
Restriction Enhancement for HTML Format in Content via REST

Open bryanboza opened this issue 1 year ago • 5 comments

Problem Statement

Currently, dotCMS allows HTML format to be set in content added via REST without proper restrictions. This poses a security risk and may lead to unintended consequences such as cross-site scripting (XSS) vulnerabilities. There is a need to enhance the system to restrict or validate HTML input more effectively.

[Screenshot attached: 2024-01-30 1:06:43 PM]

Steps to Reproduce

  • Use the REST API to add or update content.
  • Include HTML content, scripts, or potentially malicious code in the input fields.
  • Observe that the HTML content is accepted without proper validation, posing a security risk.

Acceptance Criteria

  • HTML Validation: Enhance the dotCMS system to validate HTML input more effectively when content is added via REST.
  • Restrictions on Unsafe Tags: Restrict or filter out unsafe HTML tags, scripts, and potentially malicious code to prevent security vulnerabilities.
  • User-Friendly Error Handling: Provide clear and user-friendly error messages when the input violates HTML format restrictions.

dotCMS Version

Tested on master // Docker // FF

Proposed Objective

Quality Assurance

Proposed Priority

Priority 1 - Show Stopper

bryanboza, Jan 30 '24 19:01
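The three acceptance criteria above (validate on ingest, strip or reject unsafe tags and scripts, return a clear error) amount to an allowlist sanitizer sitting in front of the content API. The following is an added example of that pattern written in Python with only the standard library; it is not dotCMS code, and the tag and attribute allowlists, the function names and the `HtmlNotAllowed` error type are assumptions chosen for illustration. It goes slightly beyond the issue text by also rejecting `javascript:`-style URL schemes in `href` and by dropping the text inside `<script>`/`<style>`, since an allowlist that kept that text would still leak the payload as escaped content.

```python
"""Allowlist-based HTML validation for content submitted through a REST API.

Added example (not dotCMS code). Two modes are offered: sanitize() returns the
cleaned markup plus a list of violations, validate_strict() rejects any input
that needed cleaning with a message suitable for a 400 response body.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Policy (assumed for illustration; a real deployment would scope this per field)
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "a", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Tags whose text content must be dropped together with the tag itself
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_url(value):
    """Relative URLs and allowlisted schemes only; scheme is lowercased by urlparse."""
    parsed = urlparse(value.strip())
    return parsed.scheme == "" or parsed.scheme in ALLOWED_URL_SCHEMES


class HtmlPolicy(HTMLParser):
    """Walks the HTML, re-emits only allowlisted markup, records every violation."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.violations = []
        self._dropping = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping += 1
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}> is not allowed")
            return
        kept = []
        for name, value in attrs:
            value = value or ""  # boolean attributes arrive with value None
            if name.startswith("on"):
                self.violations.append(f"event handler '{name}' on <{tag}> is not allowed")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.violations.append(f"attribute '{name}' on <{tag}> is not allowed")
            elif name == "href" and not _safe_url(value):
                self.violations.append(f"href value {value!r} uses a disallowed URL scheme")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS and self._dropping:
            self._dropping -= 1
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped on output; it is never trusted as markup.
        if not self._dropping:
            self.out.append(escape(data, quote=False))
    # Comments, processing instructions and declarations are silently dropped.


def sanitize(html):
    """Return (clean_html, violations); clean_html contains allowlisted markup only."""
    policy = HtmlPolicy()
    policy.feed(html)
    policy.close()
    return "".join(policy.out), policy.violations


class HtmlNotAllowed(ValueError):
    """Raised in strict mode; the message names every rejected construct."""


def validate_strict(html):
    """Reject, rather than silently rewrite, input that violates the policy."""
    clean, violations = sanitize(html)
    if violations:
        raise HtmlNotAllowed("HTML content rejected: " + "; ".join(violations))
    return clean


if __name__ == "__main__":
    # Constructed sample of the kind of body the issue describes
    SAMPLE = ('<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>'
              '<a href="javascript:alert(1)">x</a>'
              '<a href="https://example.com">ok</a><br/></p>')
    clean, problems = sanitize(SAMPLE)
    print(clean)
    for problem in problems:
        print("-", problem)
```

Which mode to wire into the endpoint is a product decision: `validate_strict` satisfies the "user-friendly error" criterion directly, while `sanitize` is the better fit where editors paste rich text and a silent cleanup is preferable to a rejected save. Either way the check belongs on the server side of the REST call, since the screenshot in the issue shows the input arriving unmodified.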