You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Michael Brohl (Jira)" <ji...@apache.org> on 2021/06/21 06:56:00 UTC
[jira] [Assigned] (OFBIZ-12258) Adding tel protocol in
CustomPermissivePolicy is not working
[ https://issues.apache.org/jira/browse/OFBIZ-12258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Brohl reassigned OFBIZ-12258:
-------------------------------------
Fix Version/s: Upcoming Branch
Assignee: Michael Brohl (was: Wiebke Pätzold)
Labels: backport-needed (was: )
Thanks Wiebke,
this is merged in trunk / GitHub now. The change was not synchronized with ASF Gitbox so I leave this open for backport to 18.12 later.
> Adding tel protocol in CustomPermissivePolicy is not working
> ------------------------------------------------------------
>
> Key: OFBIZ-12258
> URL: https://issues.apache.org/jira/browse/OFBIZ-12258
> Project: OFBiz
> Issue Type: Bug
> Reporter: Wiebke Pätzold
> Assignee: Michael Brohl
> Priority: Major
> Labels: backport-needed
> Fix For: Upcoming Branch
>
>
> At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.
> When checking the policies in org.owasp.html.JoinedAttributePolicy
> {code:java}
> public @Nullable String apply(
> String elementName, String attributeName, @Nullable String value) {
> for (AttributePolicy p : policies) {
> if (value == null) { break; }
> value = p.apply(elementName, attributeName, value);
> }
> return value;
> }
> {code}
> It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tell protocol, there are now several policies, the Cusomized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)