OFBIZ-12258: Adding tel protocol in CustomPermissivePolicy is not working

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk, 18.12.01
    • Fix Version/s: 18.12.01
    • Component/s: None
    • Labels: None

    Description

      At the moment it is not possible to allow the tel protocol via the CustomPermissivePolicy. The problem is that already in Sanitizers.LINKS the href attribute is allowed for HTTP, HTTPS and MAILTO.

      When checking the policies in org.owasp.html.JoinedAttributePolicy:

        // Applies every joined AttributePolicy in turn to the attribute value.
        // A policy that rejects the value returns null, which ends the loop,
        // so the value survives only if every policy in the chain accepts it.
        public @Nullable String apply(
            String elementName, String attributeName, @Nullable String value) {
          for (AttributePolicy p : policies) {
            if (value == null) { break; }
            value = p.apply(elementName, attributeName, value);
          }
          return value;
        }

      It is obvious that each policy must be satisfied to allow an attribute with corresponding values. In the case of the tel protocol, there are now several policies: the customized policy which allows the protocol (I added it there) and the standard policy which does not. For this reason it is currently not possible to allow the tel protocol via the CustomPermissivePolicy.
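      The following is an added illustration, not code from this issue or from the OFBiz code base. It assumes the OWASP java-html-sanitizer (org.owasp.html) is on the classpath; CUSTOM_PERMISSIVE is a hypothetical stand-in for OFBiz's CustomPermissivePolicy, and effectivePolicy is a hypothetical reconstruction of the selection the fix describes (defaults only when no custom policy exists), not OFBiz's actual method.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Shows why joining a custom policy with the default link rules cannot widen
 * the allowed URL protocols, and the "custom replaces defaults" selection.
 * Assumption: java-html-sanitizer (org.owasp.html) is on the classpath.
 */
public class TelProtocolPolicyDemo {

    // Hypothetical stand-in for OFBiz's CustomPermissivePolicy: links with tel: allowed.
    // allowUrlProtocols is an allow-list, so anything not named here stays rejected.
    static final PolicyFactory CUSTOM_PERMISSIVE = new HtmlPolicyBuilder()
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https", "mailto", "tel")
            .toFactory();

    // Stand-in for the default rule set: Sanitizers.LINKS permits http, https and mailto only.
    static final PolicyFactory DEFAULTS = Sanitizers.LINKS;

    /** Pre-fix composition: defaults AND custom. Every AttributePolicy in the join must accept the value. */
    static PolicyFactory joinedWithDefaults(PolicyFactory custom) {
        return DEFAULTS.and(custom);
    }

    /** Post-fix selection (hypothetical reconstruction): defaults are used only when no custom policy exists. */
    static PolicyFactory effectivePolicy(PolicyFactory customOrNull) {
        return customOrNull != null ? customOrNull : DEFAULTS;
    }

    public static void main(String[] args) {
        // Constructed sample input.
        String html = "<a href=\"tel:+15550100\">Call us</a>";

        // Joined: the href policy from LINKS returns null for tel:, so the href is
        // removed even though the custom policy on its own would have accepted it.
        System.out.println("joined : " + joinedWithDefaults(CUSTOM_PERMISSIVE).sanitize(html));

        // Custom policy only: the tel: href survives.
        System.out.println("custom : " + effectivePolicy(CUSTOM_PERMISSIVE).sanitize(html));

        // No custom policy configured: the defaults still apply and tel: is still rejected.
        System.out.println("default: " + effectivePolicy(null).sanitize(html));
    }
}
```

      Because JoinedAttributePolicy chains policies and stops at the first null, and() can only narrow what is permitted; to widen the protocol list the custom policy has to replace the default rules rather than be joined with them, which is what the fix does. The caveat for anyone configuring a CustomPermissivePolicy is that it then carries the whole allow-list on its own, so it should name only the schemes that are actually needed.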

          Activity

            wpaetzold Wiebke Paetzold added a comment - I have created a PR in which the default Sanitizer rules are only loaded if no CustomPermissivePolicy exists.

            jleroux Jacques Le Roux added a comment - Hi Wiebke, I did not follow all the tel protocol thing, but the PR sounds good to me, +1 for commit
            mbrohl Michael Brohl added a comment - Thanks Wiebke, this is merged in trunk / GitHub now. The change was not synchronized with ASF Gitbox so I leave this open for backport to 18.12 later.

            jira-bot ASF subversion and git services added a comment - Commit 1f0797d5f32c8c040963a0b96196aaebaf9152ae in ofbiz-framework's branch refs/heads/release18.12 from Wiebke Pätzold
            [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=1f0797d ]

            Fixed: Adding tel protocol in CustomPermissivePolicy is not working
            (OFBIZ-12258)

            With these changes, the default sanitizers rules are only loaded if
            there is no CustomPermissivePolicy
            mbrohl Michael Brohl added a comment - This is now backported to 18.12 as well.

            People

              Assignee: mbrohl Michael Brohl
              Reporter: wpaetzold Wiebke Paetzold
              Votes: 0
              Watchers: 4