call clean-html.xpl for whole instance


call clean-html.xpl for whole instance

mike123


Orbeon does HTML cleanup only for the rich text editor. A user can enter JavaScript in an input box or in a text area. I am trying to call clean-html.xpl at xforms-submit-done, but it's not getting executed, nor am I getting any error.

Code:

<!-- After a successful submit, run the instance through clean-html.xpl via xxf:call-xpl
     and replace the instance root with the 'clean-html' output of the pipeline -->
<xf:action ev:event="xforms-submit-done">
    <xf:insert ref="instance('fr-form-instance')"
               origin="xxf:call-xpl('oxf:/ops/xforms/clean-html.xpl', 'dirty-html', instance('fr-form-instance'), 'clean-html')"/>
</xf:action>


Any solution for this?

Re: call clean-html.xpl for whole instance

Alessandro  Vernet
Administrator
Hi Mike,

Doing "cleanup" for other fields shouldn't be needed, because the values of those fields are not rendered as HTML. That is, it is perfectly safe to allow a user to enter HTML+JavaScript in a text field when that value is then rendered by that text field: it will just be shown as-is. Or do you maybe have some other use case in mind?

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet

Re: call clean-html.xpl for whole instance

mike123
Hi Alex,

It's a bit project specific. In our project we have a confirmation page where we show only some specific information that the user has entered, by processing the form data XML and rendering only that specific data on that page. I am rendering that data as HTML, hence I am facing that issue.

For example: I may be getting all the card information in the Orbeon form, but I will display only the card number on the confirmation page. If the user entered some JavaScript code like <script>alert("hi")</script> in the card number field, it gets executed on the confirmation page where I am trying to call. It works perfectly fine in the read-only form view, as it adds a pre HTML tag. But we don't want that kind of data to be saved at all.
This issue was raised by our security team while doing a pentest.

From a bit of googling, I found that Orbeon uses html-cleanup to strip off such characters, but I am not able to call that from my form definition XML.

P.S. We have embedded Orbeon into our web app.
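The two checks a defender would want for the confirmation page described in this thread, written here as an added example in Python rather than taken from the thread or from Orbeon. It assumes a small constructed form instance (the element names `card`, `card-holder` and `card-number` and the per-field format rules are assumptions for illustration, not the fr-form-instance layout). It shows the point made earlier in the thread, that a value is only dangerous when it is rendered as HTML, by putting raw interpolation next to HTML-escaped output, and it shows how to refuse to store a card number that does not match its expected format, so a script payload in that field is rejected instead of saved:

```python
"""Defensive checks for form values that get rendered on a confirmation page."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample of a submitted form instance (element names are assumptions
# for this example, not Orbeon's real instance layout). The card-number value is
# the kind of payload the thread describes, stored as escaped XML text.
SAMPLE_INSTANCE = """<form>
  <card>
    <card-holder>Mike</card-holder>
    <card-number>&lt;script&gt;alert("hi")&lt;/script&gt;</card-number>
  </card>
</form>"""

# Assumed format rules: a card number is digits (spaces allowed), a holder name is
# letters, spaces, apostrophes and hyphens. Neither ever legitimately contains '<'.
FIELD_RULES = {
    "card-number": re.compile(r"[0-9 ]{12,23}"),
    "card-holder": re.compile(r"[-A-Za-z' ]{1,60}"),
}


def field_value(instance_xml: str, field: str) -> str:
    """Pull one field's text out of the instance XML (empty string if absent)."""
    root = ET.fromstring(instance_xml)
    el = root.find(f".//{field}")
    if el is None or el.text is None:
        return ""
    return el.text


def validate_instance(instance_xml: str) -> dict:
    """Check every field that has a rule; return {field: reason} for failures.

    Run this before saving: a value such as '<script>...' does not match the
    card-number rule, so the submission is rejected rather than stored.
    """
    problems = {}
    for field, rule in FIELD_RULES.items():
        value = field_value(instance_xml, field)
        if rule.fullmatch(value) is None:
            problems[field] = "does not match expected format"
    return problems


def render_unsafe(value: str) -> str:
    """Raw interpolation: this is what lets a stored script run on the page."""
    return f"<td>{value}</td>"


def render_escaped(value: str) -> str:
    """Output encoding: the browser displays the characters and executes nothing."""
    return f"<td>{html.escape(value, quote=True)}</td>"


if __name__ == "__main__":
    number = field_value(SAMPLE_INSTANCE, "card-number")
    print("validation:", validate_instance(SAMPLE_INSTANCE))
    print("unsafe:    ", render_unsafe(number))
    print("escaped:   ", render_escaped(number))
```

Format validation at accept time is the cheapest fix for fields like a card number, where markup can never be legitimate; escaping at render time is the one that protects every field regardless of what was stored, and the confirmation page should do it even if cleanup on save is added later.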

Re: call clean-html.xpl for whole instance

Alessandro  Vernet
Administrator
Hi Mike,

I understand the use case. Unfortunately, you can't call clean-html.xpl for all fields, but we understand how this could be a valuable feature. For now, I've added an RFE:

https://github.com/orbeon/orbeon-forms/issues/2957

Most likely however, we won't get a chance to do this in the near future, unless a customer decides to sponsor work on this feature (http://www.orbeon.com/services).

Alex
--
Follow Orbeon on Twitter: @orbeon
Follow me on Twitter: @avernet