Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-12258

Adding tel protocol in CustomPermissivePolicy is not working

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Trunk, 18.12.01
    • 18.12.01
    • None
    • None

    Description

      At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.

      When checking the policies in org.owasp.html.JoinedAttributePolicy

        public @Nullable String apply(
            String elementName, String attributeName, @Nullable String value) {
          for (AttributePolicy p : policies) {
            if (value == null) { break; }
            value = p.apply(elementName, attributeName, value);
          }
          return value;
        }
      

      It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tell protocol, there are now several policies, the Cusomized policy which allows the protocol (I added it there) and the Standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.

       

      Attachments

        Issue Links

          Activity

            People

              mbrohl Michael Brohl
              wpaetzold Wiebke Paetzold
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: