You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2021/06/15 09:52:00 UTC
[jira] [Updated] (OFBIZ-12258) Adding tel protocol in
CustomPermissivePolicy is not working
[ https://issues.apache.org/jira/browse/OFBIZ-12258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-12258:
------------------------------------
Description:
At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.
When checking the policies in org.owasp.html.JoinedAttributePolicy
{code:java}
public @Nullable String apply(
String elementName, String attributeName, @Nullable String rawValue) {
String value = rawValue;
for (AttributePolicy p : policies) {
if (value == null) \{ break; }
value = p.apply(elementName, attributeName, value);
}
return value;
}
{code}
It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tell protocol, there are now several policies, the Cusomized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.
was:
At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.
When checking the policies in org.owasp.html.JoinedAttributePolicy
"
public @Nullable String apply(
String elementName, String attributeName, @Nullable String rawValue) {
String value = rawValue;
for (AttributePolicy p : policies) {
if (value == null) \{ break; }
value = p.apply(elementName, attributeName, value);
}
return value;
}
"
It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tell protocol, there are now several policies, the Cusomized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.
> Adding tel protocol in CustomPermissivePolicy is not working
> ------------------------------------------------------------
>
> Key: OFBIZ-12258
> URL: https://issues.apache.org/jira/browse/OFBIZ-12258
> Project: OFBiz
> Issue Type: Bug
> Reporter: Wiebke Pätzold
> Assignee: Wiebke Pätzold
> Priority: Major
>
> At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.
> When checking the policies in org.owasp.html.JoinedAttributePolicy
> {code:java}
> public @Nullable String apply(
> String elementName, String attributeName, @Nullable String rawValue) {
> String value = rawValue;
> for (AttributePolicy p : policies) {
> if (value == null) \{ break; }
> value = p.apply(elementName, attributeName, value);
> }
> return value;
> }
> {code}
> It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tell protocol, there are now several policies, the Cusomized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)