Udo Schnurpfeil created TOBAGO-1400:
---------------------------------------
Summary: Sanitize potentially malicious content in tc:textarea and tc:out
Key: TOBAGO-1400
URL: https://issues.apache.org/jira/browse/TOBAGO-1400
Project: MyFaces Tobago
Issue Type: New Feature
Components: Themes
Affects Versions: 2.0.0-beta-4
Reporter: Udo Schnurpfeil
Assignee: Udo Schnurpfeil
When having
  <tc:out escape="false"/>
or
  <tc:textarea>
    <tc:dataAttribute name="html-editor"/>
  </tc:textarea>
the content normally is HTML. This code should be sanitized to protect against XSS.
Sanitizing can be configured in the tobago-config.xml, and should be enabled by default.
See also:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
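The following is an added illustration, not Tobago's own sanitizer code, of the jsoup whitelist approach the cookbook above describes, applied to the kind of content that reaches tc:out with escape="false" or a tc:textarea marked as html-editor. The class name, the choice of Whitelist.relaxed(), the base URI and the constructed sample input are assumptions (newer jsoup releases call the Whitelist class Safelist).

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class HtmlEditorSanitizerExample {

    // Whitelist for editor-generated markup: relaxed() keeps common text
    // formatting, lists, tables, links and images, but no script, style,
    // iframe or object elements and no on* event-handler attributes.
    // Links additionally get rel="nofollow" forced on them.
    private static final Whitelist EDITOR_WHITELIST = Whitelist.relaxed()
            .addEnforcedAttribute("a", "rel", "nofollow");

    /**
     * Returns the sanitized body HTML. The baseUri lets jsoup resolve
     * relative href/src values to absolute ones instead of dropping them;
     * a javascript: URL is not an allowed protocol and is removed.
     */
    public static String sanitize(String html, String baseUri) {
        if (html == null) {
            return "";
        }
        return Jsoup.clean(html, baseUri, EDITOR_WHITELIST);
    }

    /**
     * True if the whitelist would leave the input unchanged. Useful when
     * the application wants to log or reject submissions that needed
     * cleaning rather than silently render the cleaned version.
     */
    public static boolean isAlreadyClean(String html) {
        return html == null || Jsoup.isValid(html, EDITOR_WHITELIST);
    }

    public static void main(String[] args) {
        // Constructed sample of what a user might submit through the
        // html-editor textarea: legitimate formatting mixed with a script
        // element, a javascript: link, a relative link and an inline
        // event handler on an image.
        String submitted = "<p>Hello <b>world</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">bad link</a>"
                + "<a href=\"/docs\">relative link</a>"
                + "<img src=\"x\" onerror=\"alert(1)\">";

        System.out.println("clean already? " + isAlreadyClean(submitted));
        System.out.println(sanitize(submitted, "https://example.org/"));
    }
}
```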
--
This message was sent by Atlassian JIRA
(v6.2#6252)