8.2.1 "Html was modified by sanitizer"

Forum to discuss the Web client version of Servoy.

8.2.1 "Html was modified by sanitizer"

Postby bcusick » Fri Oct 20, 2017 6:44 pm

So... ummmm... I'm testing our legacy (7.4.10) Web Client applications in 8.2.1 - and I keep getting this:
Code: Select all
WARN com.servoy.j2db.util.Debug - Html was modified by sanitizer:
Original html: '<html><head></head><body><a href="javascript:adminPopMenu()">Admin <span class='caret'></span></a> | <a href="javascript: nav_reports()">Reports</a> | <a href="javascript: nav_myInfo()">My Info</a> | <a href="javascript: nav_logOut()">Sign Out</a></body></html>',
Sanitized html: '<html>
<head></head>
<body>
  <a href="javascript:adminPopMenu()">Admin <span class="caret"></span></a> |
  <a href="javascript: nav_reports()">Reports</a> |
  <a href="javascript: nav_myInfo()">My Info</a> |
  <a href="javascript: nav_logOut()">Sign Out</a>
</body>
</html>'


OK - so from what I could tell - it just re-wrapped it to make it pretty - no big deal.

HOWEVER, when it's rendered in Chrome - NONE of the links work! Basically re-writes my HTML to TAKE OUT all of my anchor links where I trigger a method:

html_rewrite_error.jpg


Is there a setting or something I'm missing?

This is on my DEVELOPMENT machine - using Servoy Developer:

Servoy version 8.2.1 -releaseNumber 3105
Port used by RMI Registry: 1099
Repository version 49

java.vm.name=Java HotSpot(TM) 64-Bit Server VM
java.version=1.8.0_151
java.vm.info=mixed mode
java.vm.vendor=Oracle Corporation

os.name=Windows 10
os.version=10.0
You do not have the required permissions to view the files attached to this post.
Bob Cusick
bcusick
 
Posts: 1226
Joined: Wed Apr 23, 2003 11:27 pm
Location: Thousand Oaks, CA USA

Re: 8.2.1 "Html was modified by sanitizer"

Postby patrick » Fri Oct 20, 2017 7:26 pm

This is a security measure that was introduced with I think 8.0. See here: https://wiki.servoy.com/pages/viewpage. ... d=23397000

You can turn this off globally in servoy-admin, first setting "servoy.clientTrustDataAsHtml", although that is not recommended.
Patrick Ruhsert
Servoy DACH
patrick
 
Posts: 3654
Joined: Wed Jun 11, 2003 10:33 am
Location: Munich, Germany

Re: 8.2.1 "Html was modified by sanitizer"

Postby ROCLASI » Fri Oct 20, 2017 7:29 pm

Hi Bob,

I haven't tested if this makes any difference but use
Code: Select all
javascript:methodName()

instead of
Code: Select all
javascript: methodName()

Notice the space after javascript:


Hope this helps.


Edit: I guess it's the XSS protection in 8.x
Robert Ivens
ROCLASI Software Solutions / JBS Group, Partner
SAN Developer / Servoy Valued Professional / Servoy Certified Developer
Twitter: @roclasi / @servoyforge
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5285
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: 8.2.1 "Html was modified by sanitizer"

Postby bcusick » Fri Oct 20, 2017 10:41 pm

Hey Robert: Taking out the space did NOT fix it.

Patrick: OK, I see that I can do it per element - that will work for now (but is sort of a pain-in-the-ass to go through all the places it's used).

I APPRECIATE both of your quick responses!
Bob Cusick
bcusick
 
Posts: 1226
Joined: Wed Apr 23, 2003 11:27 pm
Location: Thousand Oaks, CA USA


Return to Servoy Web Client

Who is online

Users browsing this forum: No registered users and 5 guests