in InvenioRDM v12_

InvenioRDM version 12 introduces enhanced HTML sanitization for static pages content. This update provides greater security and integrity of the content.
The changes involve extending the list of allowed HTML tags and attributes for static page content.
If you find certain tags absent in your static page, you have the option to incorporate these configurations into your instance.

### Configuration

Two new configurations have been introduced:

`PAGES_ALLOWED_EXTRA_HTML_TAGS`: This configuration extends the [list of HTML tags](https://github.com/inveniosoftware/invenio-config/blob/2a52eafe3c44bc162538d2f65817332cfadfa168/invenio_config/default.py#L16) permitted in static pages content. By default, it extends tags like `img` and `button`, if you like to add more tags you can override this in your `invenio.cfg`, or remove the extra tags by provide empty list:

```python
PAGES_ALLOWED_EXTRA_HTML_TAGS = []
```

`PAGES_ALLOWED_EXTRA_HTML_ATTRS`: Accompanying the tags, this configuration specifies the allowed attributes for each tag. For instance, for img tags, attributes like `src, alt, title, width, height, loading`, are permitted. Similarly, button tags can have attributes like `type, name, value, disabled, onclick`.

**example**

```python
# invenio.cfg

PAGES_ALLOWED_EXTRA_HTML_TAGS = ["video", "audio"]
"""Extend allowed HTML tags list for static pages content."""

PAGES_ALLOWED_EXTRA_HTML_ATTRS = {
"video": ["src", "controls", "autoplay", "loop", "muted"],
"audio": ["src", "controls", "autoplay", "loop"],
}
"""Extend allowed HTML attrs list for static pages content."""

```

After adding these configs, you'll have to restart your instance and run

```bash
pipenv run invenio rdm pages create --force
```
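Review bot: The paragraph beginning "`PAGES_ALLOWED_EXTRA_HTML_ATTRS`: Accompanying the tags" lists `onclick` among the permitted attributes for `button` tags without comment; in a section titled "HTML Sanitization" that deserves a sentence, because an allowed event-handler attribute lets static page content execute script in every reader's browser, so the sanitizer no longer stops script injection through that path. The doc should state who is trusted to author static pages and point out that an operator who does not want this can redefine `PAGES_ALLOWED_EXTRA_HTML_ATTRS` in `invenio.cfg` without `onclick` (the same override mechanism the section already describes for `PAGES_ALLOWED_EXTRA_HTML_TAGS`). Two smaller points in the same hunk: the `PAGES_ALLOWED_EXTRA_HTML_TAGS` paragraph reads "if you like to add more tags you can override this in your `invenio.cfg`, or remove the extra tags by provide empty list" and should read "if you would like to add more tags, you can override this in your `invenio.cfg`, or remove the extra tags by providing an empty list"; and in the `invenio.cfg` example the `"""..."""` strings following each assignment are bare string expressions rather than docstrings, so plain `#` comments would make the intent clearer to someone copying the snippet.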
