OFBIZ-10187: OWASP sanitizer breaks proper rendering of HTML code


      Description

      The current implementation of the sanitizer breaks the proper rendering of HTML code. In our case, class attributes are stripped from the HTML content.

      Example:

                  <div class="item">
                       <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
                       <div class="container">
                           <div class="slider-overlay">
                               <h2>Lorem ipsum dolor sit amet</h2>
                               <h3>At vero eos et accusam et justo</h3>
                               <p>
                                   Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
                                   takimata sanctus est Lorem ipsum dolor sit amet.
                               </p>
                               <a class="btn btn-grey" href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
                           </div>
                       </div>
                   </div>

      will be rendered to

                  <div>
                       <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
                       <div>
                           <div>
                               <h2>Lorem ipsum dolor sit amet</h2>
                               <h3>At vero eos et accusam et justo</h3>
                               <p>
                                   Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
                                   takimata sanctus est Lorem ipsum dolor sit amet.
                               </p>
                               <a href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
                           </div>
                       </div>
                   </div>

      I do not see any reason not to allow class attributes in HTML code. There might be other problems with these rules, but this is a showstopper.
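The stripping described in the report follows from how the OWASP Java HTML Sanitizer works: it is whitelist-based, so any attribute the policy does not name explicitly is dropped, `class` included. The following is an added illustration written for this page, not code from OFBiz, from this ticket's patches, or from the OWASP project. It builds two `HtmlPolicyBuilder` policies for the elements used in the example, one that says nothing about `class` (reproducing the stripped output above) and one that allows `class` under a pattern. The sample markup is a constructed, shortened copy of the report's snippet with the FreeMarker `<@ofbizUrl>`/`<@ofbizContentUrl>` macros replaced by plain relative paths, and the class-name pattern `CLASS_NAMES` is an assumption made here, not a rule the ticket specifies.

```java
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Demonstrates why "class" disappears: the OWASP Java HTML Sanitizer drops every
 * attribute a policy has not explicitly allowed, on every element.
 */
public class ClassAttributePolicyDemo {

    /** Constructed sample: a shortened copy of the ticket's markup without the FreeMarker macros. */
    static final String INPUT =
        "<div class=\"item\">"
      + "<img src=\"/webcontent/img/slider/1.jpg\" alt=\"\" />"
      + "<div class=\"container\"><div class=\"slider-overlay\">"
      + "<h2>Lorem ipsum dolor sit amet</h2>"
      + "<p>Stet clita kasd gubergren, no sea takimata sanctus est.</p>"
      + "<a class=\"btn btn-grey\" href=\"cms/~webpage_id=100\">weitere Informationen</a>"
      + "</div></div></div>";

    /** Assumed constraint on class values (letters, digits, whitespace, comma, dash, underscore); not from the ticket. */
    static final Pattern CLASS_NAMES = Pattern.compile("[a-zA-Z0-9\\s,\\-_]+");

    /** Elements and URL attributes allowed, "class" never mentioned: this reproduces the stripping in the report. */
    static final PolicyFactory WITHOUT_CLASS = new HtmlPolicyBuilder()
        .allowElements("div", "img", "h2", "h3", "p", "a")
        .allowAttributes("src", "alt").onElements("img")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()   // http, https, mailto; relative URLs pass as well
        .toFactory();

    /** Same policy plus an explicit, pattern-restricted "class" on every allowed element. */
    static final PolicyFactory WITH_CLASS = new HtmlPolicyBuilder()
        .allowElements("div", "img", "h2", "h3", "p", "a")
        .allowAttributes("src", "alt").onElements("img")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()
        .allowAttributes("class").matching(CLASS_NAMES).globally()
        .toFactory();

    /** Returns true if the sanitized output still carries at least one class attribute. */
    static boolean keepsClass(PolicyFactory policy, String html) {
        return policy.sanitize(html).contains("class=");
    }

    public static void main(String[] args) {
        System.out.println("without class rule -> " + WITHOUT_CLASS.sanitize(INPUT));
        System.out.println("with class rule    -> " + WITH_CLASS.sanitize(INPUT));
        System.out.println("class survives without rule: " + keepsClass(WITHOUT_CLASS, INPUT));
        System.out.println("class survives with rule:    " + keepsClass(WITH_CLASS, INPUT));
    }
}
```

`allowAttributes("class").globally()` without `matching(...)` is the fully permissive form. A `class` value cannot execute script by itself, so allowing it does not reopen the XSS hole the sanitizer is there to close; what it does allow is content authors hooking any rule in the site's stylesheets, which is why a character whitelist on the value is the usual middle ground.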

        Attachments

        1. OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch (1 kB, Mathieu Lirzin)
        2. OFBIZ-10187_Sanitizer_16.11.patch (16 kB, Michael Brohl)
        3. OFBIZ-10187_Sanitizer_New.patch (17 kB, Dennis Balkir)
        4. OFBIZ-10187_Sanitizer.patch (17 kB, Dennis Balkir)


              People

               • Assignee: mbrohl Michael Brohl
               • Reporter: mbrohl Michael Brohl
               • Votes: 1
               • Watchers: 4
