OFBiz OFBiz - Notifications

[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Nicolas Malin (Jira)
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16841370#comment-16841370 ]

Dennis Balkir commented on OFBIZ-10187:
---------------------------------------

Hi Jacques,

you are right, these are missing in my version.

I checked it and it seems, that the ebay version on github was changed on 25th march this year, so it might be possible, that the missing components just weren't in this file as I used it as a template for my changes.

I didn't add them myself, because I thought, that they are not important enough to put them inside of an OFBiz policy opposing to the ones I added, which are quite important for current development with HTML 5.

> OWASP sanitizer breaks proper rendering of HTML code
> ----------------------------------------------------
>
>                 Key: OFBIZ-10187
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10187
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 18.12
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Critical
>              Labels: backport-needed
>             Fix For: 17.12.01, 16.11.06, 18.12.01
>
>         Attachments: OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>             <div class="item">
>                  <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
>                  <div class="container">
>                      <div class="slider-overlay">
>                          <h2>Lorem ipsum dolor sit amet</h2>
>                          <h3>At vero eos et accusam et justo</h3>
>                          <p>
>                              Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          </p>
>                          <a class="btn btn-grey" href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
>                      </div>
>                  </div>
>              </div>{code}
> will be rendered to
> {code:java}
>             <div>
>                  <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
>                  <div>
>                      <div>
>                          <h2>Lorem ipsum dolor sit amet</h2>
>                          <h3>At vero eos et accusam et justo</h3>
>                          <p>
>                              Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          </p>
>                          <a href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
>                      </div>
>                  </div>
>              </div>{code}
> I do not see any reason to not allow class attributes in html code. There might be other problems with these rules but this is a showstopper.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Free forum by Nabble Edit this page