Fix(request sanitizer): add possibility to define excluded parameters

Add property to list of attributes excluded from sanitizer protection when the property is not set in security-config.properties Relates to PR 1063 for bonita-web-sp Relates to [CVE-58](https://bonitasoft.atlassian.net/browse/CVE-58)
bonitasoft · Jan 18, 2024 · 26b2469 · 26b2469
1 parent c4e4a2d
commit 26b2469
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/platform/platform-resources/src/main/resources/platform_portal/security-config.properties b/platform/platform-resources/src/main/resources/platform_portal/security-config.properties
@@ -1,7 +1,9 @@
-#Enable/disable the Sanitizer protection activation. This sanitizer protects against multiple attacks such as XSS, but may restrict the use of some character sequences.
-security.sanitizer.enabled true
 #Enable/disable CSRF security filter
 security.csrf.enabled true
+#Enable/disable the Sanitizer protection activation. This sanitizer protects against multiple attacks such as XSS, but may restrict the use of some character sequences.
+security.sanitizer.enabled true
+#Name of the Attributes excluded from sanitizer protection (comma separated)
+security.sanitizer.exclude email,password,password_confirm
 #Add  or not the secure flag to the CSRF token cookie (HTTPS only)
 security.csrf.cookie.secure false
 #X-Frame-Options response header value