scriptProtect doesn't filter out tag on* attributes

Description

this.scriptprotect="all"; only invalidates tags, but not dangerous attributes like onclick, onload, onerror, etc.

https://docs.lucee.org/reference/tags/application.html#attribute-scriptprotect

scriptProtect should be updated to strip any on* attributes, perhaps using jsoup (which already supports OSGi)

https://github.com/jhy/jsoup/

https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

or

https://github.com/lucee/Lucee/blob/5.3/core/src/main/java/lucee/runtime/security/ScriptProtect.java

any HTML tag should have any on* attributes automatically stripped out, or invalidAttribute added, when scriptProtect is enabled

it would be good to expose this as a BIF too, i.e. getSafeHtml()

https://dev.lucee.org/t/would-it-make-sense-to-add-a-tag-function-to-validate-and-or-sanitize-html-input-to-lucee/1253
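As an added illustration of the two approaches suggested above (not code from Lucee or jsoup): a plain jsoup pass that drops any on* attribute while leaving the tag itself in place, beside jsoup's allow-list sanitizer, which only lets allow-listed tags and attributes through and so never passes an event handler. The class and method names are hypothetical and the sample markup is constructed.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Attribute;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;   // jsoup 1.14+; older releases name this class Whitelist

import java.util.ArrayList;
import java.util.List;

public class OnAttributeStrip {

    // Constructed sample: every tag here is harmless, the event-handler attributes are not.
    // Note the mixed case on ONERROR, which a case-sensitive check would miss.
    static final String SAMPLE =
        "<p>hello</p>"
      + "<img src=\"https://example.com/x.png\" ONERROR=\"alert(1)\">"
      + "<a href=\"https://example.com/\" onclick=\"alert(2)\">link</a>";

    /** Drop every attribute whose name starts with "on" (case-insensitive), keep everything else. */
    static String stripOnAttributes(String html) {
        Document doc = Jsoup.parseBodyFragment(html);
        for (Element el : doc.body().getAllElements()) {
            // collect first, then remove: mutating while iterating the attribute list is unsafe
            List<String> toRemove = new ArrayList<>();
            for (Attribute a : el.attributes()) {
                if (a.getKey().toLowerCase().startsWith("on")) {
                    toRemove.add(a.getKey());
                }
            }
            for (String key : toRemove) {
                el.removeAttr(key);
            }
        }
        return doc.body().html();
    }

    /** Allow-list approach: anything not in the Safelist (tag or attribute) is removed.
     *  on* attributes are never allow-listed, so they cannot survive this pass.
     *  Relative URLs are also dropped unless a base URI is supplied to Jsoup.clean. */
    static String cleanWithSafelist(String html) {
        return Jsoup.clean(html, Safelist.basicWithImages());
    }

    /** Validation counterpart: true only if the input already satisfies the Safelist. */
    static boolean isSafeHtml(String html) {
        return Jsoup.isValid(html, Safelist.basicWithImages());
    }

    public static void main(String[] args) {
        System.out.println(stripOnAttributes(SAMPLE));   // tags kept, ONERROR/onclick gone
        System.out.println(cleanWithSafelist(SAMPLE));   // same visible result via allow-list
        System.out.println(isSafeHtml(SAMPLE));          // false: the sample carries handlers
    }
}
```

The first method matches the "strip on* attributes" wording in this ticket; the Safelist pair is closer to what a getSafeHtml() BIF would wrap.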

Environment

None

Assignee

Unassigned

Reporter

Zac Spitzer

Priority

New

Fix versions

None
