Posted to dev@myfaces.apache.org by "Udo Schnurpfeil (JIRA)" <de...@myfaces.apache.org> on 2014/05/28 17:10:01 UTC

[jira] [Created] (TOBAGO-1400) Sanitize potentially malicious content in tc:textarea and tc:out

Udo Schnurpfeil created TOBAGO-1400:
---------------------------------------

             Summary: Sanitize potentially malicious content in tc:textarea and tc:out
                 Key: TOBAGO-1400
                 URL: https://issues.apache.org/jira/browse/TOBAGO-1400
             Project: MyFaces Tobago
          Issue Type: New Feature
          Components: Themes
    Affects Versions: 2.0.0-beta-4
            Reporter: Udo Schnurpfeil
            Assignee: Udo Schnurpfeil


When having
<tc:out escape="false"/>
or
<tc:textarea>
  <tc:dataAttribute name="html-editor"/>
</tc:textarea>
the content is normally HTML. This code should be sanitized to protect against XSS.
Sanitizing can be configured in the tobago-config.xml, and should be enabled by default.

See also: 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
--
This message was sent by Atlassian JIRA
(v6.2#6252)
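An added worked example of the jsoup whitelist sanitizer the issue links to, written for this page and not taken from the Tobago code base. It assumes jsoup's Whitelist API (renamed Safelist from jsoup 1.14.1 onward) and a hypothetical enabled flag standing in for the tobago-config.xml setting the issue proposes.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Hypothetical sanitizer for HTML that an html-editor bound tc:textarea
 * submits or that tc:out escape="false" renders. Not Tobago code.
 */
public class HtmlSanitizer {

    // Stands in for the proposed tobago-config.xml switch (assumed, not a real key);
    // the issue asks for sanitizing to be on by default.
    private final boolean enabled;
    private final Whitelist whitelist;

    public HtmlSanitizer(boolean enabled) {
        this.enabled = enabled;
        // relaxed(): text formatting, structure, images and links; href/src are
        // limited to http, https, ftp and mailto, so javascript: URLs are dropped,
        // and no on* event handler attributes are allowed at all.
        this.whitelist = Whitelist.relaxed();
    }

    /** Returns cleaned body HTML, or the input unchanged when sanitizing is off. */
    public String sanitize(String bodyHtml) {
        if (!enabled || bodyHtml == null) {
            return bodyHtml;
        }
        return Jsoup.clean(bodyHtml, whitelist);
    }

    /** True when the input already contains only whitelisted markup. */
    public boolean isClean(String bodyHtml) {
        return Jsoup.isValid(bodyHtml, whitelist);
    }

    public static void main(String[] args) {
        // Constructed sample of what a browser-side HTML editor could submit.
        String untrusted = "<p>Hello <b>world</b></p>"
            + "<script>alert('xss')</script>"
            + "<a href=\"javascript:alert(1)\" onclick=\"alert(2)\">link</a>"
            + "<img src=\"http://example.com/a.png\" onerror=\"alert(3)\">";

        HtmlSanitizer sanitizer = new HtmlSanitizer(true);
        System.out.println("already clean: " + sanitizer.isClean(untrusted));
        System.out.println(sanitizer.sanitize(untrusted));
    }
}
```

For this input Jsoup.clean removes the script element together with its body, drops the javascript: href and every on* attribute, and keeps the whitelisted p, b, a and img markup; a relative img src would also be dropped because clean(String, Whitelist) resolves URLs against an empty base URI.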