Burp Suite User Forum


Burp Suite Professional 2022.3.1 is not supporting HTML tag

Aditi | Last updated: Apr 11, 2022 11:43AM UTC

Hi team,

We have one extension in which we have used HTML tags at different places to add color, font and other HTML features. Our extension was working fine with Burp Suite 2022.2.4, but after we upgraded to the newer versions (2022.3.1, 2022.3.2, 2022.3.3) our extension has started showing HTML as text. That means newer versions of Burp aren't supporting HTML. Our extension is working well with standalone Java and the older/stable version of Burp Suite, but not properly with newer versions.

This is just a part of the code snippet where we have used HTML:

DefaultMutableTreeNode topLevelNode = new DefaultMutableTreeNode("<html><font color=\"red\">"+BurpExtender.selectedComponentName +"</font></html>");
topLevelNode.setUserObject("<html><font color=\"red\">"+BurpExtender.selectedComponentName +"</font></html>");

Expected output: Change Password (in red color)

Actual output coming with newer versions (2022.3.1, 2022.3.2, 2022.3.3):
<html><font color="red">Change Password</font></html>"

Kindly provide HTML support in latest versions of Burp Suite.

Hannah, PortSwigger Agent | Last updated: Apr 11, 2022 12:48PM UTC

Hi

HTML rendering in Swing components has been disabled as a security measure in version 2022.3 and above.

If you'd like to enable it on specific components, you will need to add the following to your code:
<SwingComponentHere>.putClientProperty("html.disable", null);

Please let us know if you need any further assistance.

Antonio | Last updated: Jul 31, 2022 05:25PM UTC

Hi, this is a real inconvenience for an extension I am creating. I fail to understand how, if individual elements can disable this protection, this is going to increase the security, if an extension developer can just disable it for all elements in his extension.

In any case, the provided solution works for me for elements like buttons and labels, but it doesn't work for JTable cells. Some googling made me think that I need to look into cell renderers, but this is going to take me some time to figure out. I would appreciate some hints on how to re-enable HTML rendering for JTable cells on Jython.

Also, including these lines doesn't break the extension for the older versions of Burp, when this wasn't needed, right?

Thank you!

Hannah, PortSwigger Agent | Last updated: Aug 01, 2022 03:03PM UTC

Hi

The aim is to make extensions secure by default. You cannot disable this on a global level for all elements, it needs to be explicitly disabled on a specific component. As mentioned before, this was done as a security measure.

You can find more information on this in our release notes here: https://portswigger.net/burp/releases/professional-community-2022-2-3?requestededition=professional

We've been through older extensions and manually updated them so that the changes did not cause any issues for the extensions.

aditi | Last updated: Aug 26, 2022 05:37AM UTC

Hannah, thanks for the solution, it worked for me.
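
Added example, not part of the thread and not PortSwigger's code: one way to apply the per-component setting from Hannah's reply to JTable cells through a cell renderer, escaping the cell value so that text taken from HTTP traffic is displayed as text and cannot inject markup into the re-enabled HTML view. The class name `RedHtmlCellRenderer`, the helper `escapeHtml` and the column index in the usage comment are hypothetical, and the example assumes the `html.disable` client property is honoured on the renderer's own label.

```java
import java.awt.Component;
import javax.swing.JTable;
import javax.swing.table.DefaultTableCellRenderer;

/**
 * Hypothetical renderer: shows a column's values in red via HTML.
 * Usage (column index 0 is a constructed example):
 *   table.getColumnModel().getColumn(0).setCellRenderer(new RedHtmlCellRenderer());
 */
public class RedHtmlCellRenderer extends DefaultTableCellRenderer {

    /** Escape characters that are significant in HTML so the value renders as plain text. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    public Component getTableCellRendererComponent(JTable table, Object value,
            boolean isSelected, boolean hasFocus, int row, int column) {
        // The renderer is a JLabel separate from the JTable, so the property is
        // set here, on the renderer itself, and before the text is assigned.
        // Assumption: Burp honours the property on this label as it does on others.
        putClientProperty("html.disable", null);

        String text = (value == null) ? "" : value.toString();
        // Only the fixed wrapper is markup; the cell value is escaped first.
        String html = "<html><font color=\"red\">" + escapeHtml(text) + "</font></html>";
        return super.getTableCellRendererComponent(table, html, isSelected, hasFocus, row, column);
    }
}
```

Installing the renderer only on the columns that need styling leaves HTML rendering disabled for every other cell in the table.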
