Posted to dev@myfaces.apache.org by "Udo Schnurpfeil (JIRA)" <de...@myfaces.apache.org> on 2014/05/28 17:10:01 UTC
[jira] [Created] (TOBAGO-1400) Sanitize potentially malicious content in tc:textarea and tc:out
Udo Schnurpfeil created TOBAGO-1400:
---------------------------------------
Summary: Sanitize potentially malicious content in tc:textarea and tc:out
Key: TOBAGO-1400
URL: https://issues.apache.org/jira/browse/TOBAGO-1400
Project: MyFaces Tobago
Issue Type: New Feature
Components: Themes
Affects Versions: 2.0.0-beta-4
Reporter: Udo Schnurpfeil
Assignee: Udo Schnurpfeil
When using
<tc:out escape="false"/>
or
<tc:textarea>
  <tc:dataAttribute name="html-editor"/>
</tc:textarea>
the content is normally HTML. This code should be sanitized to protect against XSS.
Sanitizing can be configured in the tobago-config.xml, and should be enabled by default.
See also:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
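As an added illustration (not Tobago's own code, and not part of the issue), this is what the jsoup whitelist sanitizer linked above does to raw HTML of the kind a tc:out with escape="false" or an HTML-editor-backed tc:textarea would otherwise pass straight to the browser. It assumes jsoup is on the classpath; the class `Whitelist` was renamed `Safelist` in jsoup 1.14.1.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

// Added example, not Tobago code: whitelist-based HTML sanitizing with jsoup.
public class OutSanitizer {

    // Whitelist.basic() keeps simple text formatting (b, i, p, ul, li, a, ...),
    // allows only http/https/ftp/mailto links, forces rel="nofollow" on <a>,
    // and drops everything else: script tags, event-handler attributes,
    // style, iframes and javascript: URLs.
    static String sanitize(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, Whitelist.basic());
    }

    public static void main(String[] args) {
        // Constructed sample of what an HTML editor bound to tc:textarea
        // could submit; nothing here is taken from a real request.
        String submitted = "<p onmouseover=\"alert(1)\">Hello <b>world</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">link</a>"
                + "<a href=\"https://example.org/\">ok</a>";
        System.out.println(sanitize(submitted));
    }
}
```

The script element, the onmouseover attribute and the javascript: href are removed while the paragraph, bold text and the https link survive; this is the "sanitize, don't escape" path the issue asks to enable by default for unescaped output.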