OFBiz › OFBiz - Commits

svn commit: r1720100 - /ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

jleroux@apache.org

svn commit: r1720100 - /ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java

Author: jleroux
Date: Tue Dec 15 09:30:30 2015
New Revision: 1720100

URL: http://svn.apache.org/viewvc?rev=1720100&view=rev
Log:
A patch from Supachai Chaima-ngua for <<The renderContentAsText method should configure text sanitizer by "sanitizer.permissive.policy" in owasp.properties.>> https://issues.apache.org/jira/browse/OFBIZ-6769

An error is displayed on Accounting reports for Cash transactions:The renderContentAsText method should configure text sanitizer by "sanitizer.permissive.policy" in owasp.properties. If electronic text contains javascript, the renderContentAsText method will remove some content.

jleroux: of course you would allow script in your permissive policy at your own risk...

Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java

Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1720100&r1=1720099&r2=1720100&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java (original)
+++ ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java Tue Dec 15 09:30:30 2015
@@ -39,6 +39,7 @@ import org.ofbiz.base.util.UtilCodec;
import org.ofbiz.base.util.UtilDateTime;
import org.ofbiz.base.util.UtilGenerics;
import org.ofbiz.base.util.UtilMisc;
+import org.ofbiz.base.util.UtilProperties;
import org.ofbiz.base.util.UtilValidate;
import org.ofbiz.base.util.string.FlexibleStringExpander;
import org.ofbiz.content.ContentManagementWorker;
@@ -337,7 +338,7 @@ public class ContentWorker implements or
renderContentAsText(dispatcher, delegator, contentId, writer, templateContext, locale, mimeTypeId, null, null, cache);
String rendered = writer.toString();
// According to https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
- // Normally head should be protected by X-XSS-Protection Response Header by default
+ // Normally head should be protected by X-XSS-Protection Response Header by default (not Firefox)
if ((rendered.contains("<script>")
|| rendered.contains("<!--")
|| rendered.contains("<div")
@@ -346,7 +347,8 @@ public class ContentWorker implements or
|| rendered.contains("<input")
|| rendered.contains("<input")
|| rendered.contains("<iframe")
- || rendered.contains("<a"))) {
+ || rendered.contains("<a"))
+ && !UtilProperties.getPropertyAsBoolean("owasp", "sanitizer.permissive.policy", false)) {
rendered = encoder.sanitize(rendered);
}
return rendered;