Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 16.11.04, Release Branch 18.12, Release Branch 17.12, Trunk
Description
The current implementation of the sanitizer breaks the proper rendering of HTML code. In our case, class attributes are stripped from the HTML content.
Example:
    <div class="item">
      <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
      <div class="container">
        <div class="slider-overlay">
          <h2>Lorem ipsum dolor sit amet</h2>
          <h3>At vero eos et accusam et justo</h3>
          <p> Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. </p>
          <a class="btn btn-grey" href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
        </div>
      </div>
    </div>
will be rendered to
    <div>
      <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
      <div>
        <div>
          <h2>Lorem ipsum dolor sit amet</h2>
          <h3>At vero eos et accusam et justo</h3>
          <p> Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. </p>
          <a href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
        </div>
      </div>
    </div>
I do not see any reason to not allow class attributes in HTML code. There might be other problems with these rules, but this is a showstopper.
Attachments
Issue Links
- is related to
  - OFBIZ-5254 Services allow arbitrary HTML for parameters with allow-html set to "safe" (Closed)
  - OFBIZ-11265 Getting policy error while editing html text data using cms (Closed)
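
An added example, not part of the original report and not OFBiz's sanitizer code: an allowlist sanitizer built on Python's standard library, showing that `class` can be kept with its value restricted to plain tokens while event-handler attributes and script content are still removed. The tag list, the attribute checks and the sample input are assumptions made for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example (not OFBiz's actual policy); unlisted attributes are dropped.
ALLOWED_TAGS = {"div", "img", "h2", "h3", "p", "a"}
VOID_TAGS = {"img"}
DROP_WITH_CONTENT = {"script", "style"}
CLASS_RE = re.compile(r"[A-Za-z0-9_\- ]+")  # plain class tokens only
URL_RE = re.compile(r"(?:https?://|/)[^\s\"'<>]*", re.I)  # http(s) or site-relative
BASE_POLICY = {"alt": lambda v: True, "href": URL_RE.fullmatch, "src": URL_RE.fullmatch}

class Sanitizer(HTMLParser):
    def __init__(self, allow_class):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self.skip = dict(BASE_POLICY), [], 0
        if allow_class:
            self.policy["class"] = CLASS_RE.fullmatch

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            check = self.policy.get(name)
            if check and check(value or ""):
                kept += f' {name}="{escape(value or "")}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append("" if self.skip else escape(data))

def sanitize(html, allow_class):
    parser = Sanitizer(allow_class)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed input: shortened from the report, plus an event handler and a script.
SAMPLE = ('<div class="item" onclick="track()"><img src="/img/1.jpg" alt="" /><script>alert(1)</script>'
          '<a class="btn btn-grey" href="/cms/page">weitere Informationen</a></div>')
```

Calling `sanitize(SAMPLE, allow_class=False)` reproduces the stripped markup described in the report; with `allow_class=True` the class attributes survive and the `onclick` handler and script are still dropped.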