Hi Jacques,
I am getting the following exception on 14.12:

{code}
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.html.Sanitizers
    [java] at org.ofbiz.content.content.ContentWorker.renderContentAsText(ContentWorker.java:354) ~[ofbiz-content.jar:?]
    [java] at org.ofbiz.content.content.ContentMapFacade.renderThis(ContentMapFacade.java:343) ~[ofbiz-content.jar:?]
    [java] at org.ofbiz.content.content.ContentMapFacade.toString(ContentMapFacade.java:355) ~[ofbiz-content.jar:?]
    [java] at freemarker.ext.beans.StringModel.getAsString(StringModel.java:61) ~[freemarker-2.3.22.jar:2.3.22]
    [java] at freemarker.core.EvalUtil.modelToString(EvalUtil.java:55) ~[freemarker-2.3.22.jar:2.3.22]
    [java] at freemarker.core.EvalUtil.coerceModelToString(EvalUtil.java:340) ~[freemarker-2.3.22.jar:2.3.22]
{code}

Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com

On Tue, Oct 13, 2015 at 6:15 AM, <[hidden email]> wrote:
> Author: jleroux
> Date: Tue Oct 13 00:45:31 2015
> New Revision: 1708275
>
> URL: http://svn.apache.org/viewvc?rev=1708275&view=rev
> Log:
> "Applied fix from trunk for revision: 1708274 " (handled conflicts on .classpath by hand)
> ------------------------------------------------------------------------
> r1708274 | jleroux | 2015-10-13 02:40:47 +0200 (mar. 13 oct. 2015) | 1 ligne
>
> Fix for ContentWorker at OFBIZ-6669. For that I have added owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property in content.properties with some explanations. The reason I put this property is because the sanitizer does some (safe) changes which might be unwanted in a context where you are "sure" no one can inject/exploit your DB, see the JIRA issue for details. Note that this does not affect the *ContentWrapper.java classes where we use OWASP encoding and not sanitizer. The reason we need the sanitizer here is because we are not only handling content but also HTML code...
> ------------------------------------------------------------------------ > > > Added: > > ofbiz/branches/release14.12/framework/base/lib/owasp-java-html-sanitizer-r239.jar > - copied unchanged from r1708274, > ofbiz/trunk/framework/base/lib/owasp-java-html-sanitizer-r239.jar > Modified: > ofbiz/branches/release14.12/ (props changed) > ofbiz/branches/release14.12/.classpath > ofbiz/branches/release14.12/LICENSE > > ofbiz/branches/release14.12/applications/content/config/content.properties > > ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java > > ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml > > Propchange: ofbiz/branches/release14.12/ > > ------------------------------------------------------------------------------ > --- svn:mergeinfo (original) > +++ svn:mergeinfo Tue Oct 13 00:45:31 2015 
> @@ -8,4 +8,4 @@ > /ofbiz/branches/json-integration-refactoring:1634077-1635900 > /ofbiz/branches/multitenant20100310:921280-927264 > /ofbiz/branches/release13.07:1547657 > > -/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207, > > 
1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065 > 77,1706591,1706694,1707837,1707857 > > 
+/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207, > > 
1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065 > 77,1706591,1706694,1707837,1707857,1708274 > > Modified: ofbiz/branches/release14.12/.classpath > URL: > http://svn.apache.org/viewvc/ofbiz/branches/release14.12/.classpath?rev=1708275&r1=1708274&r2=1708275&view=diff > > ============================================================================== > --- ofbiz/branches/release14.12/.classpath (original) > +++ ofbiz/branches/release14.12/.classpath Tue Oct 13 00:45:31 2015 
> @@ -41,6 +41,7 @@ > <classpathentry kind="lib" > path="framework/base/lib/log4j-api-2.3.jar"/> > <classpathentry kind="lib" path="framework/base/lib/mail-1.5.1.jar"/> > <classpathentry kind="lib" > path="framework/base/lib/nekohtml-1.9.16.jar"/> > + <classpathentry kind="lib" > path="framework/base/lib/owasp-java-html-sanitizer-r239.jar"/> > <classpathentry kind="lib" path="framework/base/lib/esapi-2.1.0.jar"/> > <classpathentry kind="lib" > path="framework/base/lib/resolver-2.9.1.jar"/> > <classpathentry kind="lib" > path="framework/base/lib/serializer-2.9.1.jar"/> > > Modified: ofbiz/branches/release14.12/LICENSE > URL: > http://svn.apache.org/viewvc/ofbiz/branches/release14.12/LICENSE?rev=1708275&r1=1708274&r2=1708275&view=diff > > ============================================================================== > --- ofbiz/branches/release14.12/LICENSE (original) > +++ ofbiz/branches/release14.12/LICENSE Tue Oct 13 00:45:31 2015 > @@ -67,6 +67,7 @@ framework/base/lib/j2eespecs/annotations > framework/base/lib/j2eespecs/el-api-2.2.jar > framework/base/lib/j2eespecs/jsp-api-2.2.jar > framework/base/lib/j2eespecs/servlet-api-3.0.jar > +framework/base/lib/owasp-java-html-sanitizer-r239.jar > framework/base/lib/scripting/bsf-2.4.0.jar > framework/base/lib/scripting/jakarta-oro-2.0.8.jar > framework/base/lib/scripting/groovy-all-2.2.1.jar > > Modified: > ofbiz/branches/release14.12/applications/content/config/content.properties > URL: > http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/config/content.properties?rev=1708275&r1=1708274&r2=1708275&view=diff > > ============================================================================== > --- > ofbiz/branches/release14.12/applications/content/config/content.properties > (original) > +++ > ofbiz/branches/release14.12/applications/content/config/content.properties > Tue Oct 13 00:45:31 2015 
> @@ -35,3 +35,7 @@ content.upload.always.local.file=true > > # content output folder (relative to ofbiz.home) > content.output.path=runtime/output > + > +#Should we sanitize generic content by default (specific contents - > order, party, category, product, configured product, product promo and work > effort - are always encoded) > +# This has a slightly impact on the code rendered, see . True By default! > +content.sanitize=true > > Modified: > ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java > URL: > http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1708275&r1=1708274&r2=1708275&view=diff > > ============================================================================== > --- > ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java > (original) > +++ > ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java > Tue Oct 13 00:45:31 2015 > @@ -54,6 +54,7 @@ import org.ofbiz.entity.condition.Entity > import org.ofbiz.entity.condition.EntityOperator; > import org.ofbiz.entity.util.EntityQuery; > import org.ofbiz.entity.util.EntityUtil; > +import org.ofbiz.entity.util.EntityUtilProperties; > import org.ofbiz.minilang.MiniLangException; > import org.ofbiz.minilang.SimpleMapProcessor; > import org.ofbiz.service.DispatchContext; > @@ -61,6 +62,8 @@ import org.ofbiz.service.GenericServiceE > import org.ofbiz.service.LocalDispatcher; > import org.ofbiz.service.ModelService; > import org.ofbiz.service.ServiceUtil; > +import org.owasp.html.PolicyFactory; > +import org.owasp.html.Sanitizers; > import org.xml.sax.InputSource; > import org.xml.sax.SAXException; 
> > @@ -335,7 +338,23 @@ public class ContentWorker implements or > Locale locale, String mimeTypeId, boolean cache) throws > GeneralException, IOException { > Writer writer = new StringWriter(); > renderContentAsText(dispatcher, delegator, contentId, writer, > templateContext, locale, mimeTypeId, null, null, cache); > - return writer.toString(); > + String rendered = writer.toString(); > + // According to > https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary > + // Normally head should be protected by X-XSS-Protection Response > Header by default > + if > (EntityUtilProperties.propertyValueEqualsIgnoreCase("content.properties", > "content.sanitize", "true", delegator) > + && (rendered.contains("<script>") > + || rendered.contains("<!--") > + || rendered.contains("<div") > + || rendered.contains("<style>") > + || rendered.contains("<span") > + || rendered.contains("<input") > + || rendered.contains("<input") > + || rendered.contains("<iframe") > + || rendered.contains("<a"))) { > + PolicyFactory sanitizer = > Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES); > + rendered = sanitizer.sanitize(rendered); > + } > + return rendered; > } > > public static String renderContentAsText(LocalDispatcher dispatcher, > Delegator delegator, String contentId, Appendable out, > > Modified: > ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml > URL: > http://svn.apache.org/viewvc/ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml?rev=1708275&r1=1708274&r2=1708275&view=diff > > ============================================================================== > --- > ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml > (original) > +++ > ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml > Tue Oct 13 00:45:31 2015 
> @@ -78,7 +78,7 @@ under the License. > <p> > This is a site to demonstrate the CMS capabilities of > OFBiz. Its basic function is the editing of website text > inside a browser. If you want to edit the text you are > reading now, logon to the backend system, select the content component > - click on 'cmssite' in the website list and ten click on the > 'cms' button. There you see on the left hand side the tree of this website. > + click on 'cmssite' in the website list and then click on > the 'cms' button. There you see on the left hand side the tree of this > website. > If you click on 'homepage' then you can edit the content of > this page at the box in the r > </p> > <p> > > > |
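Review bot: the .classpath and LICENSE hunks register only owasp-java-html-sanitizer-r239.jar and nothing about the sanitizer's own runtime dependencies, which matters for the exception reported at the top of this thread. "Could not initialize class org.owasp.html.Sanitizers" is the JVM reporting that the class was located but its static initialiser had already failed, which typically points at a missing or incompatible transitive dependency on the 14.12 runtime classpath rather than at the jar itself being absent. Suggest listing the sanitizer's dependencies next to it in LICENSE and .classpath and checking that they are actually loaded at runtime, not just at compile time.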
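Review bot: the comment on the new content.sanitize property in the content.properties hunk has a dangling reference ("see .") and a grammar slip ("a slightly impact"); it should name the issue the log message cites (OFBIZ-6669) and read "a slight impact on the rendered markup". It would also help operators to state plainly that the switch only guards the generic ContentWorker.renderContentAsText path, so that, as the parenthesis already says, the order, party, category, product, configured product, product promo and work effort content types stay encoded whatever the value is.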
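Review bot: in the ContentWorker.java hunk the chain of rendered.contains(...) checks in front of sanitizer.sanitize(rendered) is a blocklist gate and should be dropped; when content.sanitize is true the policy ought to be applied unconditionally. Visible problems: `rendered.contains("<input")` appears twice; the checks are case-sensitive exact substrings, so `"<script>"` does not match a script tag that carries attributes or upper-case letters, while `"<a"` also fires on harmless elements such as `<abbr>` or `<address>`; and no finite list can anticipate every element the policy would otherwise handle. The composed FORMATTING/BLOCKS/IMAGES/LINKS/STYLES policy leaves permitted markup intact apart from normalisation (for example rel="nofollow" on links), so the pre-check saves a little CPU at the price of a gate that can be missed. The comment that the head "should be protected by X-XSS-Protection" also overstates that header: it only enables a browser-side heuristic filter and is not a server-side control, so head content should go through the same sanitizer rather than be left to the browser.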
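The commit message quoted above draws a line between OWASP encoding (used in the *ContentWrapper classes) and sanitizing (now used in ContentWorker). The following is an added example, not code from the OFBiz project or from anyone in this thread, that puts the two side by side on a constructed piece of CMS content using the same policy composition the commit introduces. It assumes owasp-java-html-sanitizer and its dependencies are on the classpath; the `encodeForHtml` helper is written here for illustration and is not OFBiz's encoder.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class EncodeVsSanitizeDemo {

    // The same policy composition the ContentWorker change in r1708274 uses.
    static final PolicyFactory CONTENT_POLICY = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.IMAGES)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.STYLES);

    // Illustrative HTML entity encoder (not OFBiz's encoder). An encoder turns the
    // whole string into inert text: every tag, legitimate or not, is displayed
    // literally, which is why it is the wrong tool for content that is meant to be HTML.
    static String encodeForHtml(String input) {
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // A sanitizer parses the markup and keeps only what the policy allows, so the
    // legitimate formatting survives while disallowed elements are removed.
    static String sanitizeContent(String input) {
        return CONTENT_POLICY.sanitize(input);
    }

    public static void main(String[] args) {
        // Constructed sample: stored CMS text that legitimately contains markup,
        // followed by an element no CMS author should be able to store.
        String stored = "<p>Welcome to <b>OFBiz</b> CMS. <a href=\"/cms\">Edit this page</a></p>"
                + "<script>doSomethingUnwanted()</script>";

        System.out.println("original:  " + stored);
        System.out.println("encoded:   " + encodeForHtml(stored));
        System.out.println("sanitized: " + sanitizeContent(stored));
    }
}
```

Encoding escapes every angle bracket, so the `<p>`, `<b>` and `<a>` would be shown to the visitor as visible text; the sanitizer keeps them and drops the script element entirely. One visible side effect of `Sanitizers.LINKS` is that it adds `rel="nofollow"` to anchors, which is the kind of "(safe) change" the commit message warns may be unwanted in some deployments, and the reason a `content.sanitize` switch exists at all.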
Hi Deepak
Indeed something is not working in R14.12, I don't see any missing dependencies (it compiles w/o issues), I'll have a look, thanks!

Jacques

On 13/10/2015 13:50, Deepak Dixit wrote:
> Hi Jacques,
>
> I am getting the following exception on 14.12:
> [...]
It's fixed at revision: 1708471
Jacques

On 13/10/2015 17:36, Jacques Le Roux wrote:
> Hi Deepak
>
> Indeed something is not working in R14.12, I don't see any missing dependencies (it compiles w/o issues), I'll have a look, thanks!
> [...]
1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065 >>> 77,1706591,1706694,1707837,1707857,1708274 >>> >>> Modified: ofbiz/branches/release14.12/.classpath >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/.classpath?rev=1708275&r1=1708274&r2=1708275&view=diff >>> >>> ============================================================================== >>> --- ofbiz/branches/release14.12/.classpath (original) >>> +++ ofbiz/branches/release14.12/.classpath Tue Oct 13 00:45:31 2015 
>>> @@ -41,6 +41,7 @@ >>> <classpathentry kind="lib" >>> path="framework/base/lib/log4j-api-2.3.jar"/> >>> <classpathentry kind="lib" path="framework/base/lib/mail-1.5.1.jar"/> >>> <classpathentry kind="lib" >>> path="framework/base/lib/nekohtml-1.9.16.jar"/> >>> + <classpathentry kind="lib" >>> path="framework/base/lib/owasp-java-html-sanitizer-r239.jar"/> >>> <classpathentry kind="lib" path="framework/base/lib/esapi-2.1.0.jar"/> >>> <classpathentry kind="lib" >>> path="framework/base/lib/resolver-2.9.1.jar"/> >>> <classpathentry kind="lib" >>> path="framework/base/lib/serializer-2.9.1.jar"/> >>> >>> Modified: ofbiz/branches/release14.12/LICENSE >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/LICENSE?rev=1708275&r1=1708274&r2=1708275&view=diff >>> >>> ============================================================================== >>> --- ofbiz/branches/release14.12/LICENSE (original) >>> +++ ofbiz/branches/release14.12/LICENSE Tue Oct 13 00:45:31 2015 >>> @@ -67,6 +67,7 @@ framework/base/lib/j2eespecs/annotations >>> framework/base/lib/j2eespecs/el-api-2.2.jar >>> framework/base/lib/j2eespecs/jsp-api-2.2.jar >>> framework/base/lib/j2eespecs/servlet-api-3.0.jar >>> +framework/base/lib/owasp-java-html-sanitizer-r239.jar >>> framework/base/lib/scripting/bsf-2.4.0.jar >>> framework/base/lib/scripting/jakarta-oro-2.0.8.jar >>> framework/base/lib/scripting/groovy-all-2.2.1.jar >>> >>> Modified: >>> ofbiz/branches/release14.12/applications/content/config/content.properties >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/config/content.properties?rev=1708275&r1=1708274&r2=1708275&view=diff >>> >>> ============================================================================== >>> --- >>> ofbiz/branches/release14.12/applications/content/config/content.properties >>> (original) >>> +++ >>> ofbiz/branches/release14.12/applications/content/config/content.properties >>> Tue Oct 13 00:45:31 2015 
>>> @@ -35,3 +35,7 @@ content.upload.always.local.file=true >>> >>> # content output folder (relative to ofbiz.home) >>> content.output.path=runtime/output >>> + >>> +#Should we sanitize generic content by default (specific contents - >>> order, party, category, product, configured product, product promo and work >>> effort - are always encoded) >>> +# This has a slightly impact on the code rendered, see . True By default! >>> +content.sanitize=true >>> >>> Modified: >>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1708275&r1=1708274&r2=1708275&view=diff >>> >>> >>> ============================================================================== >>> --- >>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java >>> (original) >>> +++ >>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java >>> Tue Oct 13 00:45:31 2015 >>> @@ -54,6 +54,7 @@ import org.ofbiz.entity.condition.Entity >>> import org.ofbiz.entity.condition.EntityOperator; >>> import org.ofbiz.entity.util.EntityQuery; >>> import org.ofbiz.entity.util.EntityUtil; >>> +import org.ofbiz.entity.util.EntityUtilProperties; >>> import org.ofbiz.minilang.MiniLangException; >>> import org.ofbiz.minilang.SimpleMapProcessor; >>> import org.ofbiz.service.DispatchContext; >>> @@ -61,6 +62,8 @@ import org.ofbiz.service.GenericServiceE >>> import org.ofbiz.service.LocalDispatcher; >>> import org.ofbiz.service.ModelService; >>> import org.ofbiz.service.ServiceUtil; >>> +import org.owasp.html.PolicyFactory; >>> +import org.owasp.html.Sanitizers; >>> import org.xml.sax.InputSource; >>> import org.xml.sax.SAXException; 
>>> >>> @@ -335,7 +338,23 @@ public class ContentWorker implements or >>> Locale locale, String mimeTypeId, boolean cache) throws >>> GeneralException, IOException { >>> Writer writer = new StringWriter(); >>> renderContentAsText(dispatcher, delegator, contentId, writer, >>> templateContext, locale, mimeTypeId, null, null, cache); >>> - return writer.toString(); >>> + String rendered = writer.toString(); >>> + // According to >>> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary >>> + // Normally head should be protected by X-XSS-Protection Response >>> Header by default >>> + if >>> (EntityUtilProperties.propertyValueEqualsIgnoreCase("content.properties", >>> "content.sanitize", "true", delegator) >>> + && (rendered.contains("<script>") >>> + || rendered.contains("<!--") >>> + || rendered.contains("<div") >>> + || rendered.contains("<style>") >>> + || rendered.contains("<span") >>> + || rendered.contains("<input") >>> + || rendered.contains("<input") >>> + || rendered.contains("<iframe") >>> + || rendered.contains("<a"))) { >>> + PolicyFactory sanitizer = >>> Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES); >>> + rendered = sanitizer.sanitize(rendered); >>> + } >>> + return rendered; >>> } >>> >>> public static String renderContentAsText(LocalDispatcher dispatcher, >>> Delegator delegator, String contentId, Appendable out, >>> >>> Modified: >>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml?rev=1708275&r1=1708274&r2=1708275&view=diff >>> >>> ============================================================================== >>> --- >>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml >>> (original) >>> +++ >>> 
ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml >>> Tue Oct 13 00:45:31 2015 >>> @@ -78,7 +78,7 @@ under the License. >>> <p> >>> This is a site to demonstrate the CMS capabilities of >>> OFBiz. Its basic function is the editing of website text >>> inside a browser. If you want to edit the text you are >>> reading now, logon to the backend system, select the content component >>> - click on 'cmssite' in the website list and ten click on the >>> 'cms' button. There you see on the left hand side the tree of this website. >>> + click on 'cmssite' in the website list and then click on >>> the 'cms' button. There you see on the left hand side the tree of this >>> website. >>> If you click on 'homepage' then you can edit the content of >>> this page at the box in the r >>> </p> >>> <p> >>> >>> >>> > > |
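Review bot: the .classpath hunk (and the matching lib and LICENSE additions) only registers owasp-java-html-sanitizer-r239.jar itself, yet the error reported above on 14.12, "Could not initialize class org.owasp.html.Sanitizers", is the form of NoClassDefFoundError thrown after a class's static initializer has already failed, which usually means a class it depends on is missing at runtime rather than the sanitizer jar being absent. Before merging, check that the sanitizer's own runtime dependencies are on the 14.12 classpath and that the jar is picked up by the OFBiz start-up classloader, not only by the Eclipse .classpath.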
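Review bot: the comment added in the content.properties hunk has an empty reference ("see .") and a grammar slip ("a slightly impact"); point it at the issue named in the log and reword, e.g. `# This has a slight impact on the rendered markup, see OFBIZ-6669. True by default!`. It would also help to state what "sanitize" does for generic content as opposed to the encoding applied to the listed specific contents, so that an administrator who sets content.sanitize=false knows that generic content is then emitted without sanitizing.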
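Review bot: in the ContentWorker.java hunk for renderContentAsText, the substring gate placed in front of the sanitizer is both redundant and unreliable: `rendered.contains("<input")` appears twice, `contains("<script>")` and `contains("<style>")` only match the bare tag (not the same tag written with attributes or in upper case), and any tag not on the list is never checked, so markup that should be sanitized can pass through untouched while innocuous text matched by `"<a"` (which also hits `<abbr>` or `<address>`) is sanitized anyway. The sanitizer policy is already a whitelist, so drop the list and sanitize unconditionally whenever content.sanitize is true. Two smaller points: `PolicyFactory` is immutable and thread-safe, so build `Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)...` once in a `private static final` field instead of on every call, and the comment about X-XSS-Protection overstates that header, which is a best-effort browser filter and not a reason to skip server-side sanitizing of the head section.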
Thanks Jacques.
Thanks & Regards -- Deepak Dixit www.hotwaxsystems.com On Tue, Oct 13, 2015 at 10:58 PM, Jacques Le Roux < [hidden email]> wrote: > It's fixed at revision: 1708471 > > Jacques > > > Le 13/10/2015 17:36, Jacques Le Roux a écrit : > >> Hi Deepak >> >> Indeed something is not working in R14.12, I don't see any missing >> dependencies (it compiles w/o issues), I'll have a look, thanks! >> >> >> Jacques >> >> Le 13/10/2015 13:50, Deepak Dixit a écrit : >> >>> Hi Jacques, >>> >>> I am getting following exception on 14.12: >>> >>> {code} >>> java.lang.NoClassDefFoundError: Could not initialize class >>> org.owasp.html.Sanitizers >>> [java] at >>> >>> org.ofbiz.content.content.ContentWorker.renderContentAsText(ContentWorker.java:354) >>> ~[ofbiz-content.jar:?] >>> [java] at >>> >>> org.ofbiz.content.content.ContentMapFacade.renderThis(ContentMapFacade.java:343) >>> ~[ofbiz-content.jar:?] >>> [java] at >>> >>> org.ofbiz.content.content.ContentMapFacade.toString(ContentMapFacade.java:355) >>> ~[ofbiz-content.jar:?] >>> [java] at >>> freemarker.ext.beans.StringModel.getAsString(StringModel.java:61) >>> ~[freemarker-2.3.22.jar:2.3.22] >>> [java] at freemarker.core.EvalUtil.modelToString(EvalUtil.java:55) >>> ~[freemarker-2.3.22.jar:2.3.22] >>> [java] at >>> freemarker.core.EvalUtil.coerceModelToString(EvalUtil.java:340) >>> ~[freemarker-2.3.22.jar:2.3.22] >>> >>> {code} >>> >>> Thanks & Regards >>> -- >>> Deepak Dixit >>> www.hotwaxsystems.com >>> >>> On Tue, Oct 13, 2015 at 6:15 AM, <[hidden email]> wrote: >>> >>> Author: jleroux >>>> Date: Tue Oct 13 00:45:31 2015 >>>> New Revision: 1708275 >>>> >>>> URL: http://svn.apache.org/viewvc?rev=1708275&view=rev >>>> Log: >>>> "Applied fix from trunk for revision: 1708274 " (handled conflicts on >>>> .classpath by hand) >>>> ------------------------------------------------------------------------ >>>> r1708274 | jleroux | 2015-10-13 02:40:47 +0200 (mar. 13 oct. 2015) | 1 >>>> ligne >>>> >>>> Fix for ContentWorker at OFBIZ-6669. 