[ofbiz-framework] branch release17.12 updated: Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch release17.12 updated: Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 540f5c8  Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)
540f5c8 is described below

commit 540f5c80cd07c470712d8081a827e30a1c520554
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Dec 19 17:59:02 2020 +0100

    Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)
   
    Prevents issues with integration tests
   
    Conflicts handled by hand:
    framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
---
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index aa5f762..1aabe28 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -452,8 +452,8 @@ public class UtilCodec {
         }
 
         if (value != null) {
-            String filtered = StringEscapeUtils.unescapeEcmaScript(policy.sanitize(value));
-            if (filtered != null && !value.equals(StringEscapeUtils.unescapeHtml4(filtered))) {
+            String filtered = policy.sanitize(value);
+            if (filtered != null && !value.equals(StringEscapeUtils.unescapeEcmaScript(StringEscapeUtils.unescapeHtml4(filtered)))) {
                 String issueMsg = null;
                 if (locale.equals(new Locale("test"))) {
                     issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "