[ https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16847545#comment-16847545 ]
Jacques Le Roux commented on OFBIZ-10187: ----------------------------------------- Hi Dennis, After our discussion with Dennis, I checked and the pattern ONSITE_URL would be useless without .allowAttributes("background").matching(ONSITE_URL) .onElements("table") .allowAttributes("background").matching(ONSITE_URL) .onElements("td", "th", "tr") So I put them in, in trunk r1859871 R18 r1859872 R17 r1859873 (too fast, when I hit enter I saw there was not related pending changes. I'll have to revert those) R16 r1859874 > OWASP sanitizer breaks proper rendering of HTML code > ---------------------------------------------------- > > Key: OFBIZ-10187 > URL: https://issues.apache.org/jira/browse/OFBIZ-10187 > Project: OFBiz > Issue Type: Bug > Components: ALL COMPONENTS > Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch > 18.12 > Reporter: Michael Brohl > Assignee: Michael Brohl > Priority: Critical > Labels: backport-needed > Fix For: 17.12.01, 16.11.06, 18.12.01 > > Attachments: > OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, > OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, > OFBIZ-10187_Sanitizer_New.patch > > > The current implementation of the sanitizer breaks the proper rendering of > html code. In our case, class attributes are stripped from the html content. > Example: > {code:java} > <div class="item"> > <img > src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" > alt="" /> > <div class="container"> > <div class="slider-overlay"> > <h2>Lorem ipsum dolor sit amet</h2> > <h3>At vero eos et accusam et justo</h3> > <p> > Lorem ipsum dolor sit amet, consetetur > sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea > takimata sanctus est Lorem ipsum dolor sit amet. > </p> > <a class="btn btn-grey" > href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a> > </div> > </div> > </div>{code} > will be rendered to > {code:java} > <div> > <img > src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" > alt="" /> > <div> > <div> > <h2>Lorem ipsum dolor sit amet</h2> > <h3>At vero eos et accusam et justo</h3> > <p> > Lorem ipsum dolor sit amet, consetetur > sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea > takimata sanctus est Lorem ipsum dolor sit amet. > </p> > <a > href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a> > </div> > </div> > </div>{code} > I do not see any reason to not allow class attributes in html code. There > might be other problems with these rules but this is a showstopper. -- This message was sent by Atlassian JIRA (v7.6.3#76005)