Restriction Enhancement for HTML Format in Content via REST
Problem Statement
Currently, dotCMS allows HTML format to be set in content added via REST without proper restrictions. This poses a security risk and may lead to unintended consequences such as cross-site scripting (XSS) vulnerabilities. There is a need to enhance the system to restrict or validate HTML input more effectively.
Steps to Reproduce
- Use the REST API to add or update content.
- Include HTML content, scripts, or potentially malicious code in the input fields.
- Observe that the HTML content is accepted without proper validation, posing a security risk.
Acceptance Criteria
- HTML Validation: Enhance the dotCMS system to validate HTML input more effectively when content is added via REST.
- Restrictions on Unsafe Tags: Restrict or filter out unsafe HTML tags, scripts, and potentially malicious code to prevent security vulnerabilities.
- User-Friendly Error Handling: Provide clear and user-friendly error messages when the input violates HTML format restrictions.
dotCMS Version
Tested on master // Docker // FF
Proposed Objective
Quality Assurance
Proposed Priority
Priority 1 - Show Stopper
Also we need to handle other cases when you try to execute a script.
It looks like the script is not running and sanitization works well on that front, but for other tags we probably should address it.
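The acceptance criteria above ask for allowlist validation of HTML in REST input with user-facing error messages, and the comment just above notes that stripping scripts alone leaves other tags unaddressed. The following is an added example written for this page, not dotCMS code: a small allowlist sanitizer that distinguishes plain-text fields (title, description) from a rich-text field, records every rejected tag, attribute or URL scheme as a message suitable for a 400 response, and shows for contrast why a script-only blocklist is insufficient. The tag allowlist, the field schema, the field names and the sample request body are all constructed assumptions, not dotCMS's actual content types or REST payload format.

```python
"""Allowlist-based validation of HTML in REST content fields.

Added example, not dotCMS code. The allowlist, field names, schema and
sample payload below are constructed for illustration only.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed conservative allowlist for rich-text fields; extend per content type.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}   # "" allows relative URLs
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from allowed tags only; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.rejected = [], []   # rejected: reasons for the error body
        self._skip = 0                     # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_CONTENT_TAGS:
                self._skip += 1
            return
        if tag in DROP_CONTENT_TAGS:       # drop the element and its content
            self.rejected.append(f"<{tag}> is not permitted")
            self._skip = 1
            return
        if tag not in ALLOWED_TAGS:        # drop the tag, keep its text
            self.rejected.append(f"<{tag}> is not permitted")
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                self.rejected.append(f"attribute {name!r} on <{tag}> is not permitted")
            elif name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_URL_SCHEMES:
                self.rejected.append(f"href scheme not permitted: {value!r}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag   # handles <br/> and similar

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_CONTENT_TAGS:
                self._skip -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):            # comments, declarations, PIs are never emitted
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(value):
    """Rich-text field: returns (clean_html, list_of_rejection_reasons)."""
    p = AllowlistSanitizer()
    p.feed(value)
    p.close()
    return "".join(p.out), p.rejected


def validate_payload(payload, schema):
    """schema maps field name -> 'text' | 'html' (assumed per-content-type config).

    Returns (clean_payload, errors); errors is a list of (field, reason)
    pairs, i.e. the user-facing messages the acceptance criteria ask for.
    """
    clean, errors = {}, []
    for field, kind in schema.items():
        value = payload.get(field, "")
        if kind == "text":                  # plain-text fields carry no markup
            if "<" in value or ">" in value:
                errors.append((field, "plain-text field; markup is not permitted"))
            clean[field] = html.escape(value, quote=True)
        else:
            clean[field], reasons = sanitize_html(value)
            errors.extend((field, r) for r in reasons)
    return clean, errors


_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)


def blocklist_strip_script(value):
    """The inadequate approach, for contrast: removing only <script> blocks
    leaves event-handler attributes and javascript: URLs in other tags intact."""
    return _SCRIPT_RE.sub("", value)


# Constructed sample request body; field names are illustrative only.
SAMPLE_PAYLOAD = {
    "title": "Hello <script>alert(1)</script>",
    "description": "Plain description",
    "body": ('<p>Hi <b onclick="steal()">there</b>'
             '<img src="x" onerror="alert(1)">'
             '<a href="javascript:alert(1)">bad</a>'
             '<a href="https://example.com">ok</a>'
             '<script>alert(2)</script></p>'),
}
SCHEMA = {"title": "text", "description": "text", "body": "html"}

if __name__ == "__main__":
    clean, errors = validate_payload(SAMPLE_PAYLOAD, SCHEMA)
    print("blocklist leaves:", blocklist_strip_script(SAMPLE_PAYLOAD["body"]))
    print("allowlist keeps :", clean["body"])
    for field, reason in errors:
        print(f"400 {field}: {reason}")
```

Run as a script, the blocklist line still contains the `onerror` handler and the `javascript:` link, while the allowlist output keeps only `<p>`, `<b>`, and the `https:` anchor and reports each rejection per field. Whether a request with rejections is stored in cleaned form or refused outright is a policy choice; the error list supports either.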
@bryanboza Did you try validation regex? The description and title are text fields. You need to set the regex in the text field while creating the content type. There is regex for each such as text, title, description, search and so on.
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.
@bryanboza @mbiuki Any updates here?