From: "Udo Schnurpfeil (JIRA)"
To: dev@myfaces.apache.org
Reply-To: "MyFaces Development" (dev@myfaces.apache.org)
Date: Wed, 28 May 2014 15:10:01 +0000 (UTC)
Subject: [jira] [Created] (TOBAGO-1400) Sanitize potentially malicious content in tc:textarea and tc:out

Udo Schnurpfeil created TOBAGO-1400:
---------------------------------------

             Summary: Sanitize potentially malicious content in tc:textarea and tc:out
                 Key: TOBAGO-1400
                 URL: https://issues.apache.org/jira/browse/TOBAGO-1400
             Project: MyFaces Tobago
          Issue Type: New Feature
          Components: Themes
    Affects Versions: 2.0.0-beta-4
            Reporter: Udo Schnurpfeil
            Assignee: Udo Schnurpfeil


When having tc:textarea or tc:out, the content normally is HTML. This code should be sanitized to protect against XSS.

Sanitizing can be configured in the tobago-config.xml, and should be enabled by default.

See also:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

--
This message was sent by Atlassian JIRA
(v6.2#6252)
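The ticket asks for exactly what OWASP rule #6 and the linked jsoup cookbook describe: when a component must render user-supplied markup rather than escape it, the markup is parsed and rebuilt from an allow-list of elements, attributes and URL schemes, so that script elements, event-handler attributes and javascript: URLs cannot survive. The following is an added illustration of that mechanism, not code from Tobago, MyFaces or jsoup; it is a self-contained Python allow-list sanitizer built on the standard-library HTML parser, with an assumed allow-list (the ALLOWED, VOID, ALLOWED_SCHEMES and DROP_WITH_CONTENT sets) chosen for the example. In a real deployment one would use a maintained library such as jsoup's sanitizer, as the ticket proposes, rather than hand-rolled code; the example shows what such a library has to get right.

```python
"""Allow-list HTML sanitizer (added example, not Tobago or jsoup code).

Everything not explicitly allowed is dropped: unknown elements lose their
tags but keep their text, script/style lose their content too, unknown
attributes (onclick, onerror, style, ...) are removed, and URL attributes
must carry an allowed scheme or be relative.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this example: element -> attributes that may survive.
ALLOWED = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set(), "pre": set(),
}
VOID = {"br", "img"}                      # elements that never get a closing tag
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

# Browsers ignore C0 control characters and spaces when parsing a URL scheme,
# so "java\tscript:" must be judged as "javascript:".
_CTRL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value):
    """Return the value if it is relative or uses an allowed scheme, else None."""
    try:
        scheme = urlsplit(_CTRL_OR_SPACE.sub("", value)).scheme.lower()
    except ValueError:
        return None
    if scheme == "" or scheme in ALLOWED_SCHEMES:
        return value.strip()
    return None


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []   # allowed elements currently open in the output
        self.skip = 0     # > 0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return                          # unknown element: drop tag, keep its text
        parts = [tag]
        for name, value in attrs:           # attribute values arrive entity-decoded
            if name not in ALLOWED[tag]:
                continue                    # drops onerror=, onclick=, style=, ...
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue                # javascript:, data:, vbscript: ... removed
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip:
                self.skip -= 1
            return
        if self.skip or tag not in self.stack:
            return
        # Close anything opened after this element so the output stays well-formed.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))   # text is re-escaped

    def handle_comment(self, data):
        pass                                # comments are dropped entirely

    def result(self):
        self.close()                        # flush buffered text
        while self.stack:                   # close elements the input left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(dirty):
    """Rebuild untrusted HTML from the allow-list; safe to emit with escape=false."""
    s = Sanitizer()
    s.feed(dirty)
    return s.result()


if __name__ == "__main__":
    # Constructed sample input for the example.
    print(sanitize('<p onclick="x()">Hi <b>there</b></p>'
                   '<a href="java&#9;script:alert(1)">x</a>'
                   '<script>alert(1)</script><img src="x" onerror="alert(1)">'))
```

The two properties worth noting are that attribute values are inspected after entity decoding (so `java&#9;script:` is caught) and that the output is rebuilt from scratch rather than patched with regexes, which is the point of rule #6: a sanitizer is a parser plus an allow-list, and an escaping routine cannot substitute for it once raw HTML is to be rendered.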