[ofbiz-framework] branch release17.12 updated: Fixed: Getting policy error while editing html text data using cms (OFBIZ-11265)


[ofbiz-framework] branch release17.12 updated: Fixed: Getting policy error while editing html text data using cms (OFBIZ-11265)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 6c3f5ad  Fixed: Getting policy error while editing html text data using cms (OFBIZ-11265)
6c3f5ad is described below

commit 6c3f5ad3f5b3539051523e0739968b5930ee1468
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Thu Nov 7 15:46:05 2019 +0100

    Fixed: Getting policy error while editing html text data using cms
    (OFBIZ-11265)
   
    Service parameters with allow-html="safe" do not check whether the OWASP sanitizer
    flag is enabled and always perform sanitization, which causes a policy error while
    editing text data
   
    getting following exception error:
    "In field [textData] by our input policy, your input has not been accepted for
    security reason. Please check and modify accordingly, thanks."
   
    Thanks: Pradeep Choudhary for report and suggestion
    (cherry picked from commit 8aea160e04c5d53bebd0371df044af5886f97c8e)
---
 applications/content/servicedef/services_content.xml                 | 2 +-
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java     | 5 ++++-
 .../src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java     | 2 +-
 .../service/src/main/java/org/apache/ofbiz/service/ModelService.java | 5 ++++-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/applications/content/servicedef/services_content.xml b/applications/content/servicedef/services_content.xml
index 75dbad1..528c585 100644
--- a/applications/content/servicedef/services_content.xml
+++ b/applications/content/servicedef/services_content.xml
@@ -148,7 +148,7 @@
 
     <service name="updateTextContent" engine="group" auth="true">
         <description>Updates a Text Document DataResource and Content Records</description>
-        <!-- uses updateContent internally; additonal permission(s) not necessary -->
+        <!-- uses updateContent internally; additional permission(s) not necessary -->
         <group>
             <invoke name="updateDataText" result-to-context="true"/>
             <invoke name="updateContent" result-to-context="true"/>
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index 2ded380..a65237c 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -434,7 +434,10 @@ public class UtilCodec {
      * @param locale
      */
     public static String checkStringForHtmlSafe(String valueName, String value, List<String> errorMessageList,
-            Locale locale) {
+            Locale locale, boolean enableSanitizer) {
+        if (!enableSanitizer) {
+            return value;
+        }
         PolicyFactory policy = null;
         try {
             Class<?> customPolicyClass = null;
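Review bot: The new `enableSanitizer` parameter has no Javadoc entry; the method's doc comment ends just above with `@param locale` as the last tag, so a reader of the signature cannot tell that `false` skips the policy entirely. Add `@param enableSanitizer when false the value is returned unchanged: no policy is applied and no message is added to errorMessageList`, since the early return at the top of the body is what callers need to know about. The commit also removes the four-argument signature instead of keeping it; any caller outside the two updated in this commit would now fail to compile, and a delegating overload `return checkStringForHtmlSafe(valueName, value, errorMessageList, locale, true);` would keep them working with the previous (sanitizing) behaviour. The Javadoc starts before this hunk and the method body continues past it.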
diff --git a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
index 4eea54f..27164b9 100644
--- a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
+++ b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
@@ -88,7 +88,7 @@ public class UtilCodecTests {
     public void testCheckStringForHtmlSafe() {
         String xssVector = "<script>alert('XSS vector');</script>";
         List<String> errorList = new ArrayList<>();
-        String canonicalizedXssVector = UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList, new Locale("test"));
+        String canonicalizedXssVector = UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList,new Locale("test"), true);
         assertEquals("<script>alert('XSS vector');</script>", canonicalizedXssVector);
         assertEquals(1, errorList.size());
         assertEquals("In field [fieldName] by our input policy, your input has not been accepted for security reason. "
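Review bot: Only the `true` path is exercised; the new `enableSanitizer == false` branch, which is the behaviour the commit introduces, has no test, so a later change that accidentally sanitizes anyway (or starts adding error messages) would go unnoticed. A sibling test method, annotated like testCheckStringForHtmlSafe, should pass `false` and assert that the input comes back byte-identical and that errorList stays empty. As a style point, the updated call is missing a space after the comma in `errorList,new Locale("test")`. The body of testCheckStringForHtmlSafe continues past the hunk.
```java
    public void testCheckStringForHtmlSafeDisabled() {
        String xssVector = "<script>alert('XSS vector');</script>";
        List<String> errorList = new ArrayList<>();
        String result = UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList, new Locale("test"), false);
        assertEquals(xssVector, result);
        assertEquals(0, errorList.size());
    }
```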
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java b/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
index c1a77ef..dff4a04 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
@@ -68,6 +68,7 @@ import org.apache.ofbiz.base.util.UtilCodec;
 import org.apache.ofbiz.base.util.UtilMisc;
 import org.apache.ofbiz.base.util.UtilProperties;
 import org.apache.ofbiz.base.util.UtilValidate;
+import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.ofbiz.service.group.GroupModel;
 import org.apache.ofbiz.service.group.GroupServiceModel;
 import org.apache.ofbiz.service.group.ServiceGroupReader;
@@ -611,7 +612,9 @@ public class ModelService extends AbstractMap<String, Object> implements Seriali
                     if ("none".equals(modelParam.allowHtml)) {
                         UtilCodec.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList, (Locale) context.get("locale"));
                     } else if ("safe".equals(modelParam.allowHtml)) {
-                        UtilCodec.checkStringForHtmlSafe(modelParam.name, value, errorMessageList, (Locale) context.get("locale"));
+                        UtilCodec.checkStringForHtmlSafe(modelParam.name, value, errorMessageList,
+                                (Locale) context.get("locale"),
+                                EntityUtilProperties.getPropertyAsBoolean("owasp", "sanitizer.enable", true));
                     }
                 }
             }
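Review bot: The `owasp` / `sanitizer.enable` property is looked up inside the per-parameter branch, so it is re-read for every `allow-html="safe"` parameter of every service call; reading it once before the loop into a local, `boolean sanitizerEnabled = EntityUtilProperties.getPropertyAsBoolean("owasp", "sanitizer.enable", true);`, and passing that keeps the check cheap and the value consistent across one invocation. The default of `true` is the right fail-safe choice when the property is absent. Note that with the flag set to false the `"safe"` branch performs no check at all, which is the same as having no allow-html restriction; because that is a global, silent downgrade, a one-time warning in the log when the property resolves to false (Debug.logWarning, presumably already imported in this class) would make it visible to operators. The enclosing method starts and ends outside this hunk.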