Christian Bauer updated JBSEAM-3058:
------------------------------------
Fix Version/s: 2.0.x
Priority: Blocker (was: Major)
HTML and CSS sanitation filters for Seam Text
---------------------------------------------
Key: JBSEAM-3058
URL: http://jira.jboss.com/jira/browse/JBSEAM-3058
Project: Seam
Issue Type: Task
Components: Wiki, Seam Text
Reporter: Christian Bauer
Assigned To: Christian Bauer
Priority: Blocker
Fix For: 2.0.x
Although we only allow certain elements and attributes, and do not allow quotes and
ampersands in HTML fragments parsed through Seam Text, various XSS attack vectors are
still open.
1. We can't remove IMG and A from the allowed list of HTML elements because they are
already used in probably hundreds of documents. So we need to filter the SRC and HREF
attribute values.
2. We need to filter the STYLE attribute on any element, because a)
background:url(javascript) is executed on most browsers b) Internet Explorer also executes
background-color: expression(javascript). But, the STYLE attribute is used for document
layout on production sites (mostly with DIV elements) and there simply is no alternative.
The following rules from the Ruby/Python rules can be a starting point:
http://wiki.whatwg.org/wiki/Sanitization_rules
First, implement the callbacks/stacks in seam-text.g so this filter can be hooked in as a
SeamTextParser extension.
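Added here as an illustrative sketch, not code from the Seam project or from the reporter: a hypothetical attribute filter (class and method names are assumed, Java 9+ for Set.of) that applies the two rules above, a scheme allow list for SRC/HREF values and a reject list for STYLE values containing url() or expression(), which the SeamTextParser extension mentioned above could call for each attribute it encounters.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical attribute filter for the two cases in JBSEAM-3058 (assumed name, not Seam code).
public final class SeamTextAttributeFilter {
    // Only these schemes may appear in SRC/HREF; any other scheme (javascript:, data:, ...) is dropped.
    private static final Set<String> SAFE_SCHEMES = Set.of("http", "https", "mailto", "ftp");

    // CSS constructs that run script in some browsers: url(...) and IE's expression(...),
    // plus a few related ones assumed here (behavior:, binding:, @import).
    private static final Pattern UNSAFE_CSS = Pattern.compile(
            "(?i)(url\\s*\\(|expression\\s*\\(|@import|behavio?u?r\\s*:|binding\\s*:|javascript:)");

    public static boolean isSafeUrl(String value) {
        if (value == null) return false;
        // Browsers ignore control characters and whitespace inside a scheme, so strip them first.
        String cleaned = value.replaceAll("[\\x00-\\x20\\x7f]", "").toLowerCase(Locale.ROOT);
        int colon = cleaned.indexOf(':');
        if (colon < 0) return true; // no scheme at all: relative URL
        for (int i = 0; i < colon; i++) {
            char c = cleaned.charAt(i);
            if (c == '/' || c == '?' || c == '#') return true; // ':' is in the path/query, not a scheme
        }
        return SAFE_SCHEMES.contains(cleaned.substring(0, colon));
    }

    public static boolean isSafeStyle(String value) {
        if (value == null) return false;
        // Strip CSS comments and reject backslash escapes: both can split or disguise a keyword.
        String cleaned = value.replaceAll("(?s)/\\*.*?\\*/", "");
        if (cleaned.indexOf('\\') >= 0) return false;
        return !UNSAFE_CSS.matcher(cleaned).find();
    }

    // Returns the value to keep, or null when the attribute must be removed from the element.
    public static String filterAttribute(String attrName, String value) {
        String name = attrName.toLowerCase(Locale.ROOT);
        if (name.equals("href") || name.equals("src")) return isSafeUrl(value) ? value : null;
        if (name.equals("style")) return isSafeStyle(value) ? value : null;
        return value; // other attributes are already restricted by the element/attribute allow list
    }

    public static void main(String[] args) {
        System.out.println(filterAttribute("href", "http://example.org/doc"));
        System.out.println(filterAttribute("src", "javascript:void(0)"));
        System.out.println(filterAttribute("style", "float:left;width:40%"));
        System.out.println(filterAttribute("style", "background:url(javascript:void(0))"));
    }
}
```

Rejecting the whole STYLE value rather than the single offending declaration is deliberate: it keeps the layout use case (float, width, margins on DIV) working while any value that reaches url() or expression() is dropped outright.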