Author: christian.bauer(a)jboss.com
Date: 2008-10-02 16:26:34 -0400 (Thu, 02 Oct 2008)
New Revision: 9179
Modified:
trunk/seam-text.g
Log:
Sanitizing HTML form tags
Modified: trunk/seam-text.g
===================================================================
--- trunk/seam-text.g 2008-10-02 18:12:15 UTC (rev 9178)
+++ trunk/seam-text.g 2008-10-02 20:26:34 UTC (rev 9179)
@@ -107,6 +107,10 @@
*
* 7. Not implemented filtering of CSS url() - it's an invalid value always.
*
+ * 8. Removed all <form>, <input> and other form tags. Attackers might
use them compromise "outer" forms when entering
+ * markup in a textarea.
+ *
+ *
*/
public static class DefaultSanitizer implements SeamTextParser.Sanitizer {
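Review bot: The new item 8 says all form tags were removed, but `"label"` and `"legend"` are still on the new side of the acceptableElements list in the next hunk (added line `"label", "legend", "li", "map",`); a `<label for="...">` in sanitized text can still be associated with a control of the enclosing page form, so either drop those two as well or narrow the comment to what the list actually loses (`form`, `input`, `button`, `select`, `option`, `optgroup`, `textarea`, `fieldset`). The added sentence `Attackers might use them compromise "outer" forms` is also missing "to". It would help a reader of item 8 to say what happens to a disallowed element (dropped or input rejected), since that is not visible in this diff. DefaultSanitizer starts on the last line of this hunk and its body continues outside the diff.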
@@ -128,12 +132,12 @@
protected java.util.Set<String> acceptableElements = new
java.util.HashSet(java.util.Arrays.asList(
"a", "abbr", "acronym", "address",
"area", "b", "bdo", "big",
"blockquote",
- "br", "button", "caption", "center",
"cite", "code", "col", "colgroup",
"dd",
- "del", "dfn", "dir", "div",
"dl", "dt", "em", "fieldset", "font",
"form",
- "h1", "h2", "h3", "h4",
"h5", "h6", "hr", "i", "img",
"input", "ins", "kbd",
- "label", "legend", "li", "map",
"menu", "ol", "optgroup", "option",
"p",
- "pre", "q", "s", "samp",
"select", "small", "span", "strike",
"strong",
- "sub", "sup", "table", "tbody",
"td", "textarea", "tfoot", "th",
"thead",
+ "br", "caption", "center", "cite",
"code", "col", "colgroup", "dd",
+ "del", "dfn", "dir", "div",
"dl", "dt", "em", "font",
+ "h1", "h2", "h3", "h4",
"h5", "h6", "hr", "i", "img",
"ins", "kbd",
+ "label", "legend", "li", "map",
"menu", "ol", "p",
+ "pre", "q", "s", "samp",
"small", "span", "strike", "strong",
+ "sub", "sup", "table", "tbody",
"td", "tfoot", "th", "thead",
"tr", "tt", "u", "ul",
"var", "wbr"
));