[ https://issues.apache.org/jira/browse/OFBIZ-12258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl updated OFBIZ-12258:
----------------------------------
    Affects Version/s: 18.12.01

> Adding tel protocol in CustomPermissivePolicy is not working
> ------------------------------------------------------------
>
>                 Key: OFBIZ-12258
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12258
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: 18.12.01, Trunk
>            Reporter: Wiebke Pätzold
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: 18.12.01, Upcoming Branch
>
>
> At the moment it is not possible to allow the tel protocol via the 
> CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the 
> href attribute is allowed for HTTP, HTTPS and MAILTO.
> When checking the policies in org.owasp.html.JoinedAttributePolicy
> {code:java}
>   public @Nullable String apply(
>       String elementName, String attributeName, @Nullable String value) {
>     for (AttributePolicy p : policies) {
>       if (value == null) { break; }
>       value = p.apply(elementName, attributeName, value);
>     }
>     return value;
>   }
> {code}
> It is obvious that each policy must be satisfied to allow an attribute with 
> corresponding values. In the case of the tel protocol, there are now several 
> policies, the Customized policy which allows the protocol (I added it there) 
> and the Standard policy which does not. For this reason it is currently not 
> possible to allow the tel protocol via the CustomPermissivePolicy.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
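
The AND semantics described in the report, as an added example that is not OFBiz or OWASP code: a self-contained model of the quoted loop in which a value survives only if every joined policy returns it. The `AttributePolicy` interface here is a stand-in for the OWASP one, and `protocols`, `join` and the sample `tel:` value are hypothetical names and constructed data.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class JoinedPolicyDemo {
    /** Stand-in for org.owasp.html.AttributePolicy: returns the value to keep, or null to reject. */
    interface AttributePolicy {
        String apply(String elementName, String attributeName, String value);
    }

    /** Hypothetical helper: keeps a URL only if its scheme is in the allowed set. */
    static AttributePolicy protocols(String... allowed) {
        Set<String> schemes = Set.of(allowed);
        return (el, attr, value) -> {
            int colon = value.indexOf(':');
            if (colon < 0) { return value; } // simplification: no scheme, nothing to check
            String scheme = value.substring(0, colon).toLowerCase(Locale.ROOT);
            return schemes.contains(scheme) ? value : null;
        };
    }

    /** Same loop as the quoted JoinedAttributePolicy.apply: the first null ends the chain. */
    static String join(List<AttributePolicy> policies, String el, String attr, String value) {
        for (AttributePolicy p : policies) {
            if (value == null) { break; }
            value = p.apply(el, attr, value);
        }
        return value;
    }

    public static void main(String[] args) {
        // Models the protocols the report lists for Sanitizers.LINKS.
        AttributePolicy standard = protocols("http", "https", "mailto");
        // Models a custom policy that additionally allows tel.
        AttributePolicy custom = protocols("http", "https", "mailto", "tel");
        String tel = "tel:+49123456789"; // constructed sample value

        // Standard policy in the chain, in either order: the result is the intersection.
        System.out.println("standard+custom: " + join(List.of(standard, custom), "a", "href", tel));
        System.out.println("custom+standard: " + join(List.of(custom, standard), "a", "href", tel));
        // Custom policy alone, with no narrower policy joined to it.
        System.out.println("custom only:     " + join(List.of(custom), "a", "href", tel));
        // A protocol both policies allow passes through the joined chain unchanged.
        System.out.println("https joined:    "
                + join(List.of(standard, custom), "a", "href", "https://example.org/"));
    }
}
```

Because joining can only narrow what is allowed, adding a more permissive policy to the chain never widens the result; the narrower policy has to be replaced or left out for `href` on the affected element.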
