[Sakai Jira] Assigned: (SAKIII-4773) SaneHTML sanitizer sanitizes field attributes unnecessarily
Chris Roby (JIRA)
sakai-ui-dev-tracking at collab.sakaiproject.org
Tue Feb 14 11:59:06 PST 2012
[ https://jira.sakaiproject.org/browse/SAKIII-4773?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Roby reassigned SAKIII-4773:
----------------------------------
Assignee: Christian Vuerings
> SaneHTML sanitizer sanitizes field attributes unnecessarily
> -----------------------------------------------------------
>
> Key: SAKIII-4773
> URL: https://jira.sakaiproject.org/browse/SAKIII-4773
> Project: Sakai OAE UI Dev
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.2.0
> Reporter: Scot Hacker
> Assignee: Christian Vuerings
> Fix For: 1.3.0
>
>
> The saneHTML sanitizer in lib/sakai/sakai.api.util.js strips new attributes (such as aria-describedby="foo") from form fields.
> Yes, the function provides a whitelist to add/allow new attributes, but we're wondering why it does this at all. Attributes that we developers add to the codebase are trusted by definition - very different from sanitizing content entered into form fields by end users. Do we really need to be sanitizing our own internal attributes?
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira