[ https://issues.apache.org/jira/browse/OFBIZ-12691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17849198#comment-17849198 ]

ASF subversion and git services commented on OFBIZ-12691:
---------------------------------------------------------

Commit 98febce8c3594d0f8bb5e1fc7a6c09dadffd113d in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=98febce8c3 ]

Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)

Like we allowed ' and \, this allows @ to be used in email addresses.
There is no risk with that. If someone tries to add something risky besides, like
<img src=x onerror=alert(document.cookie);>, it will be rejected anyway.


> Extend HTML Sanitizer - style attribute
> ---------------------------------------
>
>                 Key: OFBIZ-12691
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12691
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01
>
>         Attachments: SanitizerStyle.patch
>
>
> Right now it is not possible to assign an inline style to HTML content.
> Trumbowyg Editor uses such attributes for aligning paragraphs:
> style="text-align:right"
> It is necessary to remove the space within the attribute and remove the trailing
> semicolon in order to comply with the OWASP filter rules.
> Create or open content with "Long text". Go to the data resource and edit the HTML. Put
> in some text and use the align icons (right, center ...) to format the text.
> Save. You will get a security info message.
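The issue description above asks for inline `style="text-align:..."` to survive sanitization even with a space after the colon and a trailing semicolon, and the commit comment notes that an injected `<img src=x onerror=...>` must still be rejected. The following is an added example, not OFBiz's sanitizer and not the code in the attached patch: a small allowlist sanitizer built on Python's `html.parser`. Instead of widening a character allowlist for attribute values (the commit's approach of permitting `'`, `\` and `@`), it accepts a `style` attribute only when every declaration is a known property with a known value, normalises the spacing and trailing semicolon, and drops any attribute not explicitly allowed, so an `onerror` handler can never be emitted. The tag list, the `text-align` policy and the sample inputs are all constructed for this example.

```python
"""
Added example (not OFBiz code): allowlist HTML sanitizer with a per-property
policy for the style attribute. All tag/attribute/CSS policies below are
assumptions chosen for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy: tags the editor output needs, and the attributes each may carry.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "img", "a"}
ALLOWED_ATTRS = {"p": {"style"}, "img": {"src", "alt"}, "a": {"href"}}
# Only these CSS declarations are accepted inside a style attribute.
ALLOWED_CSS = {"text-align": {"left", "right", "center", "justify"}}
VOID_TAGS = {"br", "img"}
# URL schemes permitted in src/href; javascript: and data: never match.
SAFE_SCHEME = re.compile(r"^(https?:|mailto:|/|#)", re.I)
# One declaration: property ':' value, with a deliberately narrow value charset.
DECL = re.compile(r"^\s*([a-z-]+)\s*:\s*([a-z0-9-]+)\s*$", re.I)


def sanitize_style(value):
    """Return a normalised 'prop:value;prop:value' string, or None to drop the attribute."""
    out = []
    for decl in value.split(";"):
        if not decl.strip():        # tolerates the trailing semicolon the editor emits
            continue
        m = DECL.match(decl)
        if not m:                   # anything unparseable fails closed
            return None
        prop, val = m.group(1).lower(), m.group(2).lower()
        if val not in ALLOWED_CSS.get(prop, ()):
            return None
        out.append(f"{prop}:{val}")
    return ";".join(out) if out else None


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (tag, attr) pairs removed; handy for a security log entry

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, val in attrs:
            val = val or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):   # covers every on* handler
                self.dropped.append((tag, name))
                continue
            if name == "style":
                val = sanitize_style(val)
                if val is None:
                    self.dropped.append((tag, name))
                    continue
            elif name in ("src", "href") and not SAFE_SCHEME.match(val.strip()):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))   # text is re-escaped, never passed through raw


def sanitize(html):
    """Return (clean_html, dropped) for a fragment of untrusted HTML."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    # Constructed inputs: the editor's aligned paragraph, and the payload from the commit comment.
    for sample in ('<p style="text-align: right;">Hello</p>',
                   '<img src=x onerror=alert(document.cookie);>'):
        print(sanitize(sample))
```

Because the decision is made per CSS property rather than per character, the editor's `text-align: right;` is accepted and rewritten as `text-align:right`, while `color:expression(...)` or `background:url(javascript:...)` fail the declaration regex and cause the whole attribute to be dropped. The `dropped` list is what a defender would feed into the "security info" message or an audit log.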



--
This message was sent by Atlassian Jira
(v8.20.10#820010)