[ https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787037#comment-16787037 ]
Jacques Le Roux commented on OFBIZ-10187: ----------------------------------------- Thanks Dennis, I'll have a look ASAP which should not be this weekend but the next, at the earliest. We need to extend policies usage to fix issues like OFBIZ-5254, OFBIZ-10054 and at large contiue the work began at OFBIZ-5343 and especially answer to discussion like https://markmail.org/message/gdyolxnpl5heu6ru. In other words to completely replace owasp.esapi by policies everywhere. > OWASP sanitizer breaks proper rendering of HTML code > ---------------------------------------------------- > > Key: OFBIZ-10187 > URL: https://issues.apache.org/jira/browse/OFBIZ-10187 > Project: OFBiz > Issue Type: Bug > Components: ALL COMPONENTS > Affects Versions: 16.11.04 > Reporter: Michael Brohl > Assignee: Michael Brohl > Priority: Critical > Attachments: OFBIZ-10187_Sanitizer.patch > > > The current implementation of the sanitizer breaks the proper rendering of > html code. In our case, class attributes are stripped from the html content. > Example: > {code:java} > <div class="item"> > <img > src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" > alt="" /> > <div class="container"> > <div class="slider-overlay"> > <h2>Lorem ipsum dolor sit amet</h2> > <h3>At vero eos et accusam et justo</h3> > <p> > Lorem ipsum dolor sit amet, consetetur > sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea > takimata sanctus est Lorem ipsum dolor sit amet. > </p> > <a class="btn btn-grey" > href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a> > </div> > </div> > </div>{code} > will be rendered to > {code:java} > <div> > <img > src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" > alt="" /> > <div> > <div> > <h2>Lorem ipsum dolor sit amet</h2> > <h3>At vero eos et accusam et justo</h3> > <p> > Lorem ipsum dolor sit amet, consetetur > sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea > takimata sanctus est Lorem ipsum dolor sit amet. > </p> > <a > href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a> > </div> > </div> > </div>{code} > I do not see any reason to not allow class attributes in html code. There > might be other problems with these rules but this is a showstopper. -- This message was sent by Atlassian JIRA (v7.6.3#76005)