svn commit: r1720147 - /ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java


svn commit: r1720147 - /ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java

jleroux@apache.org
Author: jleroux
Date: Tue Dec 15 12:45:25 2015
New Revision: 1720147

URL: http://svn.apache.org/viewvc?rev=1720147&view=rev
Log:
Reverts r1720100 as explained at OFBIZ-6769

Modified:
    ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java

Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1720147&r1=1720146&r2=1720147&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java (original)
+++ ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java Tue Dec 15 12:45:25 2015
@@ -39,7 +39,6 @@ import org.ofbiz.base.util.UtilCodec;
 import org.ofbiz.base.util.UtilDateTime;
 import org.ofbiz.base.util.UtilGenerics;
 import org.ofbiz.base.util.UtilMisc;
-import org.ofbiz.base.util.UtilProperties;
 import org.ofbiz.base.util.UtilValidate;
 import org.ofbiz.base.util.string.FlexibleStringExpander;
 import org.ofbiz.content.ContentManagementWorker;
@@ -338,7 +337,7 @@ public class ContentWorker implements or
         renderContentAsText(dispatcher, delegator, contentId, writer, templateContext, locale, mimeTypeId, null, null, cache);
         String rendered = writer.toString();
         // According to https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
-        // Normally head should be protected by X-XSS-Protection Response Header by default (not Firefox)
+        // Normally head should be protected by X-XSS-Protection Response Header by default
         if ((rendered.contains("<script>")
                 || rendered.contains("<!--")
                 || rendered.contains("<div")
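Review bot: The sanitizer is gated by a case-sensitive, fixed-substring deny-list (`rendered.contains("<script>")`, `"<!--"`, `"<div"` …), and that gate is the weak part of the code the revert leaves behind; a gate of this kind has to be kept complete by hand, and the continuation in the `@@ -347` hunk already lists `rendered.contains("<input")` twice, which suggests it is not being maintained. Assuming `encoder.sanitize` returns already-clean content unchanged (the `encoder` field is defined outside both hunks, so I cannot confirm this here), the robust form is to drop the whole `if` condition and always run `rendered = encoder.sanitize(rendered);` before `return rendered;`. If the pre-check is kept for performance, it should at least compare against a lower-cased copy of `rendered` and lose the duplicate entry. The enclosing method begins before this hunk and its closing brace is past the end of the next one.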
@@ -347,8 +346,7 @@ public class ContentWorker implements or
                 || rendered.contains("<input")
                 || rendered.contains("<input")
                 || rendered.contains("<iframe")
-                || rendered.contains("<a"))
-                && !UtilProperties.getPropertyAsBoolean("owasp", "sanitizer.permissive.policy", false)) {
+                || rendered.contains("<a"))) {
             rendered = encoder.sanitize(rendered);
         }
         return rendered;