HTML Validation and Security
The Simple Content Management portlet uses OWASP's AntiSamy tool to validate and sanitize HTML input. By default, the portlet ships with a configuration that prevents users from entering JavaScript or other potentially dangerous code.
Using JavaScript
While the validation rules for most HTML tags and attributes may be set by editing the AntiSamy policy file, no amount of tweaking that file will make AntiSamy allow the inclusion of JavaScript code. The only way to let content publishers include script elements is to disable the AntiSamy scan altogether, which also disables every other HTML filtering rule.
Important Considerations
Disabling AntiSamy means that any user with publishing rights in your portal will be able to include potentially dangerous code in the portal. Please do not disable HTML validation unless you've carefully reviewed your portal's administrative groups and permissions, have locked down access to the portal's configuration mode, and trust both the judgement and HTML authoring skills of your administrative users.
Before disabling AntiSamy, Jen recommends taking a deep breath while reflecting over the life and times of Little Bobby Tables.
Disabling AntiSamy
AntiSamy may be disabled via a simple portlet preference called "cleanContent". To disable content scanning, simply set "cleanContent" to "false". A sample alternate "Advanced CMS" configuration with content scanning disabled is included at the bottom of the distributed portlet.xml file.
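The following is an added example, not code from the Simple Content Management portlet itself, showing what the "cleanContent" preference decides: with scanning on, AntiSamy's standard API (Policy.getInstance, AntiSamy.scan, CleanResults) strips script elements and event-handler attributes from an author's HTML and reports each removal; with scanning off, the authored HTML is stored exactly as typed. The class name, the policy file path and the sample input are assumptions constructed for this illustration; it assumes the AntiSamy library is on the classpath and that a policy file such as the one shipped with the portlet is available.

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

/**
 * Hypothetical helper mirroring the "cleanContent" portlet preference:
 * true  -> authored HTML is run through AntiSamy before it is stored
 * false -> authored HTML is stored verbatim (no filtering at all)
 */
public class CleanContentGate {

    private final Policy policy;        // AntiSamy policy loaded from the configured policy file
    private final boolean cleanContent; // value of the "cleanContent" preference

    public CleanContentGate(String policyPath, boolean cleanContent) throws Exception {
        // Policy.getInstance(String) reads the AntiSamy policy XML from the given path
        this.policy = Policy.getInstance(policyPath);
        this.cleanContent = cleanContent;
    }

    /** Returns the HTML that the portlet would persist for the given author input. */
    public String process(String authoredHtml) throws Exception {
        if (!cleanContent) {
            // cleanContent=false: nothing is removed, script elements pass straight through
            return authoredHtml;
        }
        CleanResults results = new AntiSamy().scan(authoredHtml, policy);
        // Every element or attribute AntiSamy dropped is reported; surfacing these
        // in the portal log gives administrators an audit trail of rejected markup.
        List<String> removed = results.getErrorMessages();
        for (String message : removed) {
            System.err.println("AntiSamy removed: " + message);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: path to the AntiSamy policy file (replace with your portlet's policy)
        String policyPath = args.length > 0 ? args[0] : "antisamy-policy.xml";

        // Constructed sample input: one inline event handler and one script element
        String authored = "<p onmouseover=\"alert(1)\">Hello</p><script>alert(1)</script>";

        CleanContentGate scanning = new CleanContentGate(policyPath, true);
        System.out.println("cleanContent=true : " + scanning.process(authored));
        // With a default-style policy, both the onmouseover attribute and the
        // <script> element are removed and listed on stderr.

        CleanContentGate unfiltered = new CleanContentGate(policyPath, false);
        System.out.println("cleanContent=false: " + unfiltered.process(authored));
        // The script element reaches the stored content unchanged.
    }
}
```

Run it with the path to your AntiSamy policy file as the first argument. The contrast between the two outputs is the whole security decision behind the preference: once "cleanContent" is "false", the policy file is no longer consulted for anything, so every tag-level restriction you tuned in it is gone along with the script restriction.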