[ https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16841172#comment-16841172 ] Dennis Balkir edited comment on OFBIZ-10187 at 5/16/19 9:54 AM:
----------------------------------------------------------------

Hi Jacques,

sorry for my late response, but I thought that you solved this for you after you wrote this comment.

{quote}Mmm, finally it's not as deprecated as I thought. Because [I looked at a fork|https://github.com/andresriancho/owaspantisamy] when I look at what I think it's the original I see it's maintained: [https://github.com/nahsra/antisamy] [https://github.com/nahsra/antisamy/issues/10] Still we are actually using [https://github.com/OWASP/java-html-sanitizer] which is clearly well maintained, and turning to antisamy does not seem to be better for us.{quote}

I actually got this CustomPolicy class from the GitHub project that you linked in one of your first comments:

{quote}I don't remember all about prepackaged policies from the top of my head and when looking for references from [https://github.com/OWASP/java-html-sanitizer] I got this{quote}

This is the example class featured in the project: [https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/examples/EbayPolicyExample.java]

I just added some important things that were missing and were not violatable with cross scripting, including some HTML 5 elements, since they were not at all featured in this example.

I hope this helps; if there are any more questions, feel free to ask.

> OWASP sanitizer breaks proper rendering of HTML code
> ----------------------------------------------------
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 18.12
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Critical
> Labels: backport-needed
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, OFBIZ-10187_Sanitizer_New.patch
>
> The current implementation of the sanitizer breaks the proper rendering of HTML code. In our case, class attributes are stripped from the HTML content.
> Example:
> {code:java}
> <div class="item">
>     <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
>     <div class="container">
>         <div class="slider-overlay">
>             <h2>Lorem ipsum dolor sit amet</h2>
>             <h3>At vero eos et accusam et justo</h3>
>             <p>
>                 Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                 takimata sanctus est Lorem ipsum dolor sit amet.
>             </p>
>             <a class="btn btn-grey" href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
>         </div>
>     </div>
> </div>
> {code}
> will be rendered to
> {code:java}
> <div>
>     <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
>     <div>
>         <div>
>             <h2>Lorem ipsum dolor sit amet</h2>
>             <h3>At vero eos et accusam et justo</h3>
>             <p>
>                 Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                 takimata sanctus est Lorem ipsum dolor sit amet.
>             </p>
>             <a href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
>         </div>
>     </div>
> </div>
> {code}
> I do not see any reason to not allow class attributes in HTML code. There might be other problems with these rules but this is a showstopper.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
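As an added illustration (not code from the OFBiz patches or from the sanitizer project), this is how a java-html-sanitizer policy built with HtmlPolicyBuilder can keep class attributes and admit some HTML5 sectioning elements while still dropping script content, next to the prepackaged Sanitizers building blocks that strip class as the reporter observed. The class name, the CLASS_TOKENS pattern, the element list and the sample markup are assumptions constructed for this example.

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class ClassPreservingPolicyDemo {

    // Assumed allow-list for class tokens: letters, digits, space, hyphen, underscore.
    private static final Pattern CLASS_TOKENS = Pattern.compile("[A-Za-z0-9 _\\-]+");

    // Permissive policy in the spirit of the CustomPermissivePolicy discussed in the issue:
    // keeps class on every allowed element and admits a few HTML5 sectioning elements.
    public static final PolicyFactory PERMISSIVE = new HtmlPolicyBuilder()
            .allowElements("a", "p", "div", "span", "h1", "h2", "h3", "img",
                           "section", "article", "header", "footer", "nav", "figure", "figcaption")
            .allowAttributes("class").matching(CLASS_TOKENS).globally()
            .allowAttributes("href").onElements("a")
            .allowAttributes("src", "alt").onElements("img")
            .allowStandardUrlProtocols()
            .toFactory();

    // The prepackaged building blocks: same kind of elements, but no class attribute,
    // which is the behaviour the reporter observed.
    public static final PolicyFactory STRICT =
            Sanitizers.BLOCKS.and(Sanitizers.LINKS).and(Sanitizers.IMAGES);

    // Constructed sample mirroring the issue's markup (FreeMarker macros replaced by plain paths),
    // plus an inline script to show that relaxing the class rule does not let scripts through.
    static final String SAMPLE =
            "<div class=\"item\">"
          + "<img src=\"/webcontent/img/slider/1.jpg\" alt=\"\" />"
          + "<div class=\"container\"><h2>Lorem ipsum</h2>"
          + "<a class=\"btn btn-grey\" href=\"/cms/~webpage_id=100\">weitere Informationen</a>"
          + "<script>document.title = 'x';</script>"
          + "</div></div>";

    public static void main(String[] args) {
        // Expected: class="item", class="container" and class="btn btn-grey" survive; <script> is dropped.
        System.out.println("permissive: " + PERMISSIVE.sanitize(SAMPLE));
        // Expected: every class attribute is stripped, as in the issue report.
        System.out.println("strict:     " + STRICT.sanitize(SAMPLE));
    }
}
```

The matching(Pattern) call is the part worth keeping even in a permissive policy: it bounds what a class value may contain, so widening the attribute allow-list does not turn into accepting arbitrary attribute text.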
