Posted to dev@myfaces.apache.org by "Hudson (JIRA)" <de...@myfaces.apache.org> on 2014/05/28 21:21:02 UTC

[jira] [Commented] (TOBAGO-1400) Sanitize potentially malicious content in tc:textarea and tc:out

    [ https://issues.apache.org/jira/browse/TOBAGO-1400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14011474#comment-14011474 ] 

Hudson commented on TOBAGO-1400:
--------------------------------

SUCCESS: Integrated in tobago-trunk #1182 (See [https://builds.apache.org/job/tobago-trunk/1182/])
TOBAGO-1400: Sanitize potentially malicious content in tc:textarea and tc:out (lofwyr: http://svn.apache.org/viewvc/?view=rev&rev=1598041)
* /myfaces/tobago/trunk/pom.xml
* /myfaces/tobago/trunk/tobago-core/pom.xml
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/OutTagDeclaration.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/TextareaTagDeclaration.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/declaration/HasSanitize.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/renderkit/InputRendererBase.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/IgnoringSanitizer.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/JsoupSanitizer.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/sanitizer/Sanitizer.java
* /myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/util/ComponentUtils.java
* /myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-2.0.xsd
* /myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
* /myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/java/org/apache/myfaces/tobago/renderkit/html/standard/standard/tag/OutRenderer.java
* /myfaces/tobago/trunk/tobago-theme/tobago-theme-standard/src/main/java/org/apache/myfaces/tobago/renderkit/html/standard/standard/tag/TextareaRenderer.java


> Sanitize potentially malicious content in tc:textarea and tc:out
> ----------------------------------------------------------------
>
>                 Key: TOBAGO-1400
>                 URL: https://issues.apache.org/jira/browse/TOBAGO-1400
>             Project: MyFaces Tobago
>          Issue Type: New Feature
>          Components: Themes
>            Reporter: Udo Schnurpfeil
>            Assignee: Udo Schnurpfeil
>             Fix For: 2.0.0-beta-4, 2.0.0
>
>
> When having 
> {code}<tc:out escape="false"/>{code}
> or 
> {code}<tc:textarea>
>   <tc:dataAttribute name="html-editor"/>
> </tc:textarea>{code}
> the content normally is HTML. This code should be sanitized to protect against XSS.
> To avoid sanitizing this content, the two tags above get a new attribute "sanitize" (default value is "auto"); set the value to "never". But in most cases this should not be needed.
> Sanitizing can be configured in the {{tobago-config.xml}}, and is enabled by default.
> In the configuration you can define a class which is doing the job. It must implement {{org.apache.myfaces.tobago.sanitizer.Sanitizer}}.
> See also: 
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
> http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
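
The issue points to the allowlist approach (OWASP Rule #6, jsoup's whitelist cleaner) for markup that is deliberately rendered unescaped. The following is an added Python example, not Tobago's JsoupSanitizer or any code from this commit: a small allowlist sanitizer built on the standard-library HTML parser, plus a render_out helper whose escape / sanitize="auto" / sanitize="never" switch mirrors the tc:out contract described above (the helper's semantics and the reduced tag allowlist are assumptions for illustration, not the exact jsoup "basic" whitelist). It drops script and style elements together with their text, drops unknown tags while keeping their text, keeps only allowlisted attributes, rejects href values with schemes such as javascript: or data:, re-escapes all text and attribute values, and closes any tags the input left open so the output is well-formed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist of tags and the attributes each may keep. Assumption: a reduced
# formatting set chosen for this example, not jsoup's exact "basic" whitelist.
ALLOWED_TAGS = {
    "a": {"href"},
    "b": set(), "i": set(), "u": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "code": set(), "pre": set(),
}
VOID_TAGS = {"br"}
# Only these schemes survive in href; javascript:, data:, vbscript: etc. are dropped.
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
# Elements whose text content must not leak into the output at all.
DROP_WITH_CONTENT = {"script", "style"}


def _safe_url(url):
    """Relative URLs and allowlisted schemes pass; everything else is rejected."""
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True hands us decoded text, which we re-escape on output,
        # so pre-encoded payloads such as &lt;script&gt; cannot survive as markup.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # event handlers, style, etc. never pass
            if name == "href" and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s%s/>" % (tag, "".join(kept)))
        else:
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened since this tag so nesting stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))

    def finish(self):
        self.close()
        while self.open_tags:  # input left tags open: close them
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    """Return an allowlist-cleaned version of untrusted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.finish()


def render_out(value, escape_output=True, sanitize_mode="auto"):
    """Assumed rendering decision in the spirit of tc:out (not Tobago's code):
    escape="true" entity-encodes the value; escape="false" emits markup, which is
    sanitized unless sanitize="never" is set explicitly."""
    if escape_output:
        return escape(value, quote=True)
    if sanitize_mode == "never":
        return value
    return sanitize(value)


if __name__ == "__main__":
    # Constructed sample of the kind of content an HTML editor field might submit.
    sample = '<p>Hi <b>there</b><script>alert(1)</script>' \
             '<a href="javascript:alert(1)" onclick="x()">click</a></p>'
    print(render_out(sample, escape_output=False))
```

The defensive property to note is that the sanitizer is opt-in by allowlist, never by blocklist: a tag or attribute the code has not heard of is dropped, and a URL scheme it does not recognise is dropped, so new browser features do not widen the attack surface without a deliberate change to the lists.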



--
This message was sent by Atlassian JIRA
(v6.2#6252)