[ 
https://issues.apache.org/jira/browse/OFBIZ-12691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605243#comment-17605243
 ] 

Jacques Le Roux edited comment on OFBIZ-12691 at 5/24/24 6:31 AM:
------------------------------------------------------------------

Commit c005971e4be56ef7928a6f7d0b7f438e4aa64765 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c005971e4b ]

Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)

This has no functional changes. It makes things clearer.

I initially wanted to do that instead and forgot. The idea is to not change the
sanitization done by HtmlSanitizer.Policy(). We just need to be sure that the
comparison with unescapeEcmaScriptAndHtml4 works.

Maybe later we will figure out that some more HTML entities will need to be
added to 
{noformat}
"'" and """
{noformat}
...



was (Author: jira-bot):
Commit c005971e4be56ef7928a6f7d0b7f438e4aa64765 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c005971e4b ]

Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)

This has no functional changes. It makes things clearer.

I initially wanted to do that instead and forgot. The idea is to not change the
sanitization done by HtmlSanitizer.Policy(). We just need to be sure that the
comparison with unescapeEcmaScriptAndHtml4 works.

Maybe later we will figure out that some more HTML entities will need to be
added to "'" and """...


> Extend HTML Sanitizer - style attribute
> ---------------------------------------
>
>                 Key: OFBIZ-12691
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12691
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01
>
>         Attachments: SanitizerStyle.patch
>
>
> Right now it is not possible to assign an inline style to HTML content. 
> The Trumbowyg editor uses such attributes for aligning paragraphs:
> style="text-align:right"
> It is necessary to remove the space within the attribute and remove the trailing 
> semicolon in order to comply with the OWASP filter rules.
> Create or open content with "Long text". Go to the dataresource and edit the HTML. Put 
> in some text and use the align icons (right, center ...) to format the text. 
> Save. You will get a security info message.
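The behaviour the report describes (the editor writes `text-align: right;`, the OWASP sanitizer re-serialises it, and a strict comparison with the unescaped input then fails) can be reproduced outside OFBiz. The following is an added example, not OFBiz or OWASP project code. It assumes the OWASP Java HTML Sanitizer (`org.owasp.html`) and Apache Commons Text on the classpath; the policy it builds is a hypothetical stand-in for `HtmlSanitizer.Policy()`, the `unescapeEcmaScriptAndHtml4` helper is a stand-in for the one named in the commit message, and the equality round-trip is an assumption about where the "security info" comes from.

```java
import java.util.Arrays;
import java.util.List;

import org.apache.commons.text.StringEscapeUtils;
import org.owasp.html.CssSchema;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added illustration for OFBIZ-12691; not OFBiz or OWASP project code.
 * Assumes the OWASP Java HTML Sanitizer and Apache Commons Text are on the
 * classpath. The policy is a hypothetical stand-in for HtmlSanitizer.Policy():
 * only its handling of the style attribute matters here.
 */
public class StyleAttributeCheck {

    // Allow a few elements and exactly one CSS property, text-align, in the
    // style attribute. Any other declaration in a style value is dropped.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "div", "span", "strong", "em")
            .allowStyling(CssSchema.withProperties(Arrays.asList("text-align")))
            .toFactory();

    // Stand-in for the unescapeEcmaScriptAndHtml4 step named in the commit
    // message: undo JavaScript and HTML4 escaping so the stored text can be
    // compared with what the sanitizer emits. The real OFBiz helper may differ.
    static String unescapeEcmaScriptAndHtml4(String s) {
        return StringEscapeUtils.unescapeEcmaScript(StringEscapeUtils.unescapeHtml4(s));
    }

    // Round-trip check (assumed to be the source of the "security info"): the
    // input is accepted only if sanitizing it changes nothing at all, so pure
    // normalisation of a style declaration counts as a rejection.
    static boolean passesRoundTrip(String input) {
        String unescaped = unescapeEcmaScriptAndHtml4(input);
        return POLICY.sanitize(unescaped).equals(unescaped);
    }

    public static void main(String[] args) {
        // Constructed samples: the canonical form, the form the editor emits
        // (space after the colon, trailing semicolon), and two hostile variants.
        List<String> samples = Arrays.asList(
                "<p style=\"text-align:right\">canonical</p>",
                "<p style=\"text-align: right;\">as emitted by the editor</p>",
                "<p style=\"text-align:right;background:url(javascript:alert(1))\">extra property</p>",
                "<p style=\"text-align:right\" onmouseover=\"alert(1)\">event handler</p>");
        for (String html : samples) {
            String unescaped = unescapeEcmaScriptAndHtml4(html);
            System.out.println("input     : " + html);
            System.out.println("sanitized : " + POLICY.sanitize(unescaped));
            System.out.println("accepted  : " + passesRoundTrip(html));
            System.out.println();
        }
    }
}
```

Run it with the two jars on the classpath and compare the `sanitized` line with the `input` line for each sample. The two hostile samples lose the `background` declaration and the `onmouseover` attribute, so they fail the round-trip for the right reason; whether the two benign samples pass depends only on how the sanitizer serialises the declaration, which is exactly the normalisation the issue is about. A check that wants to accept editor output without loosening the policy should compare against a normalised form (or store the sanitizer's output) rather than require the raw input to be byte-identical.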



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
