How to ensure private editorial fields are not publicly available

By default, the Content API returns editorial-facing comments when fetching articles. Use this guide to ensure that this potentially sensitive information is not publicly available.

Remove the ANS fields listed below in the affected Content Sources, either through filtering (see Content Filtering in PageBuilder) or by selectively removing the fields in the Content Source's fetch or transform function.

content_elements.additional_properties.inline_comments
content_elements.additional_properties.comments

Data that is not returned from the Content Source will not be exposed to users.

Transforming the data and removing the concerned fields is the most straightforward way to ensure that no editorial data is exposed to the public.

In order to sanitize the content source output, add a transform function that iterates through all of the content elements and removes any sensitive fields.

If comments are also attached to deeper-level ANS, such as Link Lists, then the code needs to handle that nesting as well. Additionally, any Content Elements used in other content sources should go through the same transform function, just as image resizing has to be applied at every level.

Example code that removes top-level comments only:

{
  resolve,
  // transform runs on the fetched ANS before it is cached and exposed to the page
  transform: (data) => {
    const updatedContentElements = (data.content_elements || []).map((element) => {
      const tmpElement = element;
      // Drop the editorial-only fields from each top-level content element
      if (tmpElement?.additional_properties?.inline_comments) delete tmpElement.additional_properties.inline_comments;
      if (tmpElement?.additional_properties?.comments) delete tmpElement.additional_properties.comments;
      return tmpElement;
    });
    return {
      ...data,
      content_elements: updatedContentElements,
    };
  },
}

As a result, all comments should be removed from Content Elements having this format:

{
  "_id": "..",
  "type": "...",
  "additional_properties": {
    "comments": [],
    "inline_comments": []
  },
  "content": "..."
},

resulting in:

{
  "_id": "..",
  "type": "...",
  "additional_properties": {},
  "content": "..."
},
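The transform above only walks the top-level content_elements, so comments attached to nested ANS (list items, link lists, elements embedded in other elements) would still reach the browser. The following is an added example, not Arc XP's or PageBuilder's own code, of a transform that removes the two fields at every depth without mutating the upstream response, plus a small finder that reports any remaining occurrences so the output can be verified offline. The resolve URL and the sample story are constructed for illustration and are assumptions, not values from the page.

```javascript
// Added example (not Arc XP / PageBuilder code): strip editorial comment fields
// from ANS at every nesting level, and verify that none remain.
const SENSITIVE_FIELDS = ['comments', 'inline_comments'];

// Return a deep copy of any ANS value with the sensitive keys removed from every
// additional_properties object, however deeply nested. The input is left intact,
// so a cached upstream response is never modified in place.
function stripEditorialFields(node) {
  if (Array.isArray(node)) return node.map(stripEditorialFields);
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    const isProps = key === 'additional_properties' && value && typeof value === 'object' && !Array.isArray(value);
    if (isProps) {
      const cleaned = {};
      for (const [k, v] of Object.entries(value)) {
        if (!SENSITIVE_FIELDS.includes(k)) cleaned[k] = stripEditorialFields(v);
      }
      out[key] = cleaned;
    } else {
      out[key] = stripEditorialFields(value);
    }
  }
  return out;
}

// Collect the paths of every sensitive key anywhere in the document; an empty
// result means the transform output is safe to expose. Deliberately broader than
// the stripper (any key named comments/inline_comments, not only under
// additional_properties) so it errs on the side of flagging.
function findEditorialFields(node, path = '$', found = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findEditorialFields(item, `${path}[${i}]`, found));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (SENSITIVE_FIELDS.includes(key)) found.push(`${path}.${key}`);
      else findEditorialFields(value, `${path}.${key}`, found);
    }
  }
  return found;
}

// Content source fragment in the same shape as the page's example; the resolve
// URL is a hypothetical placeholder.
const contentSource = {
  resolve: (query) => `/content/v4/?_id=${encodeURIComponent(query._id)}`,
  transform: (data) => stripEditorialFields(data),
};

// Constructed sample ANS: comments at the story level, on a top-level element,
// and inside a nested list item (the "deeper-level ANS" case).
const sampleStory = {
  _id: 'ABC123',
  type: 'story',
  additional_properties: { comments: ['story-level editorial note'] },
  content_elements: [
    {
      _id: 'p1',
      type: 'text',
      additional_properties: { comments: [], inline_comments: [{ comment_text: 'rephrase this' }] },
      content: 'Hello',
    },
    {
      _id: 'l1',
      type: 'list',
      items: [
        {
          _id: 'li1',
          type: 'text',
          additional_properties: { inline_comments: ['nested note'], _id: 'keep-me' },
          content: 'item',
        },
      ],
    },
  ],
};

// Run the transform on the sample and count sensitive fields before and after.
function demo() {
  const before = findEditorialFields(sampleStory).length;
  const cleaned = contentSource.transform(sampleStory);
  const after = findEditorialFields(cleaned).length;
  return { before, after, cleaned };
}

console.log(demo()); // before: 4, after: 0
```

Because the stripper returns a new object rather than editing in place, the same function can safely be reused as the transform of every content source that returns ANS, and the finder gives the same answer as the console search in the next section but can run in a unit test before deployment.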

How to check your site

To validate that only publicly available information is returned from your configured content sources, use the Arc XP Chrome extension to inspect the data available within your content caches. Learn how to install the Chrome extension.

(Screenshot: Arc XP Chrome extension)

If you’re familiar with Chrome’s native developer tools, you can recursively search for the “comments” and “inline_comments” properties in Fusion.globalContent and Fusion.contentCache by running the code snippet below in the browser’s developer console.

// Recursively search obj for a property named key and log each match with its path
function searchProp(objName, obj, key, parentTree) {
  if (!parentTree) {
    console.log('\n------------\n\nSearching `' + key + '` in ' + objName);
  }
  for (let p in obj) {
    if (p === key) console.log((parentTree || '') + '.' + p + ': ', obj[p]);
    else if (obj[p] !== null && typeof obj[p] === 'object') searchProp(objName, obj[p], key, (parentTree || '') + '.' + p);
  }
}
searchProp('Fusion.globalContent', Fusion.globalContent, 'inline_comments');
searchProp('Fusion.globalContent', Fusion.globalContent, 'comments');
searchProp('Fusion.contentCache', Fusion.contentCache, 'inline_comments');
searchProp('Fusion.contentCache', Fusion.contentCache, 'comments');

This snippet prints the path and value of every matching node, so you can inspect each found object or value in the console. If nothing is printed after the “Searching” header for a given property, that property is not present in the cached content.