[
https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17359183#comment-17359183 ]
Jacques Le Roux commented on OFBIZ-12249:
-----------------------------------------
Hi Wang,
It was much fun to work on that :)
[^OFBIZ-12249.patch] is my best answer:
!Image 006.png!
I'm not sure my solution is complete. On the other hand, as I said:
bq. Ah, forgot to say that using html="safe" for is not a solution in case of textarea. I tried with internalNote in createWorkEffortNote and updateWorkEffortNote services.
So to answer to your point:
bq. If we do output encoding completely, any text can be accepted, so my point is that we should accept any text user submitted for free-form text input widgets, and encode that properly before html rendering.
this is what UtilCodec::checkStringForHtmlSafe does. It's obviously incomplete to treat special chars in URLs. I guess I could rather add the change in [^OFBIZ-12249.patch] in UtilCodec::checkStringForHtmlSafe. But I prefer to have them even when no safety is required. You might want to have a look at owasp.properties and create your own policy...
For now, if it's OK with you, I suggest that we push these changes in the meantime.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
