[ 
https://issues.apache.org/jira/browse/OFBIZ-12691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605329#comment-17605329
 ] 

ASF subversion and git services commented on OFBIZ-12691:
---------------------------------------------------------

Commit 89e8af90b2688bbaf98d4646613978bd18c897d2 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=89e8af90b2 ]

Reverted: "Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691)"

This reverts commit 733d0e0a8aeed9faf7ebd26be12178ba6987dd4f.

I'm not sure why, when coming from the UI, HtmlSanitizer.Policy() changes quotes
to HTML entities, but not when coming from the test. It seems to come from the
context as org.owasp.html.HtmlStreamRenderer somehow explains it:

<<Given a series of HTML tokens, writes valid, normalized HTML to the output.
The output will have well-defined tag boundaries, but there may be orphaned or
missing close and open tags. The result of two renderers can always be
concatenated to produce a larger snippet of HTML, but if the first
was called with writeOpenTag("plaintext", ...), then any tags in the second will
not be interpreted as tags in the concatenated version.>>

Anyway reverting fixes the test issue.


> Extend HTML Sanitizer - style attribute
> ---------------------------------------
>
>                 Key: OFBIZ-12691
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12691
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01
>
>         Attachments: SanitizerStyle.patch
>
>
> Right now it is not possible to assign inline style to html content. 
> Trumbowyg Editor uses such tags for aligning paragraphs:
> style="text-align:right"
> It is necessary to remove the space within the attribute and remove the trailing 
> semicolon in order to comply with the OWASP filter rules.
> Create or open content with "Long text". Go to dataresource and edit HTML. Put 
> in some text and use the align icons (right, center ...) to format the text. 
> Save. You will get a security info message.
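An added example, not OFBiz's HtmlSanitizer and not from the attached patch, showing the two ways the OWASP Java HTML Sanitizer (the library org.owasp.html.HtmlStreamRenderer belongs to) can admit a style attribute such as the one Trumbowyg emits. It assumes the OWASP Java HTML Sanitizer jar is on the classpath; the class name StyleAttributeDemo, the regex, the element list and the sample inputs are all constructed for illustration.

```java
import java.util.regex.Pattern;
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Illustrative only (not OFBiz code). Compares a regex-matched style attribute
 * with the sanitizer's own CSS parsing. Assumes the OWASP Java HTML Sanitizer
 * (org.owasp.html) is available.
 */
public class StyleAttributeDemo {

    // Approach 1: accept style only when the whole value matches a strict regex.
    // Optional whitespace and a trailing semicolon are tolerated here, so the
    // editor's "text-align: right;" does not have to be pre-cleaned by hand.
    // Anything else (url(), expression(), a second property) is rejected outright.
    static final Pattern TEXT_ALIGN = Pattern.compile(
        "^\\s*text-align\\s*:\\s*(left|right|center|justify)\\s*;?\\s*$");

    static final PolicyFactory REGEX_POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "div", "b", "i", "br")
        .allowAttributes("style").matching(TEXT_ALIGN).onElements("p", "div")
        .toFactory();

    // Approach 2: let the sanitizer parse the CSS and keep only properties in a
    // whitelist (CssSchema.DEFAULT). The declarations are re-serialised, so the
    // output is normalised rather than echoed back verbatim.
    static final PolicyFactory CSS_POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "div", "b", "i", "br")
        .allowStyling(CssSchema.DEFAULT)
        .toFactory();

    // Constructed sample inputs: the editor's markup plus a few hostile variants.
    static final String[] SAMPLES = {
        "<p style=\"text-align: right;\">ok</p>",
        "<p style=\"text-align:right\">ok</p>",
        "<p style=\"text-align:right;background:url('javascript:alert(1)')\">x</p>",
        "<p style=\"width:expression(alert(1))\">x</p>",
        "<p style=\"text-align:right\" onclick=\"alert(1)\">x</p>"
    };

    public static void main(String[] args) {
        for (String s : SAMPLES) {
            System.out.println("in   : " + s);
            System.out.println("regex: " + REGEX_POLICY.sanitize(s));
            System.out.println("css  : " + CSS_POLICY.sanitize(s));
            System.out.println();
        }
    }
}
```

When writing a test around either policy, compare against the sanitized form rather than the raw input: as the commit message above notes, the renderer rewrites quotes to HTML entities and the CSS policy re-serialises declarations, so a literal string equality against what the editor sent will fail even when the attribute was accepted.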



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
