
I am using HDIV 2.1.9 with spring and I have the following config

<hdiv:paramsWithoutValidation>
      <hdiv:mapping url="/secured/content/*." parameters="data"/>
</hdiv:paramsWithoutValidation>

Under the /secured/content/ URL I have a lot of pages with input text areas named data that are used to store content from HTML JavaScript editors (Summernote). HDIV does not exclude the data parameter from POSTs, and every time I try to save the HTML data an HDIV access exception is produced.

How can I configure HDIV correctly to exclude the data input from validation? It would be great if there were an option for HDIV to allow safe HTML text from editors (without script tags or other dangerous XSS code). It is not very flexible to produce an HDIV violation even for inline style tags produced by JavaScript editors. A modern web app almost always contains a text area that allows basic HTML code.

1 Answer


You have disabled integrity validation for these 'data' parameters, but not the editable validation.

Find the doc here: http://www.hdiv.org/hdiv-documentation-single/doc.html#configuration-editabledata

You have to add this config option to disable all validation rules for the given parameters:

<hdiv:editableValidations>
    <hdiv:validationRule url="/secured/content/.*" parameters="data" enableDefaults="false"></hdiv:validationRule>
    More rules...
</hdiv:editableValidations>
gillarramendi
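As an added example (not the answer's or the poster's own config), this is how the two mechanisms fit together in an HDIV 2.1.x XML config: the integrity exclusion from the question, plus an editable-validation rule that switches off the default rules for the editor parameter and applies one custom rule instead. The `hdiv:validation` element with `id`, `acceptedPattern`/`rejectedPattern`, and referencing the rule ID as the text of `validationRule`, are assumed from HDIV's documented config format; the pattern itself is a constructed sample.

```xml
<!-- Added example; assumes the HDIV 2.1.x XML namespace config (not the poster's file). -->

<!-- 1. Integrity validation: skip the hidden-state check for "data" on editor pages.
        The url attribute is a regex, so use ".*" (as in the answer), not "*." as in the
        question's snippet. -->
<hdiv:paramsWithoutValidation>
    <hdiv:mapping url="/secured/content/.*" parameters="data"/>
</hdiv:paramsWithoutValidation>

<!-- 2. Custom editable rule (element syntax assumed from HDIV docs): reject values that
        contain a <script> tag. Written as a full-match pattern so it behaves the same
        whether HDIV applies it with matches() or find(). -->
<hdiv:validation id="editorHtml">
    <hdiv:rejectedPattern><![CDATA[(?is).*<\s*script.*]]></hdiv:rejectedPattern>
</hdiv:validation>

<!-- 3. Editable validation: for "data" under /secured/content/, drop HDIV's default
        XSS/SQLi rules (enableDefaults="false") and apply only the custom rule above. -->
<hdiv:editableValidations>
    <hdiv:validationRule url="/secured/content/.*" parameters="data" enableDefaults="false">editorHtml</hdiv:validationRule>
</hdiv:editableValidations>
```

A rejected pattern is a blocklist and will not cover every way markup can carry script, so treat it as a first gate only and run an allowlist HTML sanitizer server-side before storing editor content.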