[seam-commits] Seam SVN: r9179 - trunk.
seam-commits at lists.jboss.org
Thu Oct 2 16:26:34 EDT 2008
Author: christian.bauer at jboss.com
Date: 2008-10-02 16:26:34 -0400 (Thu, 02 Oct 2008)
New Revision: 9179
Modified:
trunk/seam-text.g
Log:
Sanitizing HTML form tags
Modified: trunk/seam-text.g
===================================================================
--- trunk/seam-text.g 2008-10-02 18:12:15 UTC (rev 9178)
+++ trunk/seam-text.g 2008-10-02 20:26:34 UTC (rev 9179)
@@ -107,6 +107,10 @@
*
* 7. Not implemented filtering of CSS url() - it's an invalid value always.
*
+ * 8. Removed all <form>, <input> and other form tags. Attackers might use them compromise "outer" forms when entering
+ * markup in a textarea.
+ *
+ *
*/
public static class DefaultSanitizer implements SeamTextParser.Sanitizer {
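Review bot: Comment item 8 claims all form tags are removed, but the new allowlist in the second hunk (the line beginning `"label", "legend", "li"`) still accepts `label` and `legend`, which are form-related elements; a `<label for="…">` can hand clicks to a control outside the sanitized fragment, which is exactly the interaction with "outer" forms the comment describes. Either drop `"label"` and `"legend"` from `acceptableElements` as well, or narrow the comment to the tags that were actually removed. Whether the `for` attribute is rejected depends on the attribute allowlist, which is not part of this diff, so that cannot be confirmed here. The comment wording `Attackers might use them compromise "outer" forms` is missing "to", and there are two consecutive empty ` *` lines before the closing `*/`. The DefaultSanitizer class body continues outside the hunk.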
@@ -128,12 +132,12 @@
protected java.util.Set<String> acceptableElements = new java.util.HashSet(java.util.Arrays.asList(
"a", "abbr", "acronym", "address", "area", "b", "bdo", "big", "blockquote",
- "br", "button", "caption", "center", "cite", "code", "col", "colgroup", "dd",
- "del", "dfn", "dir", "div", "dl", "dt", "em", "fieldset", "font", "form",
- "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "img", "input", "ins", "kbd",
- "label", "legend", "li", "map", "menu", "ol", "optgroup", "option", "p",
- "pre", "q", "s", "samp", "select", "small", "span", "strike", "strong",
- "sub", "sup", "table", "tbody", "td", "textarea", "tfoot", "th", "thead",
+ "br", "caption", "center", "cite", "code", "col", "colgroup", "dd",
+ "del", "dfn", "dir", "div", "dl", "dt", "em", "font",
+ "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "img", "ins", "kbd",
+ "label", "legend", "li", "map", "menu", "ol", "p",
+ "pre", "q", "s", "samp", "small", "span", "strike", "strong",
+ "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead",
"tr", "tt", "u", "ul", "var", "wbr"
));