Body

The Problem

The problem is described in Pat Nolan's blog Usage of the webclient.richtext.sanitize property https://www.ibm.com/developerworks/community/blogs/a9ba1efe-b731-4317-9724-a181d6155e3a/entry/Usage_of_the_webclient_richtext_sanitize_property?lang=en and elsewhere.

We now have to choose between enabling the cross-site scripting (XSS) protection in Rich Text Fields (webclient.richtext.sanitize = 1) OR being able to copy/paste images into Rich Text Fields (webclient.richtext.sanitize = 0)

I am not a security expert, so I can't comment on the real-world risk of disabling the XSS protection. Personally I would not want to have to turn off any security, but every client will have to form their own judgement.

A recent PMR drove me to find a way to do both (once again we can have our cake and eat it, which is great for solving problems, but not so good for the size of one's waist).

What's really going on?

The XSS protection filters the Rich Text using Open Source AntiSamy (some info can be fond here: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project)

With Maximo, we supply a configuration file called sanitizePolicy.xml  which lives in ....IBM\SMP\maximo\applications\maximo\properties.

It's a little tricky to find the syntax for the configuration rules (called Directives). The best source that I could find was https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owaspantisamy/Developer%20Guide.pdf

If we look at sanitzePolicy.xml, we see (amongst other things)

<!-- Image & image related tags -->
        
        <tag name="img" action="validate">
            <attribute name="src" onInvalid="removeTag">
                <regexp-list>
                    <regexp name="onsiteURL"/>
                    <regexp name="offsiteURL"/>
                </regexp-list>
            </attribute>
            <attribute name="name"/>
            <attribute name="alt"/>
            <attribute name="height"/>
            <attribute name="width"/>
            <attribute name="border"/>
            <attribute name="align"/>
            
            <attribute name="hspace">
                <regexp-list>
                    <regexp name="number"/>
                </regexp-list>
            </attribute>
            
            <attribute name="vspace">
                <regexp-list>
                    <regexp name="number"/>
                </regexp-list>            
            </attribute>
        </tag>

This means that we will remove img tags when the src attribute don't correspond to regular expressions in sanitizePolicy.xml called onsiteURL or offsiteURL. We have found the smoking gun.

If we use Windows Print Screen and then try to paste the resulting image from the clipboard into the RTE, we get a tag like <img alt="" src="data:image/png;base64,xxxxxx" /> where xxxx is the image itself.

This doesn't match the regular expressions, so it's Game Over and the tag is removed.

Solution(s)

We need to modify the rule.

There are many ways to skin this cat. The best way will be a matter of business requirements and personal preference.

Here are 2 solutions that I have tested:

1) Remove the filter for <src> attribute

Replace the above with:

<!-- Image & image related tags -->
        
        <tag name="img" action="validate">
            <attribute name="src"/>
            <attribute name="name"/>
            <attribute name="alt"/>
            <attribute name="height"/>
            <attribute name="width"/>
            <attribute name="border"/>
            <attribute name="align"/>
            
            <attribute name="hspace">
                <regexp-list>
                    <regexp name="number"/>
                </regexp-list>
            </attribute>
            
            <attribute name="vspace">
                <regexp-list>
                    <regexp name="number"/>
                </regexp-list>            
            </attribute>
        </tag>

This allows the tag regardless of the value of the src attribute. Nice and simple, but maybe a bit too much?

2) Add a new regular expression to allow the image to be pasted

First add something like this between the <common-regexps> and </common-regexps> tags

<regexp name="pasteimage" value="data:image\/png;.*"/>

Then modify the rule for img tags to use the new regexp:

<!-- Image & image related tags -->
        
        <tag name="img" action="validate">
            <attribute name="src" onInvalid="removeTag">
                <regexp-list>
                    <regexp name="onsiteURL"/>
                    <regexp name="offsiteURL"/>
                    <regexp name="pasteimage"/>
                </regexp-list>
            </attribute>
            <attribute name="name"/>
            <attribute name="alt"/>
            <attribute name="height"/>
            <attribute name="width"/>
            <attribute name="border"/>
            <attribute name="align"/>
            
            <attribute name="hspace">
                <regexp-list>
                    <regexp name="number"/>
                </regexp-list>
            </attribute>
            
            <attribute name="vspace">
                <regexp-list>
                    <regexp name="number"/>
                </regexp-list>            
            </attribute>
        </tag>

This keeps all of the original restrictions, but permits tags like <img alt="" src="data:image/png;...../>.

Maybe too restrictive because it won't allow .jpg or .gif, but that's easily addressed by modifying the above. I'll leave that as an exercise for the reader.

Reminder

A change to sanitizePolicy.xml requires a rebuild/redeploy of the maximo .ear file

Get Out Of Jail Free

The above are samples based on my testing and are presented on an AS-IS basis. Use and modify at your own cost/risk to suit your business requirements. Any concerns about the security impact should be addressed to your own expert.

Disclaimer

No cats were hurt while writing this blog.