Why is Azure AD B2C restricting the use of the 'for' attribute in custom UIs?

Problem description

Does anyone know why the sanitizerPolicy applied by B2C does not have the for attribute listed within the allowedAttributes list or if it's possible to modify the policy? I cannot think of any real vulnerability with allowing use of that attribute but instead it's stripped by the HTML sanitization of the HTML retrieved from the custom UI source. There is very little documentation to be found on the sanitizerPolicy.

The sanitizerPolicy is a complex property contained within the SETTINGS JavaScript object which is injected by the Expression framework (so B2C itself) into the B2C UI and used when loading remote content (e.g. custom UI HTML and CSS) for a specific content definition. The injected settings are then applied by JavaScript functions (e.g. sanitizeHTML) which are also injected by default by the Expression Framework. The functions and settings are used to restrict the HTML being served by the remote source (via the LoadUri property of the ContentDefinition in the Expression Framework). There is little or no documentation on this, so no useful links can be provided.

The current allowedAttribute array within the sanitizerPolicy is as follows: ['id', 'class', 'href', 'name', 'data-*', 'aria-*', 'type', 'lang', 'src', 'sizes', 'role', 'placeholder', 'title', 'width', 'height', 'style']

Context: My use case is that I would like to have a password policy toggle purely in CSS which makes use of a hidden checkbox and a label bound to the checkbox using the for attribute, but alas no binding, as the for attribute is stripped from the label element by the sanitizerPolicy upon rendering my custom UI.

There is a closed GitHub issue relating to a request to add proper documentation on this functionality. The location of that documentation is unknown, nor is any link to other open tasks to deliver the same provided.

Tags: azure-ad-b2c
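To make the stripping behaviour described in the question concrete, here is an added example (not B2C's injected sanitizeHTML and not from the question author) of an allowlist attribute filter built from the allowedAttributes array quoted above; how the 'data-*' and 'aria-*' wildcards are matched, and the sample markup, are assumptions. Run against the CSS-only toggle, it shows the label losing its for binding while the allowed attributes survive.

```javascript
// Added example (not B2C's injected sanitizeHTML): an allowlist attribute filter
// built from the allowedAttributes list quoted above; 'x-*' prefix matching is assumed.

// Allowlist exactly as quoted in the question.
const ALLOWED_ATTRIBUTES = ['id', 'class', 'href', 'name', 'data-*', 'aria-*', 'type',
  'lang', 'src', 'sizes', 'role', 'placeholder', 'title', 'width', 'height', 'style'];

// Build matchers once: plain names match exactly, 'foo-*' matches any 'foo-' prefix.
function compilePolicy(allowed) {
  const exact = new Set();
  const prefixes = [];
  for (const entry of allowed) {
    const lower = entry.toLowerCase();
    if (lower.endsWith('*')) prefixes.push(lower.slice(0, -1));
    else exact.add(lower);
  }
  return (attrName) => {
    const n = attrName.toLowerCase();
    return exact.has(n) || prefixes.some((p) => n.startsWith(p));
  };
}

// Regexes for start tags and their attribute list (sufficient for well-formed markup).
const START_TAG = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*(\/?)>/g;
const ATTRIBUTE = /([^\s"'=<>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Returns { html, dropped }: html with disallowed attributes removed, plus the
// names of the attributes that were stripped, in document order.
function sanitizeAttributes(html, allowed = ALLOWED_ATTRIBUTES) {
  const isAllowed = compilePolicy(allowed);
  const dropped = [];
  const out = html.replace(START_TAG, (_m, tag, attrs, selfClose) => {
    const kept = [];
    for (const a of attrs.matchAll(ATTRIBUTE)) {
      const [whole, name] = a;
      if (isAllowed(name)) kept.push(whole);
      else dropped.push(name);
    }
    const attrText = kept.length ? ' ' + kept.join(' ') : '';
    return `<${tag}${attrText}${selfClose ? ' /' : ''}>`;
  });
  return { html: out, dropped };
}

// Constructed sample: the CSS-only toggle from the question. The label's 'for' binding
// is lost, which is exactly why the checkbox trick stops working in B2C custom UI.
const SAMPLE = '<input type="checkbox" id="pw-toggle" class="toggle">' +
  '<label for="pw-toggle" class="lbl" data-role="hint">Show password policy</label>';
console.log(sanitizeAttributes(SAMPLE));
```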

Solution


I just received a reply from an Azure support engineer confirming that the "for" attribute is not supported when customizing the UI in an Azure B2C scenario. For now, they say that better documentation on this behavior is needed.
