myfaces-dev mailing list archives

From "Udo Schnurpfeil (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Created] (TOBAGO-1400) Sanitize potentially malicious content in tc:textarea and tc:out
Date Wed, 28 May 2014 15:10:01 GMT
Udo Schnurpfeil created TOBAGO-1400:
---------------------------------------

             Summary: Sanitize potentially malicious content in tc:textarea and tc:out
                 Key: TOBAGO-1400
                 URL: https://issues.apache.org/jira/browse/TOBAGO-1400
             Project: MyFaces Tobago
          Issue Type: New Feature
          Components: Themes
    Affects Versions: 2.0.0-beta-4
            Reporter: Udo Schnurpfeil
            Assignee: Udo Schnurpfeil


When using
<tc:out escape="false"/>
or
<tc:textarea>
  <tc:dataAttribute name="html-editor"/>
</tc:textarea>
the content is normally HTML. This code should be sanitized to protect against XSS.
Sanitizing can be configured in the tobago-config.xml and should be enabled by default.

See also: 
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer



--
This message was sent by Atlassian JIRA
(v6.2#6252)
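The following is an added example, not code from Tobago or from the issue above, showing the kind of whitelist-based sanitizer the issue and the linked OWASP rule #6 / jsoup cookbook page call for. It uses the jsoup API only (`Jsoup.clean`, `Jsoup.isValid`, `Whitelist`); the class name, the tag set chosen for the whitelist, and the `sanitizeEnabled` flag standing in for the proposed tobago-config.xml switch are assumptions for illustration. Newer jsoup releases (1.14 and later) call the `Whitelist` class `Safelist`; the method names are the same.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Hypothetical sanitizer for HTML that reaches tc:out escape="false" or an
 * html-editor-backed tc:textarea. Everything not on the whitelist (script,
 * event handler attributes, javascript: URLs, img with onerror, ...) is dropped
 * by jsoup's Cleaner rather than escaped, so the surviving markup still renders.
 */
public class HtmlSanitizerExample {

    // Deliberately narrower than Whitelist.relaxed(): plain formatting plus links.
    // No <img>, no style attributes, and only http/https/mailto link targets, so
    // a javascript: or data: href is removed along with any on* attribute.
    private static final Whitelist EDITOR_WHITELIST = new Whitelist()
            .addTags("a", "b", "blockquote", "br", "code", "em", "i", "li", "ol",
                     "p", "pre", "strong", "u", "ul", "h1", "h2", "h3")
            .addAttributes("a", "href", "title")
            .addProtocols("a", "href", "http", "https", "mailto")
            .addEnforcedAttribute("a", "rel", "nofollow");

    // Stands in for the "enabled by default" switch the issue proposes for
    // tobago-config.xml; an application would read this from configuration.
    private static volatile boolean sanitizeEnabled = true;

    public static void setSanitizeEnabled(boolean enabled) {
        sanitizeEnabled = enabled;
    }

    /** Returns HTML that only contains whitelisted tags, attributes and URL schemes. */
    public static String sanitize(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, EDITOR_WHITELIST);
    }

    /** True when the input would pass through the cleaner unchanged (useful for validation on input). */
    public static boolean isSafe(String html) {
        return Jsoup.isValid(html, EDITOR_WHITELIST);
    }

    /** What a renderer for escape="false" would emit: sanitized unless the switch is off. */
    public static String renderUnescaped(String html) {
        return sanitizeEnabled ? sanitize(html) : html;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, the rest typical XSS payloads.
        String[] samples = {
            "<p>Hello <b>world</b></p>",
            "<p>x<script>alert(1)</script></p>",
            "<a href=\"javascript:alert(1)\">click</a>",
            "<img src=x onerror=alert(1)>",
            "<p onmouseover=\"alert(1)\">hover</p>",
            "<a href=\"https://example.org/\" title=\"t\">ok</a>",
        };
        for (String s : samples) {
            System.out.printf("%-50s valid=%-5b -> %s%n", s, isSafe(s), renderUnescaped(s));
        }
    }
}
```

Two points a practitioner would check before wiring this in: jsoup parses the input as a body fragment and re-serializes it, so the output is normalized HTML rather than the original string (fine for rendering, but do not compare it byte-for-byte with the stored value), and the whitelist must match what the HTML editor on the client is allowed to produce, otherwise legitimate formatting silently disappears. Sanitizing at render time, as proposed, also covers data that was stored before the feature existed; `isSafe` can additionally be used to reject bad input at submit time.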
