[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mathieu Lirzin updated OFBIZ-10187:
---
Attachment: OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
> Labels: backport-needed
> Fix For: 17.12.01, 18.12.01
>
> Attachments:
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch,
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch,
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> I do not see any reason to not allow class attributes in html code. There
> might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl updated OFBIZ-10187:
--
Labels: backport-needed (was: )
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
> Labels: backport-needed
> Fix For: 17.12.01, 18.12.01
>
> Attachments: OFBIZ-10187_Sanitizer.patch,
> OFBIZ-10187_Sanitizer_16.11.patch, OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> I do not see any reason to not allow class attributes in html code. There
> might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl updated OFBIZ-10187:
--
Attachment: OFBIZ-10187_Sanitizer_16.11.patch
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
> Attachments: OFBIZ-10187_Sanitizer.patch,
> OFBIZ-10187_Sanitizer_16.11.patch, OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> I do not see any reason to not allow class attributes in html code. There
> might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl updated OFBIZ-10187:
--
Fix Version/s: 18.12.01
17.12.01
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
> Fix For: 17.12.01, 18.12.01
>
> Attachments: OFBIZ-10187_Sanitizer.patch,
> OFBIZ-10187_Sanitizer_16.11.patch, OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> I do not see any reason to not allow class attributes in html code. There
> might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl updated OFBIZ-10187:
--
Affects Version/s: Release Branch 18.12
Release Branch 17.12
Trunk
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
> Attachments: OFBIZ-10187_Sanitizer.patch,
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> I do not see any reason to not allow class attributes in html code. There
> might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dennis Balkir updated OFBIZ-10187:
--
Attachment: OFBIZ-10187_Sanitizer_New.patch
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: 16.11.04
>Reporter: Michael Brohl
>Assignee: Dennis Balkir
>Priority: Critical
> Attachments: OFBIZ-10187_Sanitizer.patch,
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> I do not see any reason to not allow class attributes in html code. There
> might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dennis Balkir updated OFBIZ-10187:
--
Attachment: OFBIZ-10187_Sanitizer.patch
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: 16.11.04
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
> Attachments: OFBIZ-10187_Sanitizer.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> I do not see any reason to not allow class attributes in html code. There
> might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl updated OFBIZ-10187:
--
Description:
The current implementation of the sanitizer breaks the proper rendering of html
code. In our case, class attributes are stripped from the html content.
Example:
{code:java}
Lorem ipsum dolor sit amet
At vero eos et accusam et justo
Lorem ipsum dolor sit amet, consetetur sadipscing
elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
takimata sanctus est Lorem ipsum dolor sit amet.
weitere Informationen
{code}
will be rendered to
{code:java}
Lorem ipsum dolor sit amet
At vero eos et accusam et justo
Lorem ipsum dolor sit amet, consetetur sadipscing
elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
takimata sanctus est Lorem ipsum dolor sit amet.
weitere Informationen
{code}
I do not see any reason to not allow class attributes in html code. There might
be other problems with these rules but this is a showstopper.
was:
The current implementation of the PERMISSIVE_POLICY breaks the proper rendering
of html code. In our case, class attributes are stripped from the html content.
Example:
{code:java}
Lorem ipsum dolor sit amet
At vero eos et accusam et justo
Lorem ipsum dolor sit amet, consetetur sadipscing
elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
takimata sanctus est Lorem ipsum dolor sit amet.
weitere Informationen
{code}
will be rendered to
{code:java}
Lorem ipsum dolor sit amet
At vero eos et accusam et justo
Lorem ipsum dolor sit amet, consetetur sadipscing
elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
takimata sanctus est Lorem ipsum dolor sit amet.
weitere Informationen
{code}
I do not see any reason to not allow class attributes in html code. There might
be other problems with these rules but this is a showstopper.
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: 16.11.04
>Reporter: Michael Brohl
>Priority: Critical
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum
