Changing your Active Content Filter in IBM Connections 6.0

Previous versions of IBM Connections had a blacklist for active content which defined which attributes, elements and styles you couldn’t use in your posts. You usually had to go into HTML mode or use the advanced properties of elements to set these, so most users never noticed this. The more adventurous users however might use these tags or styles to achieve something special. A blacklist is tricky here as you never know what new tags become available in browsers which could be misused.

Therefore in Connections 6.0 this blacklist was changed to a whitelist. All the attributes, elements and styles that a user can add (or which are added by the editors automatically when users create content) have to be explicitly whitelisted. You can check all these whitelisted items in the file “ojhs-whitelist-default.xml” (LotusConnectionsConfig/extern directory). This new behaviour could however block your adventurous users who used items which aren’t used by default by Connections. Examples of such items are the style properties z-index, position, top and left. These are the items that some users at my main customer used. Another item could be the file:// URL scheme, though you could wonder if you want to allow that one.

To add items to the whitelist, you can make a copy of the ojhs-whitelist-default.xml file, give it a descriptive name and add the items you need, as described pretty well in the IBM documentation. I had to add my extra items (the last four param entries below, shown in green in the original post) at the bottom of the file:

<allowStyling>
     <param value="display"/>
     <param value="float"/>
     <param value="position" />
     <param value="top" />
     <param value="left" />
     <param value="z-index" />
</allowStyling>
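
Before deploying a customised whitelist, it is worth reviewing exactly what it permits beyond the shipped default by diffing the two files section by section. The following Python script is an added example, not part of the original post or of IBM's tooling; the sample XML is constructed, and the `<whitelist>` root element and the function names are assumptions (only the `<allowStyling>`/`<param value>` shape comes from the post).

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for ojhs-whitelist-default.xml and a customised copy.
# Only the <allowStyling>/<param value="..."/> shape comes from the post; the
# <whitelist> root element is a placeholder (assumption).
DEFAULT_XML = """<whitelist><allowStyling>
  <param value="display"/>
  <param value="float"/>
</allowStyling></whitelist>"""

CUSTOM_XML = """<whitelist><allowStyling>
  <param value="display"/>
  <param value="float"/>
  <param value="position" />
  <param value="top" />
  <param value="left" />
  <param value="z-index" />
</allowStyling></whitelist>"""


def collect(xml_text):
    """Map each section path to the set of <param value="..."> entries in it."""
    sections = {}

    def walk(node, path):
        for child in node:
            name = child.tag.rsplit("}", 1)[-1]  # drop any XML namespace
            if name == "param" and "value" in child.attrib:
                sections.setdefault(path, set()).add(child.get("value").strip())
            else:
                walk(child, f"{path}/{name}")

    root = ET.fromstring(xml_text)
    walk(root, root.tag.rsplit("}", 1)[-1])
    return sections


def whitelist_diff(default_xml, custom_xml):
    """Return {section: {"added": [...], "removed": [...]}} for changed sections."""
    base, custom = collect(default_xml), collect(custom_xml)
    report = {}
    for section in sorted(base.keys() | custom.keys()):
        added = sorted(custom.get(section, set()) - base.get(section, set()))
        removed = sorted(base.get(section, set()) - custom.get(section, set()))
        if added or removed:
            report[section] = {"added": added, "removed": removed}
    return report


if __name__ == "__main__":
    print(whitelist_diff(DEFAULT_XML, CUSTOM_XML))
```

To use it on a real environment, read the default and the customised file from the LotusConnectionsConfig/extern directory and pass their contents to `whitelist_diff`; an empty result means the copy allows nothing beyond the default.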

The next step is to create a copy of the acp-configkey__default.xml file. Give it the (same) descriptive name and make it refer to your custom ojhs-whitelist file (as described in this HCL document):

<acp id="AcpDefaultWhitelist" className="com.ibm.ic.acf.impl.ojhs.OJHSActiveContentProcessor" xmlns="http://www.ibm.com/connections/acf/acp/1.0"
  xmlns:tns="http://www.ibm.com/connections/acf/acp/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.ibm.com/connections/acf/acp/1.0 chainedACPDefinition.xsd">
<!-- Copyright IBM Corp. 2018  All Rights Reserved.                    -->
  <params>
    <param value="defaultKey=position-z-index" />
  </params>
</acp>

The final configuration step is to refer to this file in your LotusConnectionsConfig.xml. You can choose for each applicable application whether you want to switch to your new whitelist or not. I only changed the whitelist for Blogs, Communities, Wikis and the Rich text widget.

<sloc:serviceReference acf_config_file="acp-configkey__position-z-index.xml" bootstrapHost="admin_replace" bootstrapPort="admin_replace" clusterName="BlogsCluster" enabled="true" person_card_service_name_js_eval="generalrs.label_personcard_blogslink" person_card_service_url_pattern="/roller-ui/allblogs?userid={userid}" serviceName="blogs" ssl_enabled="true">
  <sloc:href>
    <sloc:hrefPathPrefix>/blogs</sloc:hrefPathPrefix>
    <sloc:static href="https://<connectionsURL>" ssl_href="https://<connectionsURL>"/>
    <sloc:interService href="https://<connectionsURL>"/>
  </sloc:href>
</sloc:serviceReference>

Finally, you have to restart the applications to which you assigned the new whitelist, or simply restart the whole environment to be safe.