[jira] [Updated] (OFBIZ-12258) Adding tel protocol in CustomPermissivePolicy is not working


Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-12258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12258:
------------------------------------
    Description:
At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.

When checking the policies in org.owasp.html.JoinedAttributePolicy


{code:java}
public @Nullable String apply(
    String elementName, String attributeName, @Nullable String rawValue) {
  String value = rawValue;
  for (AttributePolicy p : policies) {
    // a null result from any policy rejects the attribute; later policies are skipped
    if (value == null) { break; }
    value = p.apply(elementName, attributeName, value);
  }
  return value;
}
{code}


It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tel protocol, there are now several policies, the Customized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.

 

  was:
At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.

When checking the policies in org.owasp.html.JoinedAttributePolicy

 "
public @Nullable String apply(
    String elementName, String attributeName, @Nullable String rawValue) {
  String value = rawValue;
  for (AttributePolicy p : policies) {
    if (value == null) { break; }
    value = p.apply(elementName, attributeName, value);
  }
  return value;
}
"

It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tel protocol, there are now several policies, the Customized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.

 


> Adding tel protocol in CustomPermissivePolicy is not working
> ------------------------------------------------------------
>
>                 Key: OFBIZ-12258
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12258
>             Project: OFBiz
>          Issue Type: Bug
>            Reporter: Wiebke Pätzold
>            Assignee: Wiebke Pätzold
>            Priority: Major
>
> At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.
> When checking the policies in org.owasp.html.JoinedAttributePolicy
> {code:java}
> public @Nullable String apply(
>     String elementName, String attributeName, @Nullable String rawValue) {
>   String value = rawValue;
>   for (AttributePolicy p : policies) {
>     if (value == null) { break; }
>     value = p.apply(elementName, attributeName, value);
>   }
>   return value;
> } 
> {code}
> It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tel protocol, there are now several policies, the Customized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
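
The chaining behaviour described in the issue, as an added example that is not part of the original message and is not OFBiz or OWASP sanitizer code: a self-contained Java model in which `AttributePolicy`, `allowProtocols` and `join` are hypothetical stand-ins and the sample href values are constructed. It shows that joining policies can only narrow what is accepted, so a protocol has to be allowed by every policy in the chain, not just by the added one.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class JoinedPolicyDemo {
  // Hypothetical stand-in for an attribute policy: returning null rejects the value.
  interface AttributePolicy {
    String apply(String elementName, String attributeName, String value);
  }

  // Hypothetical protocol allow-list; values without a scheme pass unchanged.
  static AttributePolicy allowProtocols(Set<String> allowed) {
    return (el, attr, value) -> {
      for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        if (c == '/' || c == '?' || c == '#') { return value; } // relative URL
        if (c == ':') {
          String scheme = value.substring(0, i).toLowerCase(Locale.ROOT);
          return allowed.contains(scheme) ? value : null;
        }
      }
      return value;
    };
  }

  // Same loop as the apply() quoted in the issue: the first null ends the chain.
  static AttributePolicy join(List<AttributePolicy> policies) {
    return (el, attr, rawValue) -> {
      String value = rawValue;
      for (AttributePolicy p : policies) {
        if (value == null) { break; }
        value = p.apply(el, attr, value);
      }
      return value;
    };
  }

  public static void main(String[] args) {
    AttributePolicy standard = allowProtocols(Set.of("http", "https", "mailto"));
    AttributePolicy custom = allowProtocols(Set.of("http", "https", "mailto", "tel"));
    AttributePolicy joined = join(List.of(standard, custom));
    // Constructed sample values.
    for (String href : List.of("https://example.org/", "tel:+10000000000", "/relative/path")) {
      System.out.println(href + " -> joined: " + joined.apply("a", "href", href)
          + ", custom only: " + custom.apply("a", "href", href));
    }
  }
}
```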