svn commit: r1859871 - /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java

jleroux@apache.org
Author: jleroux
Date: Fri May 24 13:24:31 2019
New Revision: 1859871

URL: http://svn.apache.org/viewvc?rev=1859871&view=rev
Log:
Fixed: OWASP sanitizer breaks proper rendering of HTML code
(OFBIZ-10187)

After a discussion with Dennis, I checked and the pattern ONSITE_URL would be
useless without

.allowAttributes("background").matching(ONSITE_URL)
.onElements("table")
.allowAttributes("background").matching(ONSITE_URL)
.onElements("td", "th", "tr")

So here they are

Thanks: Dennis Balkir for discussion

Modified:
    ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java

Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java?rev=1859871&r1=1859870&r2=1859871&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java Fri May 24 13:24:31 2019
@@ -17,7 +17,7 @@ import com.google.common.base.Predicate;
  * has been subject to a few complex XSS attacks. Listings are allowed to
  * contain much more rich content than, say, Slashdot- so it's attack surface is
  * considerably larger. The following tags appear to be accepted by eBay (they
- * don't publish rules): {@code <a>},... </blockquote>
+ * don't publish rules): {@code <a>},...
  */
 public class CustomPermissivePolicy implements SanitizerCustomPolicy {
 
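Review bot: removing the stray `</blockquote>` is right, since nothing in this Javadoc opened a blockquote; the ellipsis after `{@code <a>},...` still leaves the list of accepted tags undocumented, so consider spelling the tags out or pointing at where the policy defines them.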
@@ -111,11 +111,15 @@ public class CustomPermissivePolicy impl
             .matching(NUMBER).onElements("table")
             .allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE)
             .onElements("table")
+            .allowAttributes("background").matching(ONSITE_URL)
+            .onElements("table")
+            .allowAttributes("background").matching(ONSITE_URL)
+            .onElements("td", "th", "tr")
             .allowAttributes("align").matching(ALIGN)
             .onElements("table")
             .allowAttributes("noresize").matching(Pattern.compile("(?i)noresize"))
             .onElements("table")
-            .allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE)
+            .allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE)            
             .onElements("td", "th")
             .allowAttributes("abbr").matching(PARAGRAPH)
             .onElements("td", "th")
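Review bot: the `-`/`+` pair on the `.allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE)` line changes nothing but trailing whitespace and should be reverted. The two new `background` blocks can be collapsed into one call, `.allowAttributes("background").matching(ONSITE_URL).onElements("table", "td", "th", "tr")`, which keeps the policy easier to audit. Since `background` makes the browser fetch a URL, it is worth confirming that the `ONSITE_URL` pattern (defined outside this hunk) only admits relative or same-site paths and rejects scheme-bearing and protocol-relative values, ideally with a unit test feeding such values through the sanitizer.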