html validation errors


html validation errors

SkipDever
I am getting validation errors on System.err that look like this:

Oct 21, 2013 9:25:57 AM AppNameNotSpecified IntrusionDetector
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid HTML input:
context=content, errors=[The <b>html</b> tag has been filtered for  security
reasons.
The contents of the tag will remain in place., The <b>head</b> tag has been
filtered for security reasons. The contents of the tag will remain in
place., The <b>meta</b> tag has been filtered for security reasons. The
contents of the tag will remain in place., The <b>title</b> tag has been
filtered for security reasons. The contents of the tag will remain in
place., The <b>style</b> tag has been filtered for security reasons. The
contents of the tag will remain in place., The <b>body</b> tag has been
filtered for security reasons. The contents of the tag
 will remain in place., The <b>h1</b> tag has been filtered for security
reasons. The contents of the tag will remain in place., The <b>h1</b> tag
has been filtered for security reasons. The contents of the tag will remain
in place.]

I would like to track down where this is coming from, but there is no
information in the logs.

Can anyone provide a clue?

Skip
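
The warning already carries one lead: ESAPI logs the `context` label that the caller passed to `getValidSafeHTML`, followed by every tag it filtered. The script below is an added example, not code from this thread or from OFBiz. It re-joins the hard-wrapped records and counts filtered tags per context; the sample log is constructed from the record above, and the second record with its context name `description` is invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: java.util.logging header line, then a hard-wrapped message.
# The second record and its context name "description" are invented.
SAMPLE_LOG = """\
Oct 21, 2013 9:25:57 AM AppNameNotSpecified IntrusionDetector
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid HTML input:
context=content, errors=[The <b>html</b> tag has been filtered for  security
reasons.
The contents of the tag will remain in place., The <b>h1</b> tag has been
filtered for security reasons. The contents of the tag will remain in
place., The <b>h1</b> tag has been filtered for security reasons. The
contents of the tag will remain in place.]
Oct 21, 2013 9:31:02 AM AppNameNotSpecified IntrusionDetector
WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid HTML input:
context=description, errors=[The <b>style</b> tag has been filtered for
security reasons. The contents of the tag will remain in place.]
"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ (\S+)$")
EVENT = re.compile(r"SECURITY-FAILURE (\S+) -- Invalid HTML input: "
                   r"context=(\S+?), errors=\[(.*)\]")
TAG = re.compile(r"The <b>([^<]+)</b> tag has been filtered")

def parse_events(text):
    """Re-join each wrapped record and pull out time, user, context and tags."""
    records = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            records.append({"time": head.group(1), "module": head.group(2), "body": []})
        elif records:
            records[-1]["body"].append(line.strip())
    events = []
    for rec in records:
        body = re.sub(r"\s+", " ", " ".join(rec["body"]))
        hit = EVENT.search(body)
        if rec["module"] == "IntrusionDetector" and hit:
            events.append({"time": rec["time"], "user": hit.group(1),
                           "context": hit.group(2), "tags": TAG.findall(hit.group(3))})
    return events

def tags_by_context(events):
    """Count filtered tags per validator context (the label the caller supplied)."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["context"]].update(ev["tags"])
    return {ctx: dict(counts) for ctx, counts in summary.items()}
```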


Re: html validation errors

Adrian Crum-3
Most likely that is coming from OWASP/ESAPI.

Adrian Crum
Sandglass Software
www.sandglass-software.com


RE: html validation errors

SkipDever
That was obvious to me because of a line I left out of the error message:

ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidSafeHTML(null:-1)

However, that puts me no closer to understanding where it is coming from
originally.  This function is called originally in ModelService.validate
and there is a line of code there that sez something like
if(errorMessageList.size() > 0) throw ...

There are no exceptions in the log and no user has reported one.  I am just
seeing this on the console screen.

So, how do I find out which service is causing this?

Skip


Re: html validation errors

Ruth Hoffman-2
Hi Skip:
For what it is worth, I had the same issue and I couldn't for the life
of me figure out why I was seeing these messages. I also would be
interested in knowing where (and why) this message is being thrown since
if you read the message content, there doesn't seem to be anything
"invalid" about the HTML.

FYI - To get rid of this annoying message, I ended up setting the
ESAPI.properties file entry:

LogLevel=ERROR

So at least the error messages were not being displayed.

Hope that helps.
Ruth Hoffman


Re: html validation errors

Pierre Smits
Hi Ruth,

Thanks for giving the heads-up regarding the loglevel in the
esapi.properties file.

Regards,

Pierre Smits

*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade
http://www.orrtiz.com



Re: html validation errors

Jacques Le Roux
Administrator
This should answer your question and interest you: https://issues.apache.org/jira/browse/OFBIZ-5254 (for patient persons only)

Now I will have to investigate why ESAPI in safe mode is throwing warnings.
It's certainly related to the codecs (HTMLEntityCodec and PercentCodec) we set (white list strategy), but I still don't understand why the warnings then speak about html tags not being safe. I have to dig into codecs...

Jacques
