Images policy of XSS sanitize java action from CommunityCommons is not working

1
Hi all,   We use the XSS sanitize java action from the CommunityCommons with all policies active. However, when we enter a String value of the following, the String is completely emptied by the XSS sanitize java action: <img src="data:image/jpeg;base64,/9j/4AA[...]P/Z" /> (on the[...] a full string representation of an image is written.   We use Modeler 7.23.19 en have CommunityCommons version 8.2.0. Does anyone know why this happens and how we can avoid this to happen?   Thanks for your replies!
asked
2 answers
0

Looking at the code, the XSS Sanitize Java Action uses the OWASP project.

For images, it uses the built in image sanitizer method, and the comment for this is that it only allows values in the src element to be http, https, or relative urls. This would block data urls, which is what you are seeing.

https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/Sanitizers.java#L120

To change this behaviour I think you are going to have to write your own version of the XSS Sanitize action to not use the image sanitizer provided, but to use your own rules.



 

answered
0

In addition to Robert's answer, this StackOverflow seems to suggest you can add a policy to allow data type entries in your policy. So you could extend the existing functions by adding an additional policy definition. But it would definitely require some additional Java coding.

answered