ZEN-31099: sanitize html before inserting it
According to OWASP there are some vulnerabilities if we insert raw HTML
without sanitizing it.
Create a blacklist of tags that are forbidden to use and a whitelist
of attributes that can be used, and then filter the HTML code.
rderkach committed Dec 12, 2018
1 parent a87f87d commit f462285
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions ZenPacks/zenoss/Dashboard/browser/resources/js/defaultportlets.js
@@ -306,7 +306,16 @@
value: this.content,
allowBlank: false,
height: 100,
width: 200
width: 200,
listeners: {
afterrender: function(me) {
Ext.tip.QuickTipManager.register({
target: me.getId(),
title : 'Warning',
text : 'Your HTML will be processed according to security rules'
});
}
}
}];
return fields;
},
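Review bot: the QuickTip registered in `afterrender` is never unregistered, so a tip stays bound to the element id after the component is destroyed and re-created; add a matching `beforedestroy` listener that calls `Ext.tip.QuickTipManager.unregister(me.getId())`. The tooltip text 'Your HTML will be processed according to security rules' also gives the user nothing actionable; say which tags and attributes are removed so users understand why their saved markup differs from what they typed.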
@@ -341,7 +350,7 @@
},
convertToValidHTMLString: function (HTMLString) {
var tempDiv = document.createElement('div');
tempDiv.innerHTML = HTMLString;
tempDiv.innerHTML = Zenoss.util.sanitizeHtml(HTMLString);

return tempDiv.innerHTML;
}
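Review bot: `Zenoss.util.sanitizeHtml` is not part of this diff, so the review cannot confirm what it removes; the commit message describes a tag blacklist, which is weaker than a tag allowlist because any tag the list does not name passes through. Note also the order in `convertToValidHTMLString`: the string is sanitized, then parsed by assigning `tempDiv.innerHTML`, then re-serialized by reading `innerHTML` back, so what is stored is the browser's re-parse of the sanitized text rather than the sanitized text itself. Sanitizing the parsed DOM (or using a DOM-based library such as DOMPurify) and adding unit tests with known-bad inputs for the script, event-handler and href cases would make the behaviour verifiable.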

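Added example (the editor's, not Zenoss code and not the `Zenoss.util.sanitizeHtml` called in the diff): an allowlist sanitizer in the style the commit message describes, but with tags allowlisted as well as attributes, so anything not listed is dropped by default. The tag and attribute lists and the `SAFE_URL` scheme check are assumptions chosen for the example; it is a small string tokenizer for illustration, and in a browser a DOM-based sanitizer such as DOMPurify handles the parsing corner cases a tokenizer like this does not.

```javascript
// Allowlist HTML sanitizer (added example; lists below are assumptions).
// Tags and attributes not listed are dropped; script/style bodies are
// dropped with their tags; href must use a vetted scheme.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'span']);
const ALLOWED_ATTRS = { a: ['href', 'title'], span: ['class'] };   // per-tag attribute allowlist
const RAW_TEXT_TAGS = new Set(['script', 'style']);                 // drop tag and its body
const VOID_TAGS = new Set(['br']);
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;                      // scheme allowlist for href

function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Keep only the attributes allowlisted for this tag; emit them double-quoted.
function sanitizeAttrs(tag, attrText) {
  const attrRe = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const allowed = ALLOWED_ATTRS[tag] || [];
  let out = '', m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    if (!allowed.includes(name)) continue;                 // on*, style, etc. are never listed
    if (name === 'href' && !SAFE_URL.test(value.trim())) continue;
    out += ' ' + name + '="' + value.replace(/"/g, '&quot;') + '"';
  }
  return out;
}

function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;   // simplistic tag tokenizer
  let out = '', last = 0, skipUntil = null, m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (skipUntil) {                                       // inside a dropped script/style body
      if (closing && tag === skipUntil) { skipUntil = null; last = tagRe.lastIndex; }
      continue;
    }
    out += escapeText(html.slice(last, m.index));          // text between tags is escaped
    last = tagRe.lastIndex;
    if (!closing && RAW_TEXT_TAGS.has(tag)) { skipUntil = tag; continue; }
    if (!ALLOWED_TAGS.has(tag)) continue;                  // unlisted tag dropped, its text kept
    if (closing) { if (!VOID_TAGS.has(tag)) out += '</' + tag + '>'; continue; }
    out += '<' + tag + sanitizeAttrs(tag, m[3]) + '>';
  }
  if (!skipUntil) out += escapeText(html.slice(last));     // unterminated script body: drop rest
  return out;
}
```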