Examples

Alfresco Document Transformation Engine

Platform: Alfresco
Product: Alfresco Document Transformation Engine
Release: 2.4
Last publication: 2025-10-21
Locale: en-US

Below are some examples of how to configure the HTML sanitizer introduced in DTE 2.4.2.

Configuration for BLACKLIST mode

# Configuration for HTML sanitizer
# Sample configuration for HTML sanitizer
# Modes are WHITELIST, BLACKLIST, NONE (Use at own risk, not recommended)
sanitizer.mode=BLACKLIST
# Only works with BLACKLIST mode. Sample: sanitizer.disallowed.elements=a,script,iframe,style
sanitizer.disallowed.elements=a,script,iframe,style
# Only works with BLACKLIST mode. Sample: sanitizer.disallowed.attributes=a.onclick,a.onmouseover,img.onerror,button.onclick (element.attribute)
sanitizer.disallowed.attributes=img.onerror
  • This mode explicitly disables the following HTML elements: a, script, iframe, and style.
  • It also explicitly disables the onerror attribute of img elements (attributes are keyed as element.attribute).
Note: Most of these elements are already removed by choosing BLACKLIST mode, which also prevents potential SSRF attacks; the properties above only make that choice explicit. A blacklist can only block what is listed, so prefer WHITELIST mode wherever the documents you transform allow it.

Configuration for WHITELIST mode

# Configuration for HTML sanitizer
# Sample configuration for HTML sanitizer
# Modes are WHITELIST, BLACKLIST, NONE (Use at own risk, not recommended)
sanitizer.mode=WHITELIST
# Only works with WHITELIST mode. Sample: sanitizer.allowed.elements=p,div,span,ul,ol,li,h1,h2,h3,a
sanitizer.allowed.elements=p,div,span,ul,ol,li,h1,h2,h3,a
# Only works with WHITELIST mode. Sample: sanitizer.allowed.attributes=a.href,a.target,img.src,img.alt,div.class (element.attribute)
sanitizer.allowed.attributes=img.src
  • This mode explicitly allows only the following HTML elements: p, div, span, ul, ol, li, h1, h2, h3, and a; every other element is removed.
  • It also explicitly allows only the src attribute of img elements; attributes that are not listed are removed. Note that img itself is not in sanitizer.allowed.elements in this sample, so add it there as well if images should be kept.
Note: Elements that can trigger SSRF (for example iframe) cannot be enabled through the whitelist.

Configuration for NONE mode

# Configuration for HTML sanitizer
# Sample configuration for HTML sanitizer
# Modes are WHITELIST, BLACKLIST, NONE (Use at own risk, not recommended)
sanitizer.mode=NONE
CAUTION: This mode is not recommended. Use it at your own risk.
  • This mode re-enables all HTML features, such as execution of embedded script tags and previews of iframes, at the cost of exposure to potential SSRF attacks.
  • If you select this mode, the behavior is exactly the same as in DTE versions prior to 2.4.2.
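The three modes above side by side, as an added example that is not part of DTE or Alfresco: a standard-library Python sanitizer that reads the same sanitizer.* properties and applies them to one constructed document. Only the property names and the element.attribute key format are taken from this page; the properties parser, the treatment of script/style bodies, void elements and unknown modes, the extra whitelist entries (img, a.href, img.alt) and the sample input are this example's own assumptions and say nothing about how DTE implements its sanitizer.

```python
# Added example, not DTE or Alfresco code: applies the sanitizer.* properties
# from this page with Python's standard-library html.parser.  Everything beyond
# the property names and the element.attribute key format is an assumption here.
from html import escape
from html.parser import HTMLParser

RAW_TEXT_ELEMENTS = {"script", "style"}  # body is dropped together with a dropped tag
VOID_ELEMENTS = {"img", "br", "hr", "input", "meta", "link"}  # never get a closing tag

def parse_properties(text):
    """Java-style properties fragment -> dict, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def csv_set(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}

class ConfiguredSanitizer(HTMLParser):
    def __init__(self, props):
        super().__init__(convert_charrefs=True)
        self.mode = props.get("sanitizer.mode", "WHITELIST").upper()
        self.allowed_elements = csv_set(props.get("sanitizer.allowed.elements", ""))
        self.allowed_attributes = csv_set(props.get("sanitizer.allowed.attributes", ""))
        self.disallowed_elements = csv_set(props.get("sanitizer.disallowed.elements", ""))
        self.disallowed_attributes = csv_set(props.get("sanitizer.disallowed.attributes", ""))
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped script/style body

    def element_allowed(self, tag):
        if self.mode == "NONE":
            return True
        if self.mode == "BLACKLIST":
            return tag not in self.disallowed_elements
        return tag in self.allowed_elements  # WHITELIST; unknown modes fail closed

    def attribute_allowed(self, tag, attr):
        key = f"{tag}.{attr}"
        if self.mode == "NONE":
            return True
        if self.mode == "BLACKLIST":
            return key not in self.disallowed_attributes
        return key in self.allowed_attributes

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if not self.element_allowed(tag):
            if tag in RAW_TEXT_ELEMENTS:
                self.skip_depth += 1  # drop the body, not just the tag
            return  # other dropped elements are unwrapped: their text is kept
        kept = [(k, v or "") for k, v in attrs if self.attribute_allowed(tag, k)]
        self.out.append(f"<{tag}" + "".join(f' {k}="{escape(v)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in RAW_TEXT_ELEMENTS:
                self.skip_depth -= 1
            return
        if tag not in VOID_ELEMENTS and self.element_allowed(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(html_text, config_text):
    """Apply a sanitizer.* properties fragment to html_text and return the result."""
    parser = ConfiguredSanitizer(parse_properties(config_text))
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

# Constructed sample: harmless markup mixed with what the page warns about
# (event handlers, an iframe pointing at an internal host, an inline script).
SAMPLE_HTML = (
    '<div class="doc"><h1>Report</h1>'
    '<p>See <a href="http://example.com" onclick="steal()">the source</a>.</p>'
    '<img src="logo.png" alt="logo" onerror="alert(1)">'
    '<iframe src="http://intranet.example/"></iframe><script>alert(1)</script>'
    '<object data="file.swf"></object></div>'
)
# The page's BLACKLIST sample as-is; its WHITELIST sample with img, a.href and
# img.alt added (an assumption) so an explicitly allowed attribute is visible.
BLACKLIST_CONFIG = """# Modes are WHITELIST, BLACKLIST, NONE
sanitizer.mode=BLACKLIST
sanitizer.disallowed.elements=a,script,iframe,style
sanitizer.disallowed.attributes=img.onerror"""
WHITELIST_CONFIG = """sanitizer.mode=WHITELIST
sanitizer.allowed.elements=p,div,span,ul,ol,li,h1,h2,h3,a,img
sanitizer.allowed.attributes=a.href,img.src,img.alt"""
NONE_CONFIG = "sanitizer.mode=NONE"
```

Calling sanitize(SAMPLE_HTML, cfg) with each configuration shows the practical difference between the modes: BLACKLIST keeps the object element and the div.class attribute because nothing forbade them, WHITELIST drops everything not listed (object, iframe, script) and strips onclick and onerror without being told about them, and NONE returns the input unchanged. In this example an attribute entry such as img.src has no effect until its element is allowed as well, and an unrecognised mode value falls back to whitelist behaviour; whether DTE behaves the same way in either case is not stated on this page, so check it before relying on it.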