[
https://issues.apache.org/jira/browse/OFBIZ-12691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17603479#comment-17603479
]
ASF subversion and git services commented on OFBIZ-12691:
---------------------------------------------------------
Commit 56c3fa8807fb73b31068c781baeac7a3fa9f1184 in ofbiz-framework's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=56c3fa8807 ]
Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691)
While backporting the previous trunk commit (to a0d829f770), a test error showed in
22.01 (not in trunk, where the same was just in the log).
Then if today you try to put a quote (single or double) at
https://demo-trunk.ofbiz.apache.org/content/control/WebSiteCms?webSiteId=CmsSite
you won't be able to, because of:
<<The Following Errors Occurred:
In field [textData] by our input policy, your input has not been accepted for
security reason. Please check and modify accordingly, thanks.>>
This is due to the use of HtmlSanitizer.Policy() on the value in
checkStringForHtmlSafe.
The solution is to put back quotes (single or double) before comparing.
While at it, I also modified checkStringForHtmlSafe to return safe HTML entities
for ' and ".
This also adds comments about why we have <<new Locale("test")>> in several
places: labels are not available in the testClasses Gradle task.
> Extend HTML Sanitizer - style attribute
> ---------------------------------------
>
> Key: OFBIZ-12691
> URL: https://issues.apache.org/jira/browse/OFBIZ-12691
> Project: OFBiz
> Issue Type: Bug
> Components: content
> Affects Versions: Upcoming Branch
> Reporter: Ingo Wolfmayr
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 22.01.01
>
> Attachments: SanitizerStyle.patch
>
>
> Right now it is not possible to assign an inline style to HTML content.
> The Trumbowyg editor uses such tags to align paragraphs:
> style="text-align:right"
> It is necessary to remove the space within the attribute and the trailing
> semicolon in order to comply with the OWASP filter rules.
> Create or open content with "Long text". Go to the data resource and edit the HTML. Put
> in some text and use the align icons (right, center ...) to format the text.
> Save. You will get a security info message.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
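The commit describes a check that sanitizes the submitted HTML and then compares the result with the original, which rejects any input containing a quote because the sanitizer renders quotes as entities, and which also rejects the editor's `style="text-align: right;"` until the CSS is written in the form the sanitizer itself emits. The following is an added illustration of that "sanitize, then compare, putting the quotes back first" check; it is not OFBiz's checkStringForHtmlSafe nor any code from the commit. It assumes the OWASP Java HTML Sanitizer (org.owasp.html) on the classpath, that the sanitizer renders `"` as `&#34;` and `'` as `&#39;`, and a made-up policy; the class and method names and the sample inputs are constructed for the example.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example, not OFBiz code: a "sanitize then compare" HTML-safety check
 * that tolerates the sanitizer's quote escaping, as the commit describes.
 */
public final class HtmlSafeCheckExample {

    // Assumed policy for the example: a few block/inline elements plus a
    // style attribute whose CSS is limited to the sanitizer's default schema.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "div", "span", "b", "i")
            .allowStyling()
            .toFactory();

    /**
     * Assumption: the sanitizer renders a literal " as &#34; and ' as &#39;.
     * Put the quotes back so a value whose only change after sanitizing is
     * that escaping is not rejected as unsafe.
     */
    static String restoreQuotes(String sanitized) {
        return sanitized.replace("&#34;", "\"").replace("&#39;", "'");
    }

    /**
     * True when sanitizing changes nothing except the quote escaping.
     * Anything the policy dropped or rewrote (a disallowed tag, a stripped
     * attribute, CSS normalized to a different spelling) fails the check.
     */
    static boolean isHtmlSafe(String value) {
        String sanitized = POLICY.sanitize(value);
        return restoreQuotes(sanitized).equals(value);
    }

    /**
     * The accepted value with ' and " as entities (the sanitizer's own
     * rendering), or null when the input is rejected. Mirrors the idea of
     * returning safe entities for the quotes instead of the raw characters.
     */
    static String acceptOrNull(String value) {
        return isHtmlSafe(value) ? POLICY.sanitize(value) : null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the example, not data from the issue.
        String[] samples = {
            "<p>plain text</p>",
            "<p>he said \"hi\" and 'bye'</p>",            // quotes only: restoreQuotes makes it pass
            "<p style=\"text-align:right\">right</p>",    // compact CSS, as the reporter describes
            "<p style=\"text-align: right;\">right</p>",  // space and trailing semicolon
            "<p onclick=\"alert(1)\">x</p>",              // event-handler attribute, not in the policy
        };
        for (String s : samples) {
            System.out.println((isHtmlSafe(s) ? "accept " : "reject ")
                    + s + "  =>  " + POLICY.sanitize(s));
        }
    }
}
```

Run it with the sanitizer jar on the classpath and read the verdict next to each input. Only the quote escaping is undone before the comparison: a `style` value that the sanitizer rewrites (the spaced, semicolon-terminated form from the editor) still differs from the original and is rejected, which is the behaviour the reporter describes, while the compact `text-align:right` round-trips unchanged. If an application needs to accept the editor's spelling, it should compare against a normalized form of the input rather than the raw string; that is a separate design choice this example does not make.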