[ https://issues.apache.org/jira/browse/OFBIZ-12691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17849198#comment-17849198 ]
ASF subversion and git services commented on OFBIZ-12691:
---------------------------------------------------------

Commit 98febce8c3594d0f8bb5e1fc7a6c09dadffd113d in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=98febce8c3 ]

Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)

As we allowed ' and \, this allows @ to be used in email addresses. There is no risk with that. If someone tries to add something risky besides, like <img src=x onerror=alert(document.cookie);>, it will be rejected anyway.

> Extend HTML Sanitizer - style attribute
> ---------------------------------------
>
>                 Key: OFBIZ-12691
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12691
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01
>
>         Attachments: SanitizerStyle.patch
>
>
> Right now it is not possible to assign inline style to HTML content.
> Trumbowyg Editor uses such tags for aligning paragraphs:
> style="text-align:right"
> It is necessary to remove the space within the attribute and remove the trailing
> semicolon in order to comply with the OWASP filter rules.
> Create or open content with "Long text". Go to dataresource and edit HTML. Put
> in some text and use the align icons (right, center ...) to format the text.
> Save. You will get a security info.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
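The two behaviours discussed in this thread, normalising a style attribute (drop the whitespace inside it and the trailing semicolon, so Trumbowyg's `text-align: right;` becomes `text-align:right`) and rejecting anything outside the allowlist such as `<img src=x onerror=...>` while letting an `@` in an email address through as plain text, as an added, self-contained illustration. This is example code written for this page; it is not OFBiz code and does not use the OWASP Java HTML Sanitizer API. The tag allowlist, the single allowed CSS property and the sample fragments are all assumptions chosen to match the issue text.

```python
"""Allowlist HTML sanitizer sketch for OFBIZ-12691 (illustration only, not
OFBiz code). Assumed policy: a few block/inline tags, one attribute (style),
and one CSS property (text-align) with four permitted values."""
import html
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Assumed allowlists; OFBiz's real policy is in its sanitizer configuration.
ALLOWED_TAGS = {"p", "div", "span", "b", "i", "u", "strong", "em", "br",
                "ul", "ol", "li"}
ALLOWED_STYLE_PROPS = {
    "text-align": {"left", "right", "center", "justify"},
}


def normalize_style(value: str) -> Optional[str]:
    """Canonical 'prop:value[;prop:value]' or None if any declaration is not allowed.

    Applies the normalisation the issue describes: all whitespace inside the
    attribute is removed and a trailing semicolon is dropped, so
    'text-align: right;' -> 'text-align:right'. Any property or value outside
    the allowlist rejects the whole attribute (e.g. background:url(javascript:...)).
    """
    compact = re.sub(r"\s+", "", value).rstrip(";")
    kept = []
    for decl in compact.split(";"):
        if not decl:
            continue  # tolerate 'a:b;;c:d'
        if decl.count(":") != 1:
            return None  # url(javascript:...) and other multi-colon tricks
        prop, val = decl.lower().split(":")
        if val not in ALLOWED_STYLE_PROPS.get(prop, set()):
            return None
        kept.append(f"{prop}:{val}")
    return ";".join(kept) if kept else None


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.rejected: List[str] = []  # what was dropped, for a "security info" message

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.rejected.append(f"<{tag}>")  # e.g. <img src=x onerror=...>
            return
        safe_attrs = ""
        for name, val in attrs:
            if name == "style" and val is not None:
                norm = normalize_style(val)
                if norm is not None:
                    safe_attrs += f' style="{norm}"'
                    continue
            self.rejected.append(f"{tag}@{name}")  # event handlers, src, bad style
        self.out.append(f"<{tag}{safe_attrs}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> keeps a single <br>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is escaped, so '@' in an address survives unchanged while a
        # literal '<' can never open a new tag.
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> Tuple[str, List[str]]:
    """Return (clean_html, list_of_rejected_items) for an HTML fragment."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.rejected


if __name__ == "__main__":
    # Constructed samples mirroring the thread: editor output, an email, the XSS probe.
    for sample in ('<p style="text-align: right;">aligned</p>',
                   '<p>mail me at jane@example.com</p>',
                   '<p><img src=x onerror=alert(document.cookie);></p>'):
        print(sanitize(sample))
```

Running the block prints the cleaned fragment and what was dropped for each sample; in a real content save the `rejected` list is what you would surface to the editor instead of silently discarding the markup.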