This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 1c27d21 Fixed: Getting policy error while editing html text data using cms (OFBIZ-11265) 1c27d21 is described below commit 1c27d212604d2bcbab026c1e68de68cd74002193 Author: Jacques Le Roux <[hidden email]> AuthorDate: Thu Nov 7 15:46:05 2019 +0100 Fixed: Getting policy error while editing html text data using cms (OFBIZ-11265) Service parameter with allow-html="safe" does not check the OWASP sanitizer flag ie. enabled or not and perform sanitization which causing policy error while editing text data getting following exception error: "In field [textData] by our input policy, your input has not been accepted for security reason. Please check and modify accordingly, thanks." Thanks: Pradeep Choudhary for report and suggestion (cherry picked from commit 8aea160e04c5d53bebd0371df044af5886f97c8e)
---
applications/content/servicedef/services_content.xml | 2 +-
.../base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java | 5 ++++-
.../src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java | 2 +-
.../service/src/main/java/org/apache/ofbiz/service/ModelService.java | 5 ++++-
4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/applications/content/servicedef/services_content.xml b/applications/content/servicedef/services_content.xml
index d38165b..237cd1c 100644
--- a/applications/content/servicedef/services_content.xml
+++ b/applications/content/servicedef/services_content.xml
@@ -138,7 +138,7 @@
 <service name="updateTextContent" engine="group" auth="true">
 <description>Updates a Text Document DataResource and Content Records</description>
- <!-- uses updateContent internally; additonal permission(s) not necessary -->
+ <!-- uses updateContent internally; additional permission(s) not necessary -->
 <group>
 <invoke name="updateDataText" result-to-context="true"/>
 <invoke name="updateContent" result-to-context="true"/>
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index 64e8329..0702bb8 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -439,7 +439,10 @@ public class UtilCodec {
 * @param locale
 */
 public static String checkStringForHtmlSafe(String valueName, String value, List<String> errorMessageList,
- Locale locale) {
+ Locale locale, boolean enableSanitizer) {
+ if (!enableSanitizer) {
+ return value;
+ }
 PolicyFactory policy = null;
 try {
 Class<?> customPolicyClass = null;
diff --git a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
index 4eea54f..27164b9 100644
--- a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
+++ b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
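Review bot: The new `enableSanitizer` parameter of checkStringForHtmlSafe is undocumented — the Javadoc ending at `* @param locale` / `*/` gains no entry for it — and the early `return value;` placed before `PolicyFactory policy = null;` means a `false` flag skips the policy check entirely, not only the rewriting, and adds nothing to errorMessageList, so an `allow-html="safe"` declaration becomes plain pass-through. Add `* @param enableSanitizer when false the value is returned unchanged, with no sanitization and no policy error recorded` to the Javadoc so callers see that the flag removes the control rather than relaxing it. Because this branch is where a single global switch disables an input-policy check, a verbose-level log line on the bypass would make a disabled sanitizer visible in the logs. The method body continues outside the hunk.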
@@ -88,7 +88,7 @@ public class UtilCodecTests {
 public void testCheckStringForHtmlSafe() {
 String xssVector = "<script>alert('XSS vector');</script>";
 List<String> errorList = new ArrayList<>();
- String canonicalizedXssVector = UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList, new Locale("test"));
+ String canonicalizedXssVector = UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList,new Locale("test"), true);
 assertEquals("<script>alert('XSS vector');</script>", canonicalizedXssVector);
 assertEquals(1, errorList.size());
 assertEquals("In field [fieldName] by our input policy, your input has not been accepted for security reason. "
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java b/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
index 26e326f..d932bb2 100644
--- a/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
@@ -68,6 +68,7 @@ import org.apache.ofbiz.base.util.UtilCodec;
 import org.apache.ofbiz.base.util.UtilMisc;
 import org.apache.ofbiz.base.util.UtilProperties;
 import org.apache.ofbiz.base.util.UtilValidate;
+import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.ofbiz.service.group.GroupModel;
 import org.apache.ofbiz.service.group.GroupServiceModel;
 import org.apache.ofbiz.service.group.ServiceGroupReader;
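Review bot: The updated call in testCheckStringForHtmlSafe only exercises `enableSanitizer == true`; the new bypass branch has no coverage, so a regression that inverted the flag or still recorded a policy error would go unnoticed. After the existing assertions, add `errorList.clear();`, `assertEquals(xssVector, UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList, new Locale("test"), false));` and `assertEquals(0, errorList.size());` to pin that a disabled sanitizer returns the input unchanged and reports nothing. The changed line also lost the space in `errorList,new Locale("test")`. testCheckStringForHtmlSafe continues past the end of the hunk.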
@@ -611,7 +612,9 @@ public class ModelService extends AbstractMap<String, Object> implements Seriali
 if ("none".equals(modelParam.allowHtml)) {
 UtilCodec.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList, (Locale) context.get("locale"));
 } else if ("safe".equals(modelParam.allowHtml)) {
- UtilCodec.checkStringForHtmlSafe(modelParam.name, value, errorMessageList, (Locale) context.get("locale"));
+ UtilCodec.checkStringForHtmlSafe(modelParam.name, value, errorMessageList,
+ (Locale) context.get("locale"),
+ EntityUtilProperties.getPropertyAsBoolean("owasp", "sanitizer.enable", true));
 }
 }
 }
|
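Review bot: The added `EntityUtilProperties.getPropertyAsBoolean("owasp", "sanitizer.enable", true)` turns a single configuration value into a global off-switch for every `allow-html="safe"` parameter, and nothing at the call site says so; a reader sees only that a boolean is passed through. Put `// owasp.properties sanitizer.enable=false disables the "safe" policy check entirely: the value is accepted verbatim` above the call so the consequence is explicit where the decision is made. The lookup is also repeated for each validated parameter — the closing braces suggest this sits inside a per-parameter loop, and without a delegator argument it appears to read the properties file only, so a SystemProperty override would presumably not apply (worth confirming); reading the flag once before the loop would avoid the repeated lookup. The enclosing method and loop start and end outside the hunk.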