[
https://issues.apache.org/jira/browse/TOBAGO-1400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14011474#comment-14011474
]
Hudson commented on TOBAGO-1400:
--------------------------------
SUCCESS: Integrated in tobago-trunk #1182 (See [https://builds.apache.org/job/tobago-trunk/1182/])
TOBAGO-1400: Sanitize potentially malicious content in tc:textarea and tc:out
(lofwyr: http://svn.apache.org/viewvc/?view=rev&rev=1598041)
* /myfaces/tobago/trunk/pom.xml
* /myfaces/tobago/trunk/tobago-core/pom.xml
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/OutTagDeclaration.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/TextareaTagDeclaration.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/declaration/HasSanitize.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/renderkit/InputRendererBase.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/IgnoringSanitizer.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/Sanitizer.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/util/ComponentUtils.java
* /myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd
* /myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
* /myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/java/org/apache/myfaces/tobago/renderkit/html/standard/standard/tag/OutRenderer.java
* /myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/java/org/apache/myfaces/tobago/renderkit/html/standard/standard/tag/TextareaRenderer.java
> Sanitize potentially malicious content in tc:textarea and tc:out
> ----------------------------------------------------------------
>
> Key: TOBAGO-1400
> URL: https://issues.apache.org/jira/browse/TOBAGO-1400
> Project: MyFaces Tobago
> Issue Type: New Feature
> Components: Themes
> Reporter: Udo Schnurpfeil
> Assignee: Udo Schnurpfeil
> Fix For: 2.0.0-beta-4, 2.0.0
>
>
> When having
> {code}<tc:out escape="false"/>{code}
> or
> {code}<tc:textarea>
> <tc:dataAttribute name="html-editor"/>
> </tc:textarea>{code}
> the content is normally HTML. This content should be sanitized to protect
> against XSS.
> To avoid sanitizing this content, the two tags above get a new attribute
> "sanitize" (default value is "auto"); set the value to "never". But in most
> cases this should not be needed.
> Sanitizing can be configured in {{tobago-config.xml}} and is enabled by
> default.
> In the configuration you can define a class which does the job. It must
> implement {{org.apache.myfaces.tobago.sanitizer.Sanitizer}}.
> See also:
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
> http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
--
This message was sent by Atlassian JIRA
(v6.2#6252)
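The issue description above says a custom class implementing org.apache.myfaces.tobago.sanitizer.Sanitizer can be plugged in via tobago-config.xml. The following is an added example of such a class, written for this page; it is not part of the Hudson comment, the Tobago commit, or the project's own JsoupSanitizer. It assumes the interface consists of String sanitize(String) plus void setProperties(java.util.Properties), as suggested by the JsoupSanitizer and TobagoConfig files listed in the commit, and it assumes jsoup 1.7.x, where the whitelist class is org.jsoup.safety.Whitelist (later jsoup releases rename it Safelist). The package name, class name, the "allow-images" property and the test payloads are all invented for illustration.

```java
// Added example, not Tobago project code. Assumes the Sanitizer interface
// shape (sanitize/setProperties) described in the lead-in and jsoup 1.7.x.
package com.example.tobago;          // hypothetical package

import java.util.Properties;

import org.apache.myfaces.tobago.sanitizer.Sanitizer;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class StrictHtmlSanitizer implements Sanitizer {

  // Start from jsoup's "basic" list (a, b, blockquote, br, cite, code, dd, dl,
  // dt, em, i, li, ol, p, pre, q, small, span, strike, strong, sub, sup, u, ul).
  // It allows no img, no tables and no style attributes, and restricts <a href>
  // to http/https/ftp/mailto, so javascript: and data: URLs are dropped.
  private Whitelist whitelist = Whitelist.basic()
      .addTags("h1", "h2", "h3")
      .addEnforcedAttribute("a", "rel", "nofollow noopener noreferrer");

  @Override
  public String sanitize(String html) {
    if (html == null || html.isEmpty()) {
      return html;
    }
    // Jsoup.clean parses the fragment into a DOM and copies only whitelisted
    // elements and attributes into a fresh document. Event handlers such as
    // onerror/onmouseover, <script>, <iframe>, <object> and unknown tags are
    // therefore never part of the output; the cleaner does not try to "repair"
    // dangerous markup, it just omits it.
    return Jsoup.clean(html, whitelist);
  }

  @Override
  public void setProperties(Properties configuration) {
    // Hypothetical property "allow-images": only when set explicitly are <img>
    // tags let through, and then only with http/https sources.
    if ("true".equals(configuration.getProperty("allow-images"))) {
      whitelist = whitelist.addTags("img")
          .addAttributes("img", "src", "alt", "title", "width", "height")
          .addProtocols("img", "src", "http", "https");
    }
  }

  // Demo run over constructed payloads (not taken from any real application).
  public static void main(String[] args) {
    StrictHtmlSanitizer sanitizer = new StrictHtmlSanitizer();
    sanitizer.setProperties(new Properties());
    String[] payloads = {
        "<p>Hello <b>world</b></p>",
        "<p>x<script>alert(1)</script>y</p>",
        "<a href=\"javascript:alert(1)\">click</a>",
        "<a href=\"https://example.org/\">ok</a>",
        "<img src=x onerror=alert(1)>",
        "<p onmouseover=\"alert(1)\">hover</p>",
        "<iframe src=\"https://evil.example/\"></iframe>"
    };
    for (String payload : payloads) {
      System.out.println(payload + "  =>  " + sanitizer.sanitize(payload));
    }
  }
}
```

Two practical points when wiring a class like this in: the exact configuration element names live in the tobago-config-2.0.xsd that the commit adds, so take them from that schema rather than from memory; and the sanitizer only ever sees content that the issue describes as raw HTML (tc:out with escape="false", tc:textarea with the html-editor data attribute). Normal, escaped output is not routed through it, so a whitelist that is too tight shows up as missing markup in rich-text fields, not as broken plain-text output.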