HTML sanitization for all displayed XHTML data content
As Jens,
I want the DE to apply HTML sanitization to any displayed data-owner-defined XHTML information whose DSD carries an annotation of type 'LAYOUT_XHTML',
So that the end user is protected from injection of malicious code and from app-breaking styles or scripts.
Functional specifications
An HTML sanitization tool, such as this one, should be applied using its default/standard settings for allowed/disallowed HTML features (e.g. link types, images). The list of allowed/disallowed HTML features must then be configurable/overridable in the DE config, per DE scope.
The data-owner-defined XHTML information includes:
- any displayed observation values
- any displayed attribute values
- any displayed referential metadata values
- any descriptions (dataflow, concepts, codes)
A new SDMX annotation at DSD level indicates that the values of the listed components (OBS_VALUE or attributes) are to be displayed as HTML and are therefore to be sanitized. The annotation format is:
<common:Annotation>
    <common:AnnotationTitle>OBS_VALUE,NOTES</common:AnnotationTitle>
    <common:AnnotationType>LAYOUT_XHTML</common:AnnotationType>
</common:Annotation>
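The following is an added illustration, not DE project code: it reads the LAYOUT_XHTML annotation to decide which components are rendered as HTML, builds the per-scope allowlist (default settings overridable per DE scope), and escapes every other value as plain text. The config shape borrows DOMPurify's option names; the DE config key names and the `sanitize` callback are assumptions.

```javascript
// Added example (not DE code). Sanitizer config uses DOMPurify-style option names;
// `sanitize(html, config)` is injected so the decision logic runs without a DOM.

// Constructed sample: the ticket's annotation as the DE would see it after parsing the DSD.
const SAMPLE_ANNOTATIONS = [
  { title: 'OBS_VALUE,NOTES', type: 'LAYOUT_XHTML' },
  { title: 'Some other annotation', type: 'NOT_DISPLAYED' },
];

// Component ids named in the AnnotationTitle of every LAYOUT_XHTML annotation.
function layoutXhtmlComponents(annotations) {
  const ids = new Set();
  for (const a of annotations) {
    if (a.type !== 'LAYOUT_XHTML' || typeof a.title !== 'string') continue;
    a.title.split(',').map((s) => s.trim()).filter(Boolean).forEach((id) => ids.add(id));
  }
  return ids;
}

// Conservative defaults: basic formatting, lists, links and images; no event handlers,
// no style attribute, no script/iframe/object, only http(s)/mailto URIs.
const DEFAULT_SANITIZER_CONFIG = {
  ALLOWED_TAGS: ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'img'],
  ALLOWED_ATTR: ['href', 'title', 'src', 'alt', 'target', 'rel'],
  ALLOWED_URI_REGEXP: /^(?:https?|mailto):/i,
};

// Per-scope override (assumed DE config layout: { [scope]: { allowedTags, allowedAttr } }).
// A scope may narrow or extend the default allowlist; absent keys keep the defaults.
function effectiveSanitizerConfig(scope, scopeConfig = {}) {
  const override = scopeConfig[scope] || {};
  return {
    ...DEFAULT_SANITIZER_CONFIG,
    ALLOWED_TAGS: override.allowedTags || DEFAULT_SANITIZER_CONFIG.ALLOWED_TAGS,
    ALLOWED_ATTR: override.allowedAttr || DEFAULT_SANITIZER_CONFIG.ALLOWED_ATTR,
  };
}

// Values of components not listed in the annotation are never parsed as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Markup to render for one cell: sanitized HTML for annotated components, escaped text otherwise.
function displayValue(componentId, value, htmlComponents, config, sanitize) {
  if (htmlComponents.has(componentId)) {
    return { html: true, markup: sanitize(String(value), config) };
  }
  return { html: false, markup: escapeHtml(value) };
}
```

In the browser, `sanitize` would be `DOMPurify.sanitize` called with the effective config for the current DE scope.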
Examples
- any displayed observation values: https://de-qa.siscc.org/vis?lc=en&df%5Bds%5D=qa%3Astable&df%5Bid%5D=QDD_TEST_DF&df%5Bag%5D=QDD_TEST&df%5Bvs%5D=1.0&av=true&pd=%2C&dq=..
- any displayed attribute values: https://de-qa.siscc.org/vis?lc=en&df[ds]=qa%3Astable&df[id]=DF_JENS_DAILY&df[ag]=UNSD&df[vs]=1.0&av=true&pd=2015-01-01%2C2020-02-02&dq=D..............
- any displayed referential metadata values: https://de-qa.siscc.org/vis?lc=en&df[ds]=qa%3Astable&df[id]=MILLED_RICE&df[ag]=TN1&df[vs]=1.0&av=true&pd=2015%2C2018&dq=..A, https://de-qa.siscc.org/vis?lc=en&df[ds]=qa%3Astable&df[id]=SNA_TABLE1&df[ag]=OECD&df[vs]=1.0&av=true&pd=2015%2C2020&dq=..
- any descriptions (dataflow, concepts, codes): https://de-qa.siscc.org/vis?lc=en&df[ds]=qa%3Astable&df[id]=MILLED_RICE&df[ag]=TN1&df[vs]=1.0&av=true&pd=2015%2C2018&dq=..A, https://de-qa.siscc.org/?lc=en&tm=Proportion%20of%20children%20engaged%20in%20economic%20activity&pg=0