[ https://issues.apache.org/jira/browse/OFBIZ-12258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Brohl closed OFBIZ-12258.
---------------------------------
    Fix Version/s: 18.12.01
       Resolution: Fixed

This is now backported to 18.12 as well.

> Adding tel protocol in CustomPermissivePolicy is not working
> ------------------------------------------------------------
>
>                 Key: OFBIZ-12258
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12258
>             Project: OFBiz
>          Issue Type: Bug
>            Reporter: Wiebke Pätzold
>            Assignee: Michael Brohl
>            Priority: Major
>              Labels: backport-needed
>             Fix For: 18.12.01, Upcoming Branch
>
>
> At the moment it is not possible to allow the tel protocol via the
> CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the
> href attribute is allowed for HTTP, HTTPS and MAILTO.
> When checking the policies in org.owasp.html.JoinedAttributePolicy
> {code:java}
> public @Nullable String apply(
>     String elementName, String attributeName, @Nullable String value) {
>   for (AttributePolicy p : policies) {
>     if (value == null) { break; }
>     value = p.apply(elementName, attributeName, value);
>   }
>   return value;
> }
> {code}
> It is obvious that each policy must be satisfied to allow an attribute with
> corresponding values. In the case of the tel protocol, there are now several
> policies, the Customized policy which allows the protocol (I added it there)
> and the Standard policy which does not. For this reason it is currently not
> possible to allow the tel protocol via the CustomPermissivePolicy.
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
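The joined-policy behaviour described in the issue, as an added example that is not OFBiz code and not the committed fix. It assumes the OWASP Java HTML Sanitizer is on the classpath; the class name, method names and sample link are constructed for illustration, and dropping Sanitizers.LINKS in favour of one combined link policy is an assumed remedy.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Added illustration; class and method names are hypothetical.
public class TelProtocolPolicyDemo {
    // Constructed sample input.
    static final String INPUT = "<a href=\"tel:+15550100\">Call us</a>";

    // A link policy that allows tel: in addition to http, https and mailto.
    static PolicyFactory linksWithTel() {
        return new HtmlPolicyBuilder()
                .allowElements("a")
                .allowAttributes("href").onElements("a")
                .allowStandardUrlProtocols()
                .allowUrlProtocols("tel")
                .requireRelNofollowOnLinks()
                .toFactory();
    }

    // Situation from the issue: the tel-aware policy is and()-ed with
    // Sanitizers.LINKS. The href value passes through both href policies in
    // turn, and the LINKS one returns null for tel:, so the chain stops there.
    static PolicyFactory joinedWithStandardLinks() {
        return Sanitizers.FORMATTING.and(Sanitizers.LINKS).and(linksWithTel());
    }

    // Assumed remedy: leave Sanitizers.LINKS out so href has a single policy
    // carrying the full protocol allow-list.
    static PolicyFactory singleLinkPolicy() {
        return Sanitizers.FORMATTING.and(linksWithTel());
    }

    static boolean keepsTel(PolicyFactory policy) {
        return policy.sanitize(INPUT).contains("tel:");
    }

    public static void main(String[] args) {
        System.out.println("joined with Sanitizers.LINKS keeps tel: "
                + keepsTel(joinedWithStandardLinks()));
        System.out.println("single link policy keeps tel:          "
                + keepsTel(singleLinkPolicy()));
        // Schemes outside the allow-list, such as javascript:, stay rejected.
        System.out.println(singleLinkPolicy()
                .sanitize("<a href=\"javascript:alert(1)\">x</a>"));
    }
}
```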