Re: svn commit: r1859877 - in /ofbiz/ofbiz-framework/trunk: applications/accounting/servicedef/ applications/content/servicedef/ applications/marketing/servicedef/ applications/order/servicedef/ applications/party/servicedef/ applications/product/servicede...

> Author: jleroux
> Date: Fri May 24 13:47:08 2019
> New Revision: 1859877
>
> URL: http://svn.apache.org/viewvc?rev=1859877&view=rev
> Log:
> Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe"
> (OFBIZ-5254)
>
> This was reopened after discussion at
> https://markmail.org/message/jnaitmwahjcjmdn5
>
> This is a new solution which follows the work done with and OFBIZ-10187
> Roughly said, it uses org.owasp.html.PolicyFactory and org.owasp.html.Sanitizers
>
> Thanks: Christoph Neuroth for report

> Hello Jacques,
>
> [hidden email] writes:
>
>> Author: jleroux
>> Date: Fri May 24 13:47:08 2019
>> New Revision: 1859877
>>
>> URL: http://svn.apache.org/viewvc?rev=1859877&view=rev
>> Log:
>> Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe"
>> (OFBIZ-5254)
>>
>> This was reopened after discussion at
>> https://markmail.org/message/jnaitmwahjcjmdn5
>>
>> This is a new solution which follows the work done with and OFBIZ-10187
>> Roughly said, it uses org.owasp.html.PolicyFactory and org.owasp.html.Sanitizers
>>
>> Thanks: Christoph Neuroth for report
> This commit breaks the “custrequesttests” test suite with a vanilla
> framework after ‘loadAll’. If the issue can not be solved tomorrow
> please revert.
>
> Thanks.
>

> Le 25/05/2019 à 08:54, Jacques Le Roux a écrit :
>> You mean when ran isolated, right?
>
> OK, got it, it's a framework only issue
>
> https://ci.apache.org/projects/ofbiz/logs/trunk/framework/html/
>
> Looking at it...
>
> Jacques

> Le 25/05/2019 à 09:07, Jacques Le Roux a écrit :
>> Le 25/05/2019 à 08:54, Jacques Le Roux a écrit :
>>> You mean when ran isolated, right?
>>
>> OK, got it, it's a framework only issue
>>
>> https://ci.apache.org/projects/ofbiz/logs/trunk/framework/html/
>>
>> Looking at it...
>>
>> Jacques
>
> This is due to the simple quote in
>
> subject="OFBiz - Your Request is received: '${custRequestName}' #CR${custRequestId}"/>
>
> in OrderTypeData.xml
>
> I have yet not idea why the CustomSafePolicy class (based on Slashdot policy) rejects it, seems weird to me.
>
> It's also (even more) weird that when the plugins data are loaded the issue does not exist

> Hello,
>
> Jacques Le Roux <[hidden email]> writes:
>
>> Le 25/05/2019 à 09:07, Jacques Le Roux a écrit :
>>> Le 25/05/2019 à 08:54, Jacques Le Roux a écrit :
>>>> You mean when ran isolated, right?
>>> OK, got it, it's a framework only issue
>>>
>>> https://ci.apache.org/projects/ofbiz/logs/trunk/framework/html/
>>>
>>> Looking at it...
>>>
>>> Jacques
>> This is due to the simple quote in
>>
>> subject="OFBiz - Your Request is received: '${custRequestName}' #CR${custRequestId}"/>
>>
>> in OrderTypeData.xml
>>
>> I have yet not idea why the CustomSafePolicy class (based on Slashdot policy) rejects it, seems weird to me.
>>
>> It's also (even more) weird that when the plugins data are loaded the issue does not exist
> Indeed this is weird, thanks for investigating!