This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 8aea160 Fixed: Getting policy error while editing html text data using cms (OFBIZ-11265)
8aea160 is described below
commit 8aea160e04c5d53bebd0371df044af5886f97c8e
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Thu Nov 7 15:46:05 2019 +0100
Fixed: Getting policy error while editing html text data using cms (OFBIZ-11265)
Service parameter with allow-html="safe" does not check the OWASP sanitizer flag ie. enabled or not and perform sanitization which causing policy error while editing text data getting following exception error: "In field [textData] by our input policy, your input has not been accepted for security reason. Please check and modify accordingly, thanks."
Thanks: Pradeep Choudhary for report and suggestion
---
 applications/content/servicedef/services_content.xml | 2 +-
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java | 5 ++++-
 .../src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java | 3 +--
 .../service/src/main/java/org/apache/ofbiz/service/ModelService.java | 5 ++++-
 4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/applications/content/servicedef/services_content.xml b/applications/content/servicedef/services_content.xml
index d38165b..237cd1c 100644
--- a/applications/content/servicedef/services_content.xml
+++ b/applications/content/servicedef/services_content.xml
@@ -138,7 +138,7 @@

 <service name="updateTextContent" engine="group" auth="true">
 <description>Updates a Text Document DataResource and Content Records</description>
- <!-- uses updateContent internally; additonal permission(s) not necessary -->
+ <!-- uses updateContent internally; additional permission(s) not necessary -->
 <group>
 <invoke name="updateDataText" result-to-context="true"/>
 <invoke name="updateContent" result-to-context="true"/>
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index ceee496..7e57fce 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -459,7 +459,10 @@ public class UtilCodec {
 * @param locale
 */
 public static String checkStringForHtmlSafe(String valueName, String value, List<String> errorMessageList,
- Locale locale) {
+ Locale locale, boolean enableSanitizer) {
+ if (!enableSanitizer) {
+ return value;
+ }
 PolicyFactory policy = null;
 try {
 Class<?> customPolicyClass = null;
diff --git a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
index 3f95014..06c366d 100644
--- a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
+++ b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
@@ -99,8 +99,7 @@ public class UtilCodecTests {
 public void testCheckStringForHtmlSafe() {
 String xssVector = "<script>alert('XSS vector');</script>";
 List<String> errorList = new ArrayList<>();
- String canonicalizedXssVector = UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList,
- new Locale("test"));
+ String canonicalizedXssVector = UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList,new Locale("test"), true);
 assertEquals("<script>alert('XSS vector');</script>", canonicalizedXssVector);
 assertEquals(1, errorList.size());
 assertEquals("In field [fieldName] by our input policy, your input has not been accepted for security reason. "
diff --git a/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java b/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
index 4c306b5..b44c07f 100644
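Review bot: The new `enableSanitizer` parameter is undocumented — the Javadoc visible in the hunk stops at `@param locale` — and the early return on `!enableSanitizer` hands the caller's input back with no policy check and no error message, which is exactly the behavior a caller needs to know about. Add `@param enableSanitizer when false the value is returned unchanged; no sanitization is performed and errorMessageList is not touched` above the signature. Because the commit also drops the four-argument form, any caller outside the three files in this diff would stop compiling; a delegating overload `public static String checkStringForHtmlSafe(String valueName, String value, List<String> errorMessageList, Locale locale) { return checkStringForHtmlSafe(valueName, value, errorMessageList, locale, true); }` keeps source compatibility with the safe default. checkStringForHtmlSafe's body continues past the end of the hunk.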
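Review bot: The updated test only exercises `enableSanitizer = true`, so the newly added bypass branch that returns the value untouched has no coverage at all. A second case in the same style, `List<String> noErrors = new ArrayList<>(); assertEquals(xssVector, UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, noErrors, new Locale("test"), false)); assertEquals(0, noErrors.size());`, would pin that the disabled path neither rewrites the input nor reports an error. The rewritten call also lost the space after `errorList,`; `errorList, new Locale("test"), true` matches the surrounding formatting. testCheckStringForHtmlSafe continues past the end of the hunk.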
--- a/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
+++ b/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java
@@ -69,6 +69,7 @@ import org.apache.ofbiz.base.util.UtilCodec;
 import org.apache.ofbiz.base.util.UtilMisc;
 import org.apache.ofbiz.base.util.UtilProperties;
 import org.apache.ofbiz.base.util.UtilValidate;
+import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.ofbiz.service.group.GroupModel;
 import org.apache.ofbiz.service.group.GroupServiceModel;
 import org.apache.ofbiz.service.group.ServiceGroupReader;
@@ -613,7 +614,9 @@ public class ModelService extends AbstractMap<String, Object> implements Seriali
 if ("none".equals(modelParam.allowHtml)) {
 UtilCodec.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList, (Locale) context.get("locale"));
 } else if ("safe".equals(modelParam.allowHtml)) {
- UtilCodec.checkStringForHtmlSafe(modelParam.name, value, errorMessageList, (Locale) context.get("locale"));
+ UtilCodec.checkStringForHtmlSafe(modelParam.name, value, errorMessageList,
+ (Locale) context.get("locale"),
+ EntityUtilProperties.getPropertyAsBoolean("owasp", "sanitizer.enable", true));
 }
 }
 } |
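Review bot: `EntityUtilProperties.getPropertyAsBoolean("owasp", "sanitizer.enable", true)` is evaluated at the point of each `allow-html="safe"` check, so if this code sits inside the per-parameter validation loop (its header is outside the hunk) the property is looked up again for every such parameter of every service call; reading it once into a local before the loop, `boolean sanitizerEnabled = EntityUtilProperties.getPropertyAsBoolean("owasp", "sanitizer.enable", true);`, is cheaper and easier to read. More importantly, when the flag is false a `safe` parameter is now accepted verbatim, which turns `allow-html="safe"` into no restriction at all for every service in the framework, not only for the CMS text editor that motivated the change; a comment at the call site stating that consequence, and a warning log when the flag is found disabled, would make the trade-off visible to operators reading their configuration. The `none` branch two lines above is left untouched by the flag, which looks intended but is worth stating in the same comment.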