[ 
https://issues.apache.org/jira/browse/OFBIZ-12653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17894549#comment-17894549
 ] 

Wiebke Paetzold edited comment on OFBIZ-12653 at 10/31/24 12:27 PM:
--------------------------------------------------------------------

Hi [~jleroux], hi [~mbrohl],

I have looked into the problem and found a solution that both takes into 
account the new HTML sanitizer logic and prevents a hard-coded list from having 
to be kept for individual HTML characters to allow them.

With this solution we keep the original solution via a CustomSafePolicy and the 
advantage of the HTML sanitizing logic that <br>, <br /> and <br/> are allowed. 
Without the HTML Sanitizer, this is not possible with only using the OWASP 
Sanitizer, as the XHTML-compliant spelling <br \> is always used for br.

I have created a PR where I have already implemented my idea.


was (Author: wpaetzold):
Hi [~jleroux], hi [~mbrohl],

I have looked into the problem and found a solution that both takes into 
account the new HTML sanitizer logic and prevents a hard-coded list from having 
to be kept for individual HTML characters to allow them.

With this solution we keep the original solution via a CustomSafePolicy and the 
advantage of the HTML sanitizing logic that <br>, <br /> and <br/> are allowed. 
Without the HTML Sanitizer, this is not possible with only using the OWASP 
Sanitizer, as the XHTML-compliant spelling <br \> is always used for br.

> Sanitizer <br> fail
> -------------------
>
>                 Key: OFBIZ-12653
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12653
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: 22.01.01
>
>         Attachments: CustomSafePolicy.patch, OFBIZ-12653.patch, 
> UtilCodec.patch
>
>
> I copied a text with multiple lines from a text editor into the Trumbowyg 
> Html field. The editor creates the Html structure using unclosed <br> elements.
> Unfortunately the sanitizer logic just takes <br />. A security warning is 
> thrown and the content will not be stored.
> Also issued a request on the Trumbowyg request list:
> [https://github.com/Alex-D/Trumbowyg/issues/1283]
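The behaviour the comment above describes, reproduced as an added example that is not the PR's code and not OFBiz's CustomSafePolicy or UtilCodec: it uses the OWASP java-html-sanitizer (org.owasp.html) directly, with a minimal policy that allows only `br`, and shows why a strict "sanitized output must equal the input" check rejects `<br>` and `<br/>` even though they are harmless, since the renderer always emits the XHTML form `<br />`. The class, method names and the regex-based normalisation are assumptions made for this illustration, not the approach taken in the attached patches.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class BrSanitizerDemo {

    // Hypothetical minimal policy: only the line-break element is allowed.
    // It stands in for a project policy; it is not OFBiz's CustomSafePolicy.
    private static final PolicyFactory BR_ONLY_POLICY = new HtmlPolicyBuilder()
            .allowElements("br")
            .toFactory();

    /**
     * Strict check: the input is accepted only if sanitizing it changes nothing.
     * Because the OWASP renderer always writes void elements as "<br />",
     * "<br>" and "<br/>" never pass this comparison even though they are safe.
     */
    static boolean acceptedStrict(String input) {
        return BR_ONLY_POLICY.sanitize(input).equals(input);
    }

    /**
     * Normalise the three spellings of a line break to the form the sanitizer
     * emits before comparing, so equivalent markup is not flagged as tampering.
     * Anything else the sanitizer removes or rewrites still causes a mismatch.
     */
    static String normalizeBr(String html) {
        return html.replaceAll("(?i)<br\\s*/?>", "<br />");
    }

    static boolean acceptedNormalized(String input) {
        return BR_ONLY_POLICY.sanitize(input).equals(normalizeBr(input));
    }

    public static void main(String[] args) {
        // Constructed samples: three spellings of a line break, plus one
        // disallowed element to show the relaxed check is still strict elsewhere.
        String[] samples = {
            "line one<br>line two",
            "line one<br/>line two",
            "line one<br />line two",
            "line one<b>bold</b><br>line two"
        };
        for (String s : samples) {
            System.out.printf("%-34s sanitized=%-34s strict=%-5s normalized=%s%n",
                    s, BR_ONLY_POLICY.sanitize(s), acceptedStrict(s), acceptedNormalized(s));
        }
    }
}
```

With the OWASP library on the classpath, the first two samples fail the strict comparison and pass the normalised one, the third passes both, and the `<b>` sample fails both because the sanitizer strips the disallowed element and the comparison then differs regardless of how `br` is spelled.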
--
This message was sent by Atlassian Jira
(v8.20.10#820010)