Trouble with xwiki syntax


Khemais Menzli

Sep 16, 2016, 1:46:33 PM
to owasp-java-html-...@googlegroups.com
Hi,
I'm working with an application that relies on xwiki.
I faced a problem with HtmlSanitizer when I try to sanitize content that contains <!-- -->.
For example, HtmlSanitizer.sanitize("<!-- a comment --> <p> I'm here ") will return <p> I'm here
Is there any way to keep the comment tag after sanitization?
Thank you

eXo Platform

khemais menzli / PreSales Director 
kme...@exoplatform.com / (216) 28 71 47 24

eXo Platform 
Tunisia 
http://www.exoplatform.com


This e-mail message may contain confidential or legally privileged information and is intended only for the use of the intended recipient(s). Any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is prohibited. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, or contain viruses. Anyone who communicates with us by e-mail is deemed to have accepted these risks. eXoPlatform is not responsible for errors or omissions in this message and denies any responsibility for any damage arising from the use of e-mail. Any opinion and other statement contained in this message and any attachment are solely those of the author and do not necessarily represent those of the company.

Mike Samuel

Sep 16, 2016, 1:57:56 PM
to OWASP Java HTML Sanitizer Support

No.  The sanitizer strips all comments since comments are often used by obscure and relatively poorly tested browser features to carry code.

What's in these comments that you need to preserve?



Khemais Menzli

Sep 21, 2016, 8:34:15 AM
to OWASP Java HTML Sanitizer Support, mikes...@gmail.com


On Friday, 16 September 2016 18:57:56 UTC+1, Mike Samuel wrote:

> No.  The sanitizer strips all comments since comments are often used by obscure and relatively poorly tested browser features to carry code.
>
> What's in these comments that you need to preserve?

In my platform we use a wiki module (based on xwiki syntax) in which comments are required.
Why not have an option to enable/disable stripping comments based on the context where the sanitizer is running?

Mike Samuel

Sep 21, 2016, 10:26:58 AM
to Khemais Menzli, OWASP Java HTML Sanitizer Support
On Wed, Sep 21, 2016 at 5:34 AM, Khemais Menzli <kme...@exoplatform.com> wrote:


> On Friday, 16 September 2016 18:57:56 UTC+1, Mike Samuel wrote:
>
>> No.  The sanitizer strips all comments since comments are often used by obscure and relatively poorly tested browser features to carry code.
>>
>> What's in these comments that you need to preserve?
>
> In my platform we use a wiki module (based on xwiki syntax) in which comments are required.
> Why not have an option to enable/disable stripping comments based on the context where the sanitizer is running?

If untrusted users are authoring wiki content, can you run the sanitizer on the output of the wiki->html converter?

We don't have an option to disable comment stripping because not stripping comments is potentially dangerous.

Khemais Menzli

Sep 21, 2016, 11:24:49 AM
to mikes...@gmail.com, OWASP Java HTML Sanitizer Support



On Wed, Sep 21, 2016 at 3:26 PM, Mike Samuel <mikes...@gmail.com> wrote:

> On Wed, Sep 21, 2016 at 5:34 AM, Khemais Menzli <kme...@exoplatform.com> wrote:
>
>> On Friday, 16 September 2016 18:57:56 UTC+1, Mike Samuel wrote:
>>
>>> No.  The sanitizer strips all comments since comments are often used by obscure and relatively poorly tested browser features to carry code.
>>>
>>> What's in these comments that you need to preserve?
>>
>> In my platform we use a wiki module (based on xwiki syntax) in which comments are required.
>> Why not have an option to enable/disable stripping comments based on the context where the sanitizer is running?
>
> If untrusted users are authoring wiki content, can you run the sanitizer on the output of the wiki->html converter?

Sounds good, I'll use it.

Mike Samuel

Sep 21, 2016, 12:40:59 PM
to Khemais Menzli, OWASP Java HTML Sanitizer Support
On Wed, Sep 21, 2016 at 8:24 AM, Khemais Menzli <kme...@exoplatform.com> wrote:
>
>
> khemais menzli / PreSales Director
> kme...@exoplatform.com / (216) 28 71 47 24
>> If untrusted users are authoring wiki content, can you run the sanitizer
>> on the output of the wiki->html converter.
>
> Sounds good, I'll use it

Yeah. If you sanitize wiki text instead of HTML, then the wiki->html converter is in your TCB (https://en.wikipedia.org/wiki/Trusted_computing_base), which is probably not ideal.
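The arrangement Mike recommends in this thread, sanitizing what the converter emits rather than the wiki markup it consumes, written out as an added Java example against the OWASP Java HTML Sanitizer `PolicyFactory` API (this is not code from the list, from eXo or from XWiki). The `WikiToHtml` interface and the lambda that implements it are assumptions standing in for a real renderer; the input strings are constructed.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public final class WikiRenderPipeline {

    // Hypothetical stand-in for the wiki->html converter; the real XWiki
    // rendering API is not part of this example.
    interface WikiToHtml {
        String render(String wikiText);
    }

    // Whitelist of what the rendered page may contain. Comments are never on
    // any policy's list, so they are dropped regardless of how the policy is built.
    private static final PolicyFactory POLICY =
        Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);

    private final WikiToHtml converter;

    WikiRenderPipeline(WikiToHtml converter) {
        this.converter = converter;
    }

    // Recommended order: the sanitizer runs on the converter's output, so the
    // converter is not in the trusted computing base. Anything it emits or
    // passes through (comments, raw tags) is still filtered before the browser.
    String renderUntrusted(String wikiText) {
        String rawHtml = converter.render(wikiText);
        return POLICY.sanitize(rawHtml);
    }

    // The order first proposed in the thread: sanitize the wiki text, then convert.
    // The sanitizer sees only markup, so it has no say over what the converter
    // generates afterwards; correctness now rests entirely on the converter.
    String renderSanitizeFirst(String wikiText) {
        String cleanedWiki = POLICY.sanitize(wikiText);
        return converter.render(cleanedWiki);
    }

    public static void main(String[] args) {
        // Constructed converter that, like a permissive renderer might, passes
        // HTML comments and inline tags through untouched.
        WikiToHtml naive = wiki -> "<!-- emitted by converter --><p>" + wiki + "</p>";
        WikiRenderPipeline pipeline = new WikiRenderPipeline(naive);

        String input = "hello <!-- author note --> **world**";
        System.out.println("sanitize last : " + pipeline.renderUntrusted(input));
        System.out.println("sanitize first: " + pipeline.renderSanitizeFirst(input));
    }
}
```

Running it shows the first line free of both comments while the second still carries the one the converter added, which is the TCB point in the message above.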