ofbiz-notifications mailing list archives

From "Dennis Balkir (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
Date Thu, 07 Mar 2019 17:36:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787012#comment-16787012 ]

Dennis Balkir commented on OFBIZ-10187:
---------------------------------------

Hi Jacques, Michael,

since this is something I stumbled upon while working on a project, I took my time to implement a fix to this.
I added some functionality and made the whole sanitizing process more customizable this way.

This is the way it works:
* There is now a property {{sanitizer.enable}}, which I added to owasp.properties, that can turn on or off the whole sanitizing process
* I changed the existing property {{sanitizer.permissive.policy}} from boolean use to text use
* With {{sanitizer.permissive.policy=CUSTOM}} it is now possible to use a customized policy, which then replaces the {{PERMISSIVE_POLICY}}
** I implemented an interface, which is the base for the custom policy
** There is another property {{sanitizer.custom.policy.class}} in which a class path can be specified
** The sanitize method will get the class for the path from the property and will check if it implements the mentioned interface
** When the class implements the interface, a method {{getSanitizerPolicy()}} is used and will return the specified policy of the custom class
** When failing, the default {{PERMISSIVE_POLICY}} is used as a fallback

I also added a class {{CustomPermissivePolicy}} which can be used as an example for this customizing process.
There also should be no invulnerable policies in there, so it should be safe to use, even without changing it at all.
It also features many attributes and elements that the current {{PERMISSIVE_POLICY}} is missing.
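The resolution order described in the comment above (enable flag, CUSTOM policy loaded by class name with an interface check, fallback to the permissive policy), as an added stand-alone example against the OWASP Java HTML Sanitizer API; it is not the attached OFBiz patch. The interface name {{SanitizerPolicy}} and the stand-in {{PERMISSIVE_POLICY}} are assumptions, since the comment does not name them.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
import java.util.Properties;

public class SanitizerDemo {
    // Hypothetical interface name; the comment does not say what the OFBiz interface is called.
    public interface SanitizerPolicy {
        PolicyFactory getSanitizerPolicy();
    }

    // Stand-in for the existing PERMISSIVE_POLICY: built from stock policies that drop "class".
    static final PolicyFactory PERMISSIVE_POLICY = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)
            .and(Sanitizers.LINKS).and(Sanitizers.IMAGES);

    // Example custom policy: allow-list of elements plus "class", so CSS-driven markup survives.
    public static class CustomPermissivePolicy implements SanitizerPolicy {
        public PolicyFactory getSanitizerPolicy() {
            return new HtmlPolicyBuilder()
                    .allowElements("div", "p", "h2", "h3", "a", "img")
                    .allowAttributes("class").globally()
                    .allowAttributes("href").onElements("a")
                    .allowAttributes("src", "alt").onElements("img")
                    .allowStandardUrlProtocols()
                    .toFactory();
        }
    }

    // sanitizer.enable=false -> pass-through; permissive.policy=CUSTOM -> reflective load guarded
    // by an interface check; anything else, or any failure, -> PERMISSIVE_POLICY.
    static String sanitize(String html, Properties props) {
        if (!"true".equalsIgnoreCase(props.getProperty("sanitizer.enable", "true"))) {
            return html;
        }
        PolicyFactory policy = PERMISSIVE_POLICY;
        if ("CUSTOM".equals(props.getProperty("sanitizer.permissive.policy"))) {
            try {
                Class<?> c = Class.forName(props.getProperty("sanitizer.custom.policy.class"));
                if (SanitizerPolicy.class.isAssignableFrom(c)) {
                    policy = ((SanitizerPolicy) c.getDeclaredConstructor().newInstance())
                            .getSanitizerPolicy();
                }
            } catch (ReflectiveOperationException | RuntimeException e) {
                // Misconfigured or missing class: keep the default policy, never skip sanitizing.
            }
        }
        return policy.sanitize(html);
    }

    public static void main(String[] args) {
        Properties props = new Properties();   // constructed in place of owasp.properties
        props.setProperty("sanitizer.permissive.policy", "CUSTOM");
        props.setProperty("sanitizer.custom.policy.class", CustomPermissivePolicy.class.getName());
        String html = "<div class=\"item\"><a class=\"btn btn-grey\" href=\"/cms\">more</a></div>";
        System.out.println(sanitize(html, props));  // custom policy: class attributes retained
        props.setProperty("sanitizer.permissive.policy", "true");
        System.out.println(sanitize(html, props));  // default policy: class attributes stripped
    }
}
```

Note that {{sanitizer.custom.policy.class}} is a reflective class load, so the property file it comes from must be writable only by the deployer; the interface check limits what an arbitrary class name can do but does not make the property safe to expose.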

> OWASP sanitizer breaks proper rendering of HTML code
> ----------------------------------------------------
>
>                 Key: OFBIZ-10187
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10187
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: 16.11.04
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Critical
>         Attachments: OFBIZ-10187_Sanitizer.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>             <div class="item">
>                  <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
>                  <div class="container">
>                      <div class="slider-overlay">
>                          <h2>Lorem ipsum dolor sit amet</h2>
>                          <h3>At vero eos et accusam et justo</h3>
>                          <p>
>                              Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          </p>
>                          <a class="btn btn-grey" href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
>                      </div>
>                  </div>
>              </div>{code}
> will be rendered to
> {code:java}
>             <div>
>                  <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
>                  <div>
>                      <div>
>                          <h2>Lorem ipsum dolor sit amet</h2>
>                          <h3>At vero eos et accusam et justo</h3>
>                          <p>
>                              Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          </p>
>                          <a href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
>                      </div>
>                  </div>
>              </div>{code}
> I do not see any reason to not allow class attributes in html code. There might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)