[
https://issues.apache.org/jira/browse/TOBAGO-1400?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Udo Schnurpfeil resolved TOBAGO-1400.
-------------------------------------
Resolution: Fixed
> Sanitize potentially malicious content in tc:textarea and tc:out
> ----------------------------------------------------------------
>
> Key: TOBAGO-1400
> URL: https://issues.apache.org/jira/browse/TOBAGO-1400
> Project: MyFaces Tobago
> Issue Type: New Feature
> Components: Themes
> Reporter: Udo Schnurpfeil
> Assignee: Udo Schnurpfeil
> Fix For: 2.0.0-beta-4, 2.0.0
>
>
> When having
> {code}<tc:out escape="false"/>{code}
> or
> {code}<tc:textarea>
> <tc:dataAttribute name="html-editor">
> </tc:textarea>{code}
> the content is normally HTML. This code should be sanitized to protect
> against XSS.
> To avoid sanitizing this content, the two tags above get a new attribute
> "sanitize" (default value is "auto"); set the value to "never". But in most
> cases this should not be needed.
> Sanitizing can be configured in the {{tobago-config.xml}}, and is enabled by
> default.
> In the configuration you can define a class that does the job. It must
> implement {{org.apache.myfaces.tobago.sanitizer.Sanitizer}}.
> See also:
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
> http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
--
This message was sent by Atlassian JIRA
(v6.2#6252)
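The following is an added example of the kind of pluggable sanitizer the issue describes, written here for illustration; it is not Tobago's own code. It assumes the `org.apache.myfaces.tobago.sanitizer.Sanitizer` interface named in the issue exposes a single `String sanitize(String html)` method (an assumption about the interface, not confirmed by the issue text) and that jsoup 1.7.x is on the classpath. The sample HTML is constructed for the demonstration and combines the three payload shapes a whitelist sanitizer is expected to strip: an inline event handler, a script element, and a `javascript:` link.

```java
// Added example (not Tobago project code). Assumed Sanitizer signature:
// String sanitize(String html). Uses the jsoup whitelist cleaner linked
// in the issue.
package example;

import org.apache.myfaces.tobago.sanitizer.Sanitizer;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class WhitelistSanitizer implements Sanitizer {

  private final Whitelist whitelist;

  public WhitelistSanitizer() {
    // relaxed(): allows common text formatting, lists, tables, links and
    // images; disallows <script>, <style>, on* event attributes, and
    // restricts a:href to ftp/http/https/mailto, so "javascript:" is dropped.
    this.whitelist = Whitelist.relaxed();
  }

  @Override
  public String sanitize(String html) {
    if (html == null || html.isEmpty()) {
      return html;
    }
    // Jsoup.clean parses the fragment, walks the tree and copies only
    // whitelisted elements/attributes into a fresh document body.
    return Jsoup.clean(html, whitelist);
  }

  // Convenience check: true when the input already conforms to the whitelist,
  // i.e. sanitizing would not change anything. Useful for logging/alerting
  // on content that actually had something removed.
  public boolean isClean(String html) {
    return html == null || Jsoup.isValid(html, whitelist);
  }

  public static void main(String[] args) {
    WhitelistSanitizer sanitizer = new WhitelistSanitizer();

    // Constructed input resembling what an attacker might store in a field
    // later rendered with <tc:out escape="false"/> or an HTML-editor textarea.
    String untrusted = "<p onmouseover=\"alert(1)\">Hello</p>"
        + "<script>alert(document.cookie)</script>"
        + "<a href=\"javascript:alert(2)\">link</a>"
        + "<a href=\"https://example.invalid/\">ok</a>";

    System.out.println("needed sanitizing: " + !sanitizer.isClean(untrusted));
    // Output keeps <p>Hello</p> and the https link; the event handler,
    // the script element and the javascript: href are removed.
    System.out.println(sanitizer.sanitize(untrusted));
  }
}
```

Treating `isClean` as a signal worth logging is the practical point: a sanitizer that silently strips markup protects the page, but a counter of how often it had to strip something tells the operator which input path is receiving hostile content and deserves a look.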