Posted to notifications@ofbiz.apache.org by "Dennis Balkir (JIRA)" <ji...@apache.org> on 2019/03/07 17:36:00 UTC

[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

    [ https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787012#comment-16787012 ] 

Dennis Balkir commented on OFBIZ-10187:
---------------------------------------

Hi Jacques, Michael,

since this is something I stumbled upon while working on a project, I took my time to implement a fix to this.
I added some functionality and made the whole sanitizing process more customizable this way.

This is the way it works:
* There is now a property {{sanitizer.enable}}, which I added to owasp.properties, that can turn on or off the whole sanitizing process
* I changed the existing property {{sanitizer.permissive.policy}} from boolean use to text use
* With {{sanitizer.permissive.policy=CUSTOM}} it is now possible to use a customized policy, which then replaces the {{PERMISSIVE_POLICY}}
** I implemented an Interface, which is the base for the custom policy
** There is another property {{sanitizer.custom.policy.class}} in which a class path can be specified
** The sanitize method will get the class for the path from the property and will check if it implements the mentioned interface
** When the class implements the interface, a method {{getSanitizerPolicy()}} is used and will return the specified policy of the custom class
** When failing, the default {{PERMISSIVE_POLICY}} is used as a fallback

I also added a class {{CustomPermissivePolicy}} which can be used as an example for this customizing process.
There also should be no invulnerable policies in there, so it should be safe to use, even without changing it at all.
It also features many attributes and elements that the current {{PERMISSIVE_POLICY}} is missing.

> OWASP sanitizer breaks proper rendering of HTML code
> ----------------------------------------------------
>
>                 Key: OFBIZ-10187
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10187
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: 16.11.04
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Critical
>         Attachments: OFBIZ-10187_Sanitizer.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>             <div class="item">
>                  <img src="<@o...@ofbizContentUrl>" alt="" />
>                  <div class="container">
>                      <div class="slider-overlay">
>                          <h2>Lorem ipsum dolor sit amet</h2>
>                          <h3>At vero eos et accusam et justo</h3>
>                          <p>
>                              Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          </p>
>                          <a class="btn btn-grey" href="<@o...@ofbizUrl>">weitere Informationen</a>
>                      </div>
>                  </div>
>              </div>{code}
> will be rendered to
> {code:java}
>             <div>
>                  <img src="<@o...@ofbizContentUrl>" alt="" />
>                  <div>
>                      <div>
>                          <h2>Lorem ipsum dolor sit amet</h2>
>                          <h3>At vero eos et accusam et justo</h3>
>                          <p>
>                              Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          </p>
>                          <a href="<@o...@ofbizUrl>">weitere Informationen</a>
>                      </div>
>                  </div>
>              </div>{code}
> I do not see any reason to not allow class attributes in html code. There might be other problems with these rules but this is a showstopper.
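An added example, written here and not taken from the comment author or the OFBiz code base, of the property-driven policy selection described in the comment above, using the OWASP java-html-sanitizer API. The interface name {{SanitizerPolicyProvider}}, the class names, the default rules standing in for {{PERMISSIVE_POLICY}} and the sample HTML are assumptions; only the property keys come from the comment.

```java
import java.util.Properties;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Hypothetical interface (name assumed): what a class named in sanitizer.custom.policy.class must implement.
interface SanitizerPolicyProvider {
    PolicyFactory getSanitizerPolicy();
}
// Example custom policy: the default rules plus class attributes, which the reported bug strips.
class ClassAwarePolicy implements SanitizerPolicyProvider {
    public PolicyFactory getSanitizerPolicy() {
        return SanitizerExample.baseRules().allowAttributes("class").globally().toFactory();
    }
}
public class SanitizerExample {
    // Stand-in for the project's PERMISSIVE_POLICY (constructed here): no class attribute allowed.
    static HtmlPolicyBuilder baseRules() {
        return new HtmlPolicyBuilder()
                .allowElements("div", "p", "h2", "h3", "a", "img")
                .allowAttributes("href").onElements("a")
                .allowAttributes("src", "alt").onElements("img")
                .allowStandardUrlProtocols();
    }
    static final PolicyFactory PERMISSIVE_POLICY = baseRules().toFactory();
    // CUSTOM + class path -> load the class, check the interface, else fall back to the default.
    static PolicyFactory resolvePolicy(Properties props) {
        if (!"CUSTOM".equals(props.getProperty("sanitizer.permissive.policy"))) return PERMISSIVE_POLICY;
        try {
            Class<?> c = Class.forName(props.getProperty("sanitizer.custom.policy.class", ""));
            if (SanitizerPolicyProvider.class.isAssignableFrom(c)) {
                return ((SanitizerPolicyProvider) c.getDeclaredConstructor().newInstance()).getSanitizerPolicy();
            }
        } catch (ReflectiveOperationException e) {
            // unknown class or no usable no-arg constructor: keep the known default
        }
        return PERMISSIVE_POLICY;
    }
    // sanitizer.enable=false bypasses sanitizing entirely; otherwise apply the resolved policy.
    static String sanitize(String html, Properties props) {
        if (!Boolean.parseBoolean(props.getProperty("sanitizer.enable", "true"))) return html;
        return resolvePolicy(props).sanitize(html);
    }
    public static void main(String[] args) {
        Properties props = new Properties();
        props.setProperty("sanitizer.permissive.policy", "CUSTOM");
        props.setProperty("sanitizer.custom.policy.class", ClassAwarePolicy.class.getName());
        String html = "<div class=\"item\"><a class=\"btn btn-grey\" href=\"/info\">weitere Informationen</a></div>";
        System.out.println(sanitize(html, props));            // custom policy: class attributes survive
        System.out.println(PERMISSIVE_POLICY.sanitize(html)); // default policy: class attributes stripped
    }
}
```

The fallback branch is the part worth keeping in a real deployment: a typo in the class path or a class that does not implement the interface must land on the known default policy rather than on no sanitizing at all.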



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)