Wiebke Pätzold created OFBIZ-12258:
--------------------------------------
Summary: Adding tel protocol in CustomPermissivePolicy is not working
Key: OFBIZ-12258
URL:
https://issues.apache.org/jira/browse/OFBIZ-12258 Project: OFBiz
Issue Type: Bug
Reporter: Wiebke Pätzold
Assignee: Wiebke Pätzold
At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.
When checking the policies in org.owasp.html.JoinedAttributePolicy
"
public @Nullable String apply(
String elementName, String attributeName, @Nullable String rawValue) {
String value = rawValue;
for (AttributePolicy p : policies) {
if (value == null) \{ break; }
value = p.apply(elementName, attributeName, value);
}
return value;
}
"
It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tell protocol, there are now several policies, the Cusomized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
