[ https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787637#comment-16787637 ]
Jacques Le Roux commented on OFBIZ-10187: ----------------------------------------- Hi Michael, Agreed, it should be another Jira based on the work Dennis did here (still to be rewieved). Because, as I wrote many times, owasp.esapi is flawed and that was the reason the sanitizer and policies were created. I'll see that later... > OWASP sanitizer breaks proper rendering of HTML code > ---------------------------------------------------- > > Key: OFBIZ-10187 > URL: https://issues.apache.org/jira/browse/OFBIZ-10187 > Project: OFBiz > Issue Type: Bug > Components: ALL COMPONENTS > Affects Versions: 16.11.04 > Reporter: Michael Brohl > Assignee: Michael Brohl > Priority: Critical > Attachments: OFBIZ-10187_Sanitizer.patch > > > The current implementation of the sanitizer breaks the proper rendering of > html code. In our case, class attributes are stripped from the html content. > Example: > {code:java} > <div class="item"> > <img > src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" > alt="" /> > <div class="container"> > <div class="slider-overlay"> > <h2>Lorem ipsum dolor sit amet</h2> > <h3>At vero eos et accusam et justo</h3> > <p> > Lorem ipsum dolor sit amet, consetetur > sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea > takimata sanctus est Lorem ipsum dolor sit amet. > </p> > <a class="btn btn-grey" > href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a> > </div> > </div> > </div>{code} > will be rendered to > {code:java} > <div> > <img > src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" > alt="" /> > <div> > <div> > <h2>Lorem ipsum dolor sit amet</h2> > <h3>At vero eos et accusam et justo</h3> > <p> > Lorem ipsum dolor sit amet, consetetur > sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea > takimata sanctus est Lorem ipsum dolor sit amet. > </p> > <a > href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a> > </div> > </div> > </div>{code} > I do not see any reason to not allow class attributes in html code. There > might be other problems with these rules but this is a showstopper. -- This message was sent by Atlassian JIRA (v7.6.3#76005)