[
https://issues.apache.org/jira/browse/OFBIZ-12691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605242#comment-17605242
]
ASF subversion and git services commented on OFBIZ-12691:
---------------------------------------------------------
Commit 71cf2a8b8d9a0beea5960442706320561351f1f6 in ofbiz-framework's branch
refs/heads/release22.01 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=71cf2a8b8d ]
Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)
This is a no functional changes. It makes things clearer.
I initially wanted to rather do that and forgot. The idea is to no change the
sanitization done by HtmlSanitizer.Policy(). We just need to be sure that the
comparison with unescapeEcmaScriptAndHtml4 works.
Maybe later we will figure out that some more HTML entities will need to be
added to "'" and """...
> Extend HTML Sanitizer - style attribute
> ---------------------------------------
>
> Key: OFBIZ-12691
> URL: https://issues.apache.org/jira/browse/OFBIZ-12691
> Project: OFBiz
> Issue Type: Bug
> Components: content
> Affects Versions: Upcoming Branch
> Reporter: Ingo Wolfmayr
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 22.01.01
>
> Attachments: SanitizerStyle.patch
>
>
> Right now it is not possible to assign inline style to html content.
> Trumbowyg Editor uses such tags for align paragraphs.
> style="text-align:right"
> It is necessary to remove space within the attribute and remove the trailing
> semicolon in order to apply with OWASP filter rules.
> Create or open content with "Long text". Goto dataresource and edit HTML. Put
> in some text and use the align icons (right, center ...) to format the text.
> Save. You will get a security info.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
