- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 16.11.04, Release Branch 18.12, Release Branch 17.12, Trunk
- Component/s: ALL COMPONENTS
- Labels:

The current implementation of the sanitizer breaks the proper rendering of HTML code. In our case, class attributes are stripped from the HTML content.
Example:
    <div class="item">
        <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
        <div class="container">
            <div class="slider-overlay">
                <h2>Lorem ipsum dolor sit amet</h2>
                <h3>At vero eos et accusam et justo</h3>
                <p>
                    Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.
                </p>
                <a class="btn btn-grey" href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
            </div>
        </div>
    </div>
will be rendered to
    <div>
        <img src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg</@ofbizContentUrl>" alt="" />
        <div>
            <div>
                <h2>Lorem ipsum dolor sit amet</h2>
                <h3>At vero eos et accusam et justo</h3>
                <p>
                    Lorem ipsum dolor sit amet, consetetur sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet.
                </p>
                <a href="<@ofbizUrl>cms/~webpage_id=100</@ofbizUrl>">weitere Informationen</a>
            </div>
        </div>
    </div>
I do not see any reason to not allow class attributes in HTML code. There might be other problems with these rules, but this is a showstopper.
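
An added example, not part of the report or of OFBiz's own code: how an allowlist policy can permit class attributes, restricted to plain class tokens, while other attributes stay blocked. It assumes the OWASP Java HTML Sanitizer as the library (the page does not name one); the element allowlist, the token pattern and the sample markup are constructed for illustration.

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class ClassAttributePolicyExample {

    // Constructed sample markup, modelled on the slider snippet in the report.
    static final String SAMPLE =
          "<div class=\"slider-overlay\" onclick=\"track()\">"
        + "<h2>Lorem ipsum</h2>"
        + "<a class=\"btn btn-grey\" href=\"/cms/page\">weitere Informationen</a>"
        + "<p class=\"note;{}\">dolor sit amet</p>"
        + "</div>";

    // class values: one or more space-separated tokens of letters, digits, '_' and '-'.
    static final Pattern CLASS_TOKENS =
        Pattern.compile("[A-Za-z0-9_-]+(?: +[A-Za-z0-9_-]+)*");

    // Elements and URL attributes shared by both policies (hypothetical allowlist).
    static HtmlPolicyBuilder base() {
        return new HtmlPolicyBuilder()
            .allowElements("div", "h2", "h3", "p", "a", "img")
            .allowAttributes("href").onElements("a")
            .allowAttributes("src", "alt").onElements("img")
            .allowStandardUrlProtocols();
    }

    // Reproduces the reported behaviour: "class" is not allowlisted, so it is dropped.
    static final PolicyFactory WITHOUT_CLASS = base().toFactory();

    // Allows "class" on every permitted element, but only with values that match
    // CLASS_TOKENS. Event handlers such as onclick stay off the allowlist.
    static final PolicyFactory WITH_CLASS = base()
        .allowAttributes("class").matching(CLASS_TOKENS).globally()
        .toFactory();

    public static void main(String[] args) {
        System.out.println("without class: " + WITHOUT_CLASS.sanitize(SAMPLE));
        System.out.println("with class:    " + WITH_CLASS.sanitize(SAMPLE));
    }
}
```
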
- is related to
  - OFBIZ-5254 Services allow arbitrary HTML for parameters with allow-html set to "safe" (Closed)
  - OFBIZ-11265 Getting policy error while editing html text data using cms (Closed)