Author: jleroux
Date: Fri May 24 13:47:08 2019
New Revision: 1859877

URL: http://svn.apache.org/viewvc?rev=1859877&view=rev
Log:
Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe" (OFBIZ-5254)

This was reopened after discussion at https://markmail.org/message/jnaitmwahjcjmdn5

This is a new solution which follows the work done with and OFBIZ-10187

Roughly said, it uses org.owasp.html.PolicyFactory and org.owasp.html.Sanitizers

Thanks: Christoph Neuroth for report

Added:
    ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java   (with props)
Modified:
    ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_agreement.xml
    ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_invoice.xml
    ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services.xml
    ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_content.xml
    ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_data.xml
    ofbiz/ofbiz-framework/trunk/applications/marketing/servicedef/services_opportunity.xml
    ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services.xml
    ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_quote.xml
    ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_request.xml
    ofbiz/ofbiz-framework/trunk/applications/party/servicedef/services.xml
    ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services.xml
    ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services_pricepromo.xml
    ofbiz/ofbiz-framework/trunk/applications/workeffort/servicedef/services.xml
    ofbiz/ofbiz-framework/trunk/framework/base/config/owasp.properties
    ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
    ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
    ofbiz/ofbiz-framework/trunk/framework/common/config/SecurityUiLabels.xml
ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services.xml ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services_email.xml ofbiz/ofbiz-framework/trunk/framework/service/dtd/services.xsd ofbiz/ofbiz-framework/trunk/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java Modified: ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_agreement.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_agreement.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_agreement.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_agreement.xml Fri May 24 13:47:08 2019 @@ -29,14 +29,14 @@ under the License. <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes include="pk" mode="OUT" optional="true"/> - <override name="textData" allow-html="any"/> + <override name="textData" allow-html="safe"/> </service> <service name="updateAgreement" default-entity-name="Agreement" engine="entity-auto" invoke="update" auth="true"> <description>Update an Agreement</description> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="textData" allow-html="any"/> + <override name="textData" allow-html="safe"/> </service> <service name="expireAgreement" engine="entity-auto" default-entity-name="Agreement" invoke="expire" auth="true"> <description>Expire an Agreement</description> 
@@ -60,7 +60,7 @@ under the License. <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> <auto-attributes include="pk" mode="INOUT" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="agreementText" allow-html="any"/> + <override name="agreementText" allow-html="safe"/> <override name="agreementItemSeqId" optional="true"></override> </service> <service name="updateAgreementItem" default-entity-name="AgreementItem" engine="entity-auto" invoke="update" auth="true"> @@ -68,7 +68,7 @@ under the License. <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="agreementText" allow-html="any"/> + <override name="agreementText" allow-html="safe"/> </service> <service name="removeAgreementItem" default-entity-name="AgreementItem" engine="entity-auto" invoke="delete" auth="true"> <description>Remove an AgreementItem</description> 
@@ -102,14 +102,14 @@ under the License. <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> <auto-attributes include="pk" mode="INOUT" optional="true"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="textValue" allow-html="any"/> + <override name="textValue" allow-html="safe"/> </service> <service name="updateAgreementTerm" default-entity-name="AgreementTerm" engine="entity-auto" invoke="update" auth="true"> <description>Update an AgreementTerm</description> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="textValue" allow-html="any"/> + <override name="textValue" allow-html="safe"/> </service> <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" engine="entity-auto" invoke="delete" auth="true"> <description>Delete an AgreementTerm</description> Modified: ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_invoice.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_invoice.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_invoice.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/accounting/servicedef/services_invoice.xml Fri May 24 13:47:08 2019 
@@ -56,8 +56,8 @@ under the License. <override name="invoiceTypeId" mode="IN" optional="false"/> <override name="partyIdFrom" mode = "IN" optional="false"/> <override name="partyId" mode = "IN" optional="false"/> - <override name="description" allow-html="any"/> - <override name="invoiceMessage" allow-html="any"/> + <override name="description" allow-html="safe"/> + <override name="invoiceMessage" allow-html="safe"/> </service> <service name="copyInvoice" engine="simple" default-entity-name="Invoice" location="component://accounting/minilang/invoice/InvoiceServices.xml" invoke="copyInvoice"> @@ -80,8 +80,8 @@ under the License. <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> <auto-attributes mode="IN" include="pk" optional="false"/> <auto-attributes mode="IN" include="nonpk" optional="true"/> - <override name="description" allow-html="any"/> - <override name="invoiceMessage" allow-html="any"/> + <override name="description" allow-html="safe"/> + <override name="invoiceMessage" allow-html="safe"/> </service> <service name="setInvoiceStatus" engine="simple" location="component://accounting/minilang/invoice/InvoiceServices.xml" invoke="setInvoiceStatus"> @@ -117,7 +117,7 @@ under the License. <auto-attributes mode="IN" include="pk" optional="false"/> <auto-attributes mode="IN" include="nonpk" optional="true"/> <override name="invoiceItemSeqId" mode="INOUT" optional="true"/><!-- will optionally be assigned by the system --> - <override name="description" allow-html="any"/> + <override name="description" allow-html="safe"/> </service> <service name="updateInvoiceItem" engine="simple" default-entity-name="InvoiceItem" location="component://accounting/minilang/invoice/InvoiceServices.xml" invoke="updateInvoiceItem"> 
@@ -125,7 +125,7 @@ under the License. <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> <auto-attributes mode="INOUT" include="pk" optional="false"/> <auto-attributes mode="IN" include="nonpk" optional="true"/> - <override name="description" allow-html="any"/> + <override name="description" allow-html="safe"/> </service> <service name="removeInvoiceItem" engine="simple" default-entity-name="InvoiceItem" location="component://accounting/minilang/invoice/InvoiceServices.xml" invoke="removeInvoiceItem"> @@ -429,7 +429,7 @@ under the License. <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> <override name="contentId" optional="true"/> <override name="fromDate" optional="true"/> </service> 
@@ -439,7 +439,7 @@ under the License. <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes mode="IN" entity-name="Content" optional="true"/> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <service name="isInvoiceInForeignCurrency" engine="simple" location="component://accounting/minilang/invoice/InvoiceServices.xml" invoke="isInvoiceInForeignCurrency" auth="true"> Modified: ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services.xml Fri May 24 13:47:08 2019 @@ -189,7 +189,7 @@ <service name="createSimpleTextContent" engine="simple" location="component://content/minilang/content/ContentServices.xml" invoke="createSimpleTextContent"> <permission-service service-name="contentManagerPermission" main-action="CREATE"/> <auto-attributes mode="IN" entity-name="Content" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"> <type-validate> <fail-property resource="ContentErrorUiLabels" property="ContentRequiredFieldMissingText"/> </type-validate> 
@@ -199,7 +199,7 @@ <service name="updateSimpleTextContent" engine="simple" location="component://content/minilang/content/ContentServices.xml" invoke="updateSimpleTextContent"> <permission-service service-name="contentManagerPermission" main-action="UPDATE"/> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <!-- Util --> @@ -367,7 +367,7 @@ <attribute mode="IN" name="forceElectronicText" optional="true" type="String"/> <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> - <override name="textData" allow-html="any"/> + <override name="textData" allow-html="safe"/> </service> <service name="persistDataResourceAndData" engine="java" @@ -1097,8 +1097,8 @@ <attribute name="statusId" type="String" mode="IN" optional="true"/> <attribute name="description" type="String" mode="IN" optional="true"/> <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="none"/> - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="none"/> + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <service name="updateBlogEntry" engine="simple" auth="true" location="component://content/minilang/blog/BlogServices.xml" invoke="updateBlogEntry"> 
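Review bot: the createBlogEntry hunk (@@ -1097 of content/servicedef/services.xml) relaxes articleData and summaryData from allow-html="none" to allow-html="safe", which is the opposite direction from every other hunk in this commit (those tighten "any" to "safe"); the updateBlogEntry hunk that follows does the same. If blog bodies are meant to carry markup this is fine, but the log only describes a tightening, so call the relaxation out explicitly in the commit message and in the OFBIZ-5254 ticket, since these two fields previously rejected all HTML and will now accept whatever the new "safe" policy lets through.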
@@ -1121,8 +1121,8 @@ <attribute name="statusId" type="String" mode="IN" optional="true"/> <attribute name="description" type="String" mode="IN" optional="true"/> <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="none"/> - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="none"/> + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <service name="getBlogEntry" engine="simple" auth="true" location="component://content/minilang/blog/BlogServices.xml" invoke="getBlogEntry"> Modified: ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_content.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_content.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_content.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_content.xml Fri May 24 13:47:08 2019 @@ -39,8 +39,8 @@ <!-- end of deprecated fields --> <override name="contentTypeId" default-value="DOCUMENT"/> <override name="statusId" default-value="CTNT_IN_PROGRESS"/> - <override name="contentName" allow-html="any"/> - <override name="description" allow-html="any"/> + <override name="contentName" allow-html="safe"/> + <override name="description" allow-html="safe"/> </service> <service name="createTextAndUploadedContent" engine="simple" auth="true" 
@@ -131,9 +131,9 @@ <attribute mode="IN" name="skipPermissionCheck" optional="true" type="String"/> <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> - <!-- end of depricated fields --> - <override name="contentName" allow-html="any"/> - <override name="description" allow-html="any"/> + <!-- end of deprecated fields --> + <override name="contentName" allow-html="safe"/> + <override name="description" allow-html="safe"/> </service> <service name="updateTextContent" engine="group" auth="true"> Modified: ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_data.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_data.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_data.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/content/servicedef/services_data.xml Fri May 24 13:47:08 2019 @@ -37,8 +37,8 @@ <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> <attribute name="dataResource" type="org.apache.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> <attribute name="uploadedFile" type="java.nio.ByteBuffer" mode="IN" optional="true"/> - <override name="objectInfo" allow-html="any"/> - <override name="dataResourceName" allow-html="any"/> + <override name="objectInfo" allow-html="safe"/> + <override name="dataResourceName" allow-html="safe"/> </service> <service name="createDataResourceAndAssocToContent" default-entity-name="DataResource" engine="simple" location="component://content/minilang/data/DataServices.xml" invoke="createDataResourceAndAssocToContent" auth="true"> 
@@ -61,8 +61,8 @@ <fail-property resource="ContentErrorUiLabels" property="ContentRequiredFieldMissingDataResourceId"/> </type-validate> </attribute> - <override name="objectInfo" allow-html="any"/> - <override name="dataResourceName" allow-html="any"/> + <override name="objectInfo" allow-html="safe"/> + <override name="dataResourceName" allow-html="safe"/> </service> <service name="removeDataResource" engine="entity-auto" default-entity-name="DataResource" auth="true" invoke="delete"> <description>Remove DataResource</description> @@ -91,7 +91,7 @@ <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> <auto-attributes include="pk" mode="INOUT" optional="true"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <attribute name="textData" mode="IN" optional="true" type="String" allow-html="any"/> + <attribute name="textData" mode="IN" optional="true" type="String" allow-html="safe"/> <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> @@ -101,7 +101,7 @@ <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> <auto-attributes include="pk" mode="IN" optional="true"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <attribute name="textData" mode="IN" type="String" optional="true" allow-html="any"/> + <attribute name="textData" mode="IN" type="String" optional="true" allow-html="safe"/> <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> 
@@ -115,7 +115,7 @@ <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <override name="dataResourceTypeId" default-value="ELECTRONIC_TEXT"/> - <override name="textData" allow-html="any"/> + <override name="textData" allow-html="safe"/> </service> <service name="updateElectronicText" default-entity-name="ElectronicText" engine="entity-auto" invoke="update" auth="true"> <description>Update a ElectronicText</description> @@ -123,7 +123,7 @@ <auto-attributes include="pk" mode="INOUT" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <attribute name="contentId" mode="INOUT" optional="true" type="String"/><!-- to optionaly know where this text is belonging to --> - <override name="textData" allow-html="any"/> + <override name="textData" allow-html="safe"/> </service> <service name="createElectronicTextForm" default-entity-name="ElectronicText" engine="simple" location="component://content/minilang/data/DataServices.xml" invoke="createElectronicTextForm" auth="true"> Modified: ofbiz/ofbiz-framework/trunk/applications/marketing/servicedef/services_opportunity.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/marketing/servicedef/services_opportunity.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/marketing/servicedef/services_opportunity.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/marketing/servicedef/services_opportunity.xml Fri May 24 13:47:08 2019 
@@ -72,9 +72,9 @@ under the License. <auto-attributes mode="IN" include="nonpk" optional="true"/> <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> - <override name="opportunityName" allow-html="any"/> - <override name="description" allow-html="any"/> - <override name="nextStep" allow-html="any"/> + <override name="opportunityName" allow-html="safe"/> + <override name="description" allow-html="safe"/> + <override name="nextStep" allow-html="safe"/> </service> <service name="updateSalesOpportunity" default-entity-name="SalesOpportunity" engine="entity-auto" invoke="update"> <description>Update an sales opportunity</description> @@ -82,9 +82,9 @@ under the License. <auto-attributes mode="IN" include="nonpk" optional="true"/> <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> - <override name="opportunityName" allow-html="any"/> - <override name="description" allow-html="any"/> - <override name="nextStep" allow-html="any"/> + <override name="opportunityName" allow-html="safe"/> + <override name="description" allow-html="safe"/> + <override name="nextStep" allow-html="safe"/> </service> <service name="createSalesOpportunityRole" default-entity-name="SalesOpportunityRole" engine="entity-auto" invoke="create"> <description>Create sales opportunity role</description> Modified: ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services.xml Fri May 24 13:47:08 2019 
@@ -440,7 +440,7 @@ under the License. location="org.apache.ofbiz.order.order.OrderServices" invoke="createOrderNote" auth="true"> <description>Create a note item and associate with a order header</description> <attribute name="orderId" type="String" mode="IN"/> - <attribute name="note" type="String" mode="IN" allow-html="any"/> + <attribute name="note" type="String" mode="IN" allow-html="safe"/> <attribute name="internalNote" type="String" mode="IN"/> <attribute name="noteName" type="String" mode="IN" optional="true"/> </service> Modified: ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_quote.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_quote.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_quote.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_quote.xml Fri May 24 13:47:08 2019 
@@ -309,7 +309,7 @@ under the License. location="component://order/groovyScripts/quote/QuoteServices.groovy" invoke="createQuoteNote" auth="true"> <description>Create a note item and associate with a quote</description> <attribute name="quoteId" type="String" mode="IN"/> - <attribute name="noteInfo" type="String" mode="IN" allow-html="any"/> + <attribute name="noteInfo" type="String" mode="IN" allow-html="safe"/> <attribute name="noteName" type="String" mode="IN" optional="true"/> </service> Modified: ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_request.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_request.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_request.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/order/servicedef/services_request.xml Fri May 24 13:47:08 2019 @@ -42,9 +42,9 @@ under the License. <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes include="all" mode="IN" entity-name="CustRequestItem" optional="true"/> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> - <override name="custRequestName" allow-html="any"/> - <override name="description" allow-html="any"/> - <override name="story" allow-html="any"/> + <override name="custRequestName" allow-html="safe"/> + <override name="description" allow-html="safe"/> + <override name="story" allow-html="safe"/> </service> <service name="updateCustRequest" engine="simple" default-entity-name="CustRequest" location="component://order/minilang/request/CustRequestServices.xml" invoke="updateCustRequest" auth="true"> 
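Review bot: in the @@ -42 hunk of order/servicedef/services_request.xml, custRequestName, a field that is displayed as a name, gets allow-html="safe" alongside the long-text description and story fields. Name-type fields rarely need any markup, so allow-html="none" would be the stricter choice for custRequestName, keeping "safe" for the free-text fields only; the same consideration applies to contentName and dataResourceName in the content hunks and opportunityName in the marketing hunk above, and to the custRequestName attribute declared directly in the later hunks of this file.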
@@ -52,10 +52,10 @@ under the License. <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <attribute name="oldStatusId" type="String" mode="OUT"/> - <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> + <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> - <override name="custRequestName" allow-html="any"/> - <override name="description" allow-html="any"/> + <override name="custRequestName" allow-html="safe"/> + <override name="description" allow-html="safe"/> </service> <service name="deleteCustRequest" engine="simple" default-entity-name="CustRequest" 
@@ -86,16 +86,16 @@ under the License. <auto-attributes include="pk" mode="INOUT" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <override name="custRequestItemSeqId" optional="true"/> - <override name="story" allow-html="any"/> - <override name="description" allow-html="any"/> + <override name="story" allow-html="safe"/> + <override name="description" allow-html="safe"/> </service> <service name="updateCustRequestItem" engine="simple" default-entity-name="CustRequestItem" location="component://order/minilang/request/CustRequestServices.xml" invoke="updateCustRequestItem" auth="true"> <description>Update a CustRequestItem record</description> <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="story" allow-html="any"/> - <override name="description" allow-html="any"/> + <override name="story" allow-html="safe"/> + <override name="description" allow-html="safe"/> </service> <service name="copyCustRequestItem" default-entity-name="CustRequestItem" engine="simple" location="component://order/minilang/request/CustRequestServices.xml" invoke="copyCustRequestItem" auth="true"> @@ -134,7 +134,7 @@ under the License. location="component://order/minilang/request/CustRequestServices.xml" invoke="createCustRequestNote" auth="true"> <description>Create a note for a CustRequest</description> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> - <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="any"/> + <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="safe"/> <attribute name="noteId" type="String" mode="OUT" optional="false"/> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> 
@@ -143,7 +143,7 @@ under the License. location="component://order/minilang/request/CustRequestServices.xml" invoke="updateCustRequestNote" auth="true"> <description>Update CustRequest Note</description> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> - <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="any"/> + <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="safe"/> <attribute name="noteInfo" type="String" mode="IN" optional="true"/> </service> <service name="createCustRequestItemNote" engine="simple" @@ -151,7 +151,7 @@ under the License. <description>Create a note for a CustRequestItem</description> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> <attribute name="custRequestItemSeqId" type="String" mode="IN" optional="false"/> - <attribute name="note" type="String" mode="IN" optional="false" allow-html="any"/> + <attribute name="note" type="String" mode="IN" optional="false" allow-html="safe"/> <attribute name="noteId" type="String" mode="OUT" optional="false"/> <attribute name="partyId" type="String" mode="INOUT" optional="true"/><!-- party who created the note --> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> 
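Review bot: in the updateCustRequestNote hunk (@@ -143) allow-html="safe" is set on noteId, which is an identifier, while noteInfo, the free-text note body on the next line, carries no allow-html attribute at all. The misplacement predates this commit (noteId was already allow-html="any"), but since the line is being touched anyway, move the attribute to the field that actually receives text, matching createCustRequestNote in the hunk just above where noteInfo is allow-html="safe": `<attribute name="noteId" type="String" mode="IN" optional="false"/>` and `<attribute name="noteInfo" type="String" mode="IN" optional="true" allow-html="safe"/>`.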
@@ -183,7 +183,7 @@ under the License. <description>Set the Customer Request Status</description> <attribute name="custRequestId" type="String" mode="INOUT" optional="false"/> <attribute name="statusId" type="String" mode="IN" optional="false"/> - <attribute name="reason" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="reason" type="String" mode="IN" optional="true" allow-html="safe"/> <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- for notification services --> <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> @@ -197,8 +197,8 @@ under the License. <attribute name="custRequestId" mode="IN" type="String" optional="true"/> <attribute name="custRequestId" mode="OUT" type="String" optional="false"/> <attribute name="custRequestTypeId" mode="IN" type="String" optional="true"/> - <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="any"/> - <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> + <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="safe"/> + <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> <override name="content" allow-html="any"/> </service> Modified: ofbiz/ofbiz-framework/trunk/applications/party/servicedef/services.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/party/servicedef/services.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/party/servicedef/services.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/party/servicedef/services.xml Fri May 24 13:47:08 2019 
@@ -114,7 +114,7 @@ under the License. <attribute name="externalId" type="String" mode="IN" optional="true"/> <attribute name="statusId" type="String" mode="IN" optional="true"/> <override name="groupName" optional="false"/> - <override name="comments" allow-html="any"/> + <override name="comments" allow-html="safe"/> </service> <service name="updatePartyGroup" engine="java" default-entity-name="PartyGroup" location="org.apache.ofbiz.party.party.PartyServices" invoke="updatePartyGroup" auth="true"> @@ -127,7 +127,7 @@ under the License. <attribute name="preferredCurrencyUomId" type="String" mode="IN" optional="true"/> <attribute name="externalId" type="String" mode="IN" optional="true"/> <attribute name="statusId" type="String" mode="IN" optional="true"/> - <override name="comments" allow-html="any"/> + <override name="comments" allow-html="safe"/> </service> <service name="savePartyNameChange" engine="simple" @@ -368,7 +368,7 @@ under the License. <description>create a company/contact relationship and add the related roles</description> <attribute name="accountPartyId" type="String" mode="IN"/> <attribute name="contactPartyId" type="String" mode="IN"/> - <attribute name="comments" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="comments" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <!-- ContactMech services --> @@ -780,7 +780,7 @@ under the License. <override name="headerString" allow-html="any"/> <override name="content" allow-html="any"/> <override name="messageId" allow-html="any"/> - <override name="subject" allow-html="any"/> + <override name="subject" allow-html="safe"/> </service> <service name="createCommunicationEvent" engine="simple" location="component://party/minilang/communication/CommunicationEventServices.xml" invoke="createCommunicationEventWithPermission" auth="true"> 
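Review bot: in the @@ -780 hunk of party/servicedef/services.xml only subject moves to "safe" while headerString, content and messageId stay at allow-html="any", so the communication-event body still accepts arbitrary HTML; the same split is repeated in the updateCommunicationEvent hunk below. Keeping raw inbound mail intact at intake can be a deliberate choice (and messageId presumably stays "any" because Message-ID values are wrapped in angle brackets and would trip the "none" check), but nothing in the definition says so. Add an XML comment next to those three overrides explaining why they remain "any" and where the rendering side sanitizes or encodes content, so the next pass over allow-html does not flip them blindly or leave them unexplained.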
@@ -804,7 +804,7 @@ under the License. <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/> <override name="messageId" allow-html="any"/> <override name="content" allow-html="any"/> - <override name="subject" allow-html="any"/> + <override name="subject" allow-html="safe"/> </service> <service name="deleteCommunicationEvent" engine="simple" location="component://party/minilang/communication/CommunicationEventServices.xml" invoke="deleteCommunicationEvent" auth="true"> Modified: ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services.xml Fri May 24 13:47:08 2019 @@ -34,8 +34,8 @@ under the License. <exclude field-name="lastModifiedDate"/> <exclude field-name="lastModifiedByUserLogin"/> </auto-attributes> - <override name="description" allow-html="any"/> - <override name="longDescription" allow-html="any"/> + <override name="description" allow-html="safe"/> + <override name="longDescription" allow-html="safe"/> </service> <service name="createProduct" default-entity-name="Product" engine="simple" location="component://product/minilang/product/product/ProductServices.xml" invoke="createProduct" auth="true"> 
@@ -70,8 +70,8 @@ under the License. <attribute name="oldProductId" type="String" mode="IN" optional="false"/> <attribute name="newInternalName" type="String" mode="IN" optional="true"/> <attribute name="newProductName" type="String" mode="IN" optional="true"/> - <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="any"/> - <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="safe"/> + <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="safe"/> <attribute name="duplicatePrices" type="String" mode="IN" optional="true"/> <attribute name="duplicateIDs" type="String" mode="IN" optional="true"/> <attribute name="duplicateContent" type="String" mode="IN" optional="true"/> @@ -387,7 +387,7 @@ under the License. <auto-attributes mode="IN" entity-name="Content" optional="true"/> <attribute name="subject" type="String" mode="IN" optional="false"/> <attribute name="plainBody" type="String" mode="IN" optional="false"/> - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> <override name="contentId" optional="true" mode="INOUT"/> </service> <service name="updateEmailContentForProduct" default-entity-name="ProductContent" engine="simple" 
@@ -400,7 +400,7 @@ under the License. <attribute name="plainBodyDataResourceId" type="String" mode="IN" optional="true"/> <attribute name="plainBody" type="String" mode="IN" optional="true"/> <attribute name="htmlBodyDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <service name="createDownloadContentForProduct" default-entity-name="ProductContent" engine="simple" location="component://product/minilang/product/product/ProductContentServices.xml" invoke="createDownloadContentForProduct" auth="true"> @@ -426,7 +426,7 @@ under the License. <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> <override name="contentId" optional="true"/> <override name="fromDate" optional="true"/> </service> 
@@ -436,13 +436,13 @@ under the License. <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes mode="IN" entity-name="Content" optional="true"/> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <service name="createSimpleTextContentForAlternateLocale" engine="simple" location="component://product/minilang/product/product/ProductContentServices.xml" invoke="createSimpleTextContentForAlternateLocale"> <auto-attributes mode="IN" entity-name="Content" optional="true"/> <attribute name="mainContentId" type="String" mode="IN" optional="false"/> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> <override name="localeString" optional="false"/> <override name="contentId" mode="INOUT"/> </service> @@ -940,7 +940,7 @@ under the License. <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> <override name="contentId" optional="true"/> <override name="fromDate" optional="true"/> </service> 
@@ -950,7 +950,7 @@ under the License. <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <service name="updateContentSEOForCategory" engine="simple" @@ -1173,7 +1173,7 @@ under the License. <auto-attributes include="pk" mode="IN" optional="true"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes mode="IN" entity-name="Content" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> <override name="contentId" optional="true"/> </service> <service name="updateSimpleTextContentForProductConfigItem" default-entity-name="ProdConfItemContent" engine="simple" 
@@ -1182,7 +1182,7 @@ under the License. <auto-attributes include="nonpk" mode="IN" optional="true"/> <auto-attributes mode="IN" entity-name="Content" optional="true"/> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> </service> <service name="getProductFeaturesByType" engine="java" location="org.apache.ofbiz.product.feature.ProductFeatureServices" invoke="getProductFeaturesByType"> Modified: ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services_pricepromo.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services_pricepromo.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services_pricepromo.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/product/servicedef/services_pricepromo.xml Fri May 24 13:47:08 2019 @@ -132,7 +132,7 @@ under the License. <auto-attributes include="pk" mode="OUT" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <override name="promoName" optional="false"/> - <override name="promoText" allow-html="any"/> + <override name="promoText" allow-html="safe"/> <override name="userEntered" default-value="Y"/> </service> <service name="updateProductPromo" default-entity-name="ProductPromo" engine="entity-auto" invoke="update" auth="true"> 
@@ -140,7 +140,7 @@ under the License. <permission-service service-name="productPriceGenericPermission" main-action="UPDATE"/> <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="promoText" allow-html="any"/> + <override name="promoText" allow-html="safe"/> <override name="userEntered" default-value="Y"/> </service> <service name="deleteProductPromo" default-entity-name="ProductPromo" engine="entity-auto" invoke="delete" auth="true"> Modified: ofbiz/ofbiz-framework/trunk/applications/workeffort/servicedef/services.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/workeffort/servicedef/services.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/applications/workeffort/servicedef/services.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/workeffort/servicedef/services.xml Fri May 24 13:47:08 2019 @@ -35,8 +35,8 @@ under the License. <exclude field-name="lastModifiedDate"/> <exclude field-name="lastModifiedByUserLogin"/> </auto-attributes> - <override name="workEffortName" allow-html="any"/> - <override name="description" allow-html="any"/> + <override name="workEffortName" allow-html="safe"/> + <override name="description" allow-html="safe"/> </service> <service name="createWorkEffort" default-entity-name="WorkEffort" engine="simple" location="component://workeffort/minilang/workeffort/WorkEffortSimpleServices.xml" invoke="createWorkEffort"> 
@@ -50,9 +50,9 @@ under the License. <attribute name="communicationEventId" type="String" mode="IN" optional="true"/> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> <override name="workEffortTypeId" optional="false"/> - <override name="workEffortName" optional="false" allow-html="any"/> + <override name="workEffortName" optional="false" allow-html="safe"/> <override name="currentStatusId" optional="false"/> - <override name="description" allow-html="any"/> + <override name="description" allow-html="safe"/> </service> <service name="createWorkEffortAndPartyAssign" default-entity-name="WorkEffort" engine="simple" location="component://workeffort/minilang/workeffort/WorkEffortSimpleServices.xml" invoke="createWorkEffortAndPartyAssign"> @@ -783,7 +783,7 @@ under the License. <fail-property resource="WorkEffortUiLabels" property="WorkEffortRequiredFieldMissingWorkEffortId"/> </type-validate> </override> - <override name="description" allow-html="any"/> + <override name="description" allow-html="safe"/> </service> <service name="deleteWorkEffortRequest" engine="entity-auto" default-entity-name="CustRequestWorkEffort" invoke="delete" auth="true"> <description>Deletes a CustRequestWorkEffort</description> Modified: ofbiz/ofbiz-framework/trunk/framework/base/config/owasp.properties URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/config/owasp.properties?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/base/config/owasp.properties (original) +++ ofbiz/ofbiz-framework/trunk/framework/base/config/owasp.properties Fri May 24 13:47:08 2019 
@@ -24,10 +24,14 @@ # By default we use a permissive sanitizer policy # This has a slight impact on the code rendered, see last comments in OFBIZ-6669. # Given as an example based on rendering cmssite, as it was before using the sanitizer. -# You might even want to adapt the PERMISSIVE_POLICY to your needs. +# You might want to adapt the PERMISSIVE_POLICY to your needs. # Be sure to check https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet before... - -# Use sanitizer.permissive.policy=CUSTOM to use your custom PolicyFactory sanitizer.enable=true + +# Use sanitizer.permissive.policy=CUSTOM to use your custom permissive PolicyFactory (see OFBIZ-10187) sanitizer.permissive.policy=DEFAULT -sanitizer.custom.policy.class=org.apache.ofbiz.base.html.CustomPermissivePolicy \ No newline at end of file +sanitizer.custom.permissive.policy.class=org.apache.ofbiz.base.html.CustomPermissivePolicy + +# Use sanitizer.safe.policy=CUSTOM to use your custom safe PolicyFactory (see OFBIZ-5254) +sanitizer.safe.policy=DEFAULT +sanitizer.custom.safe.policy.class=org.apache.ofbiz.base.html.CustomSafePolicy \ No newline at end of file Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java?rev=1859877&view=auto ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java (added) +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java Fri May 24 13:47:08 2019 
@@ -0,0 +1,53 @@ +package org.apache.ofbiz.base.html; + +import java.util.regex.Pattern; + +import org.owasp.html.HtmlPolicyBuilder; +import org.owasp.html.PolicyFactory; + +/** + * Based on the + * <a href="http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#Stage_2_-_Choosing_a_base_policy_file">AntiSamy Slashdot example</a>. + * Slashdot (http://www.slashdot.org/) is a techie news site that allows users + * to respond anonymously to news posts with very limited HTML markup. Now + * Slashdot is not only one of the coolest sites around, it's also one that's + * been subject to many different successful attacks. Even more unfortunate is + * the fact that most of the attacks led users to the infamous goatse.cx picture + * (please don't go look it up). The rules for Slashdot are fairly strict: users + * can only submit the following HTML tags and no CSS: {@code <b>}, {@code <u>}, + * {@code <i>}, {@code <a>}, {@code <blockquote>}. + * + * Accordingly, we've built a policy file that allows fairly similar + * functionality. All text-formatting tags that operate directly on the font, + * color or emphasis have been allowed. + */ +public class CustomSafePolicy implements SanitizerCustomPolicy { + + /** + * A policy that can be used to produce policies that sanitize to HTML sinks via + * {@link PolicyFactory#apply}. + */ + public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder() + .allowStandardUrlProtocols() + // Allow title="..." on any element. + .allowAttributes("title").globally() + // Allow href="..." on <a> elements. + .allowAttributes("href").onElements("a") + // Defeat link spammers. + .requireRelNofollowOnLinks() + // Allow lang= with an alphabetic value on any element. + .allowAttributes("lang").matching(Pattern.compile("[a-zA-Z]{2,20}")) + .globally() + // The align attribute on <p> elements can have any value below. 
+ .allowAttributes("align") + .matching(true, "center", "left", "right", "justify", "char") + .onElements("p") + // These elements are allowed. + .allowElements("a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong","br", "ul", "ol", "li") + .toFactory(); + + @Override + public PolicyFactory getSanitizerPolicy() { + return POLICY_DEFINITION; + } +} Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java ------------------------------------------------------------------------------ svn:keywords = Date Rev Author URL Id Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java ------------------------------------------------------------------------------ svn:mime-type = text/plain Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java (original) +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java Fri May 24 13:47:08 2019 @@ -29,6 +29,7 @@ import java.util.Collection; import java.util.Collections; import java.util.Iterator; import java.util.List; +import java.util.Locale; import java.util.Map; import java.util.Set; 
@@ -118,8 +119,8 @@ public class UtilCodec { * This method will start a configurable sanitizing process. The sanitizer can * be turns off through "sanitizer.enable=false", the default value is true. It * is possible to configure a custom policy using the properties - * "sanitizer.permissive.policy" and "sanitizer.custom.policy.class". The custom - * policy has to implement + * "sanitizer.permissive.policy" and "sanitizer.custom.permissive.policy.class". + * The custom policy has to implement * {@link org.apache.ofbiz.base.html.SanitizerCustomPolicy}. * * @param original @@ -146,7 +147,7 @@ public class UtilCodec { PolicyFactory policy = null; try { Class<?> customPolicyClass = Class.forName(UtilProperties.getPropertyValue("owasp", - "sanitizer.custom.policy.class")); + "sanitizer.custom.permissive.policy.class")); Object obj = customPolicyClass.newInstance(); if (SanitizerCustomPolicy.class.isAssignableFrom(customPolicyClass)) { Method meth = customPolicyClass.getMethod("getSanitizerPolicy"); @@ -156,7 +157,7 @@ public class UtilCodec { | InvocationTargetException | NoSuchMethodException | SecurityException | InstantiationException e) { // Just logging the error and falling back to default policy - Debug.logError(e, "Could not find custom sanitizer policy. Using default instead", module); + Debug.logError(e, "Could not find custom permissive sanitizer policy. Using default instead", module); } if (policy != null) { 
@@ -372,45 +373,69 @@ public class UtilCodec { /** * Uses a black-list approach for necessary characters for HTML. - * <p> * Does not allow various characters (after canonicalization), including - * "<", ">", "&" (if not followed by a space), and "%" (if not - * followed by a space). + * "<", ">", "&" and "%" (if not followed by a space). * * Also does not allow js events as in OFBIZ-10054 * - * @param value - * @param errorMessageList + * @param valueName field name checked + * @param value value checked + * @param errorMessageList an empty list passed by and modified in case of issues + * @param locale */ - public static String checkStringForHtmlStrictNone(String valueName, String value, List<String> errorMessageList) { + public static String checkStringForHtmlStrictNone(String valueName, String value, List<String> errorMessageList, + Locale locale) { if (UtilValidate.isEmpty(value)) { return value; } + // canonicalize, strict (error on double-encoding) try { value = canonicalize(value, true); } catch (IntrusionException e) { // NOTE: using different log and user targeted error messages to allow the end-user message to be less technical - Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) error for attribute named [" - + valueName + "], String [" + value + "]: " + e.toString(), module); - errorMessageList.add("In field [" + valueName - + "] found character escaping (mixed or double) that is not allowed or other format consistency error: " + e.toString()); + Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) " + + "error for attribute named [" + valueName + "], String [" + value + "]: " + e.toString(), module); + String issueMsg = null; + if (locale.equals(new Locale("test"))) { // labels are not available in testClasses Gradle task + issueMsg = "In field [" + valueName + "] found character escaping (mixed or double) " + + "that is not allowed or other format 
consistency error: "; + } else { + issueMsg = UtilProperties.getMessage("SecurityUiLabels","PolicyNoneMixedOrDouble", + UtilMisc.toMap("valueName", valueName), locale); + } + errorMessageList.add(issueMsg + e.toString()); } // check for "<", ">" if (value.indexOf("<") >= 0 || value.indexOf(">") >= 0) { - errorMessageList.add("In field [" + valueName + "] less-than (<) and greater-than (>) symbols are not allowed."); + String issueMsg = null; + if (locale.equals(new Locale("test"))) { + issueMsg = "In field [" + valueName + "] less-than (<) and greater-than (>) symbols are not allowed."; + } else { + issueMsg = UtilProperties.getMessage("SecurityUiLabels","PolicyNoneLess-thanGreater-than", + UtilMisc.toMap("valueName", valueName), locale); + } + errorMessageList.add(issueMsg); } // check for js events String onEvent = "on" + StringUtils.substringBetween(value, " on", "="); if (jsEventList.stream().anyMatch(str -> StringUtils.containsIgnoreCase(str, onEvent)) || value.contains("seekSegmentTime")) { - errorMessageList.add("In field [" + valueName + "] js events are not allowed."); + String issueMsg = null; + if (locale.equals(new Locale("test"))) { + issueMsg = "In field [" + valueName + "] Javascript events are not allowed."; + } else { + issueMsg = UtilProperties.getMessage("SecurityUiLabels","PolicyNoneJsEvents", + UtilMisc.toMap("valueName", valueName), locale); + } + errorMessageList.add(issueMsg); } // TODO: anything else to check for that can be used to get HTML or JavaScript going without these characters? + // // Another would be https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#US-ASCII_encoding // But all our Tomcat connectors use UTF-8 // We don't care about Flash now rather deprecated 
@@ -420,6 +445,57 @@ public class UtilCodec { } /** + * This method check if the input is safe HTML. + * It is possible to configure a safe policy using the properties + * "sanitizer.safe.policy" and "sanitizer.custom.safe.policy.class". + * The safe policy has to implement + * {@link org.apache.ofbiz.base.html.SanitizerCustomPolicy}. + * + * @param valueName field name checked + * @param value value checked + * @param errorMessageList an empty list passed by and modified in case of issues + * @param locale + */ + public static String checkStringForHtmlSafe(String valueName, String value, List<String> errorMessageList, + Locale locale) { + PolicyFactory policy = null; + try { + Class<?> customPolicyClass = null; + if (locale.equals(new Locale("test"))) { + customPolicyClass = Class.forName("org.apache.ofbiz.base.html.CustomSafePolicy"); + } else { + customPolicyClass = Class.forName(UtilProperties.getPropertyValue("owasp", + "sanitizer.custom.safe.policy.class")); + } + Object obj = customPolicyClass.newInstance(); + if (SanitizerCustomPolicy.class.isAssignableFrom(customPolicyClass)) { + Method meth = customPolicyClass.getMethod("getSanitizerPolicy"); + policy = (PolicyFactory) meth.invoke(obj); + } + } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException + | InvocationTargetException | NoSuchMethodException | SecurityException + | InstantiationException e) { + Debug.logError(e, "Could not find custom safe sanitizer policy. Using default instead." + + "Beware: the result is not rightly checked!", module); + } + + String filtered = policy.sanitize(value); + if (!value.equals(filtered)) { + String issueMsg = null; + if (locale.equals(new Locale("test"))) { + issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted " + + "for security reason. 
Please check and modify accordingly, thanks."; + } else { + issueMsg = UtilProperties.getMessage("SecurityUiLabels","PolicySafe", + UtilMisc.toMap("valueName", valueName), locale); + } + errorMessageList.add(issueMsg); + } + + return value; + } + + /** * A simple Map wrapper class that will do HTML encoding. * To be used for passing a Map to something that will expand Strings with it as a context, etc. */ Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java (original) +++ ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java Fri May 24 13:47:08 2019 @@ -24,6 +24,7 @@ import static org.junit.Assert.assertNul import java.util.ArrayList; import java.util.Arrays; import java.util.List; +import java.util.Locale; import org.junit.Test; @@ -40,7 +41,7 @@ public class UtilCodecTests { public void checkStringForHtmlStrictNoneDetectsXSS() { String xssVector = "<script>alert(\"XSS vector\");</script>"; List<String> errorList = new ArrayList<>(); - String canonicalizedXssVector = UtilCodec.checkStringForHtmlStrictNone("fieldName", xssVector, errorList); + String canonicalizedXssVector = UtilCodec.checkStringForHtmlStrictNone("fieldName", xssVector, errorList, new Locale("test")); assertEquals("<script>alert(\"XSS vector\");</script>", canonicalizedXssVector); assertEquals(1, errorList.size()); assertEquals("In field [fieldName] less-than (<) and greater-than (>) symbols are not allowed.", errorList.get(0)); 
@@ -70,6 +71,7 @@ public class UtilCodecTests { // jacopoc: temporarily commented because this test is failing after the upgrade of owasp-esapi (still investigating) //checkStringForHtmlStrictNone_test("double-ampersand", "f\";oo", "f%26quot%3boo"); checkStringForHtmlStrictNone_test("double-encoding", "%2%353Cscript", "%2%353Cscript", "In field [double-encoding] found character escaping (mixed or double) that is not allowed or other format consistency error: org.apache.ofbiz.base.util.UtilCodec$IntrusionException: Input validation failure"); + checkStringForHtmlStrictNone_test("js_event", "non_existent.foo\" onerror=\"alert('Hi!');", "non_existent.foo\" onerror=\"alert('Hi!');", "In field [js_event] Javascript events are not allowed."); } private static void encoderTest(String label, UtilCodec.SimpleEncoder encoder, String wanted, String toEncode) { 
@@ -78,8 +80,21 @@ public class UtilCodecTests { } private static void checkStringForHtmlStrictNone_test(String label, String fixed, String input, String... wantedMessages) { List<String> gottenMessages = new ArrayList<>(); - assertEquals(label, fixed, UtilCodec.checkStringForHtmlStrictNone(label, input, gottenMessages)); + assertEquals(label, fixed, UtilCodec.checkStringForHtmlStrictNone(label, input, gottenMessages, new Locale("test"))); assertEquals(label, Arrays.asList(wantedMessages), gottenMessages); } + + @Test + public void testCheckStringForHtmlSafe() { + String xssVector = "<script>alert('XSS vector');</script>"; + List<String> errorList = new ArrayList<>(); + String canonicalizedXssVector = UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList, new Locale("test")); + assertEquals("<script>alert('XSS vector');</script>", canonicalizedXssVector); + assertEquals(1, errorList.size()); + assertEquals("In field [fieldName] by our input policy, your input has not been accepted for security reason. " + + "Please check and modify accordingly, thanks.", errorList.get(0)); + } + + } Modified: ofbiz/ofbiz-framework/trunk/framework/common/config/SecurityUiLabels.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/common/config/SecurityUiLabels.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/common/config/SecurityUiLabels.xml (original) +++ ofbiz/ofbiz-framework/trunk/framework/common/config/SecurityUiLabels.xml Fri May 24 13:47:08 2019 
@@ -695,6 +695,22 @@ <value xml:lang="zh">åä¿æ¤çè§å¾</value> <value xml:lang="zh-TW">åä¿è·ç檢è¦</value> </property> + <property key="PolicyNoneMixedOrDouble"> + <value xml:lang="en">In field [${valueName}] found character escaping (mixed or double) that is not allowed or other format consistency error: </value> + <value xml:lang="fr">Le champ "${valueName}" contient un caractère d'échappement (mixte ou double) qui n'est pas autorisé ou une autre erreur de cohérence de format : </value> + </property> + <property key="PolicyNoneLess-thanGreater-than"> + <value xml:lang="en">In field [${valueName}] less-than (<) and greater-than (>) symbols are not allowed.</value> + <value xml:lang="fr">Dans le champ "${valueName}" les symboles inférieurs (<) et supérieurs (>) ne sont pas autorisés.</value> + </property> + <property key="PolicyNoneJsEvents"> + <value xml:lang="en">In field [${valueName}] Javascript events are not allowed.</value> + <value xml:lang="fr">Dans le champ "${valueName}" les événements Javascript ne sont pas autorisés.</value> + </property> + <property key="PolicySafe"> + <value xml:lang="en">In field [${valueName}] by our input policy, your input has not been accepted for security reason. Please check and modify accordingly, thanks.</value> + <value xml:lang="fr">Dans le champ "${valueName}", conformément à notre politique de saisie, votre saisie n'a pas été acceptée pour des raisons de sécurité. 
Veuillez vérifier et modifier en conséquence, merci.</value> + </property> <property key="ResetPassword"> <value xml:lang="en">Click Here To Reset Password</value> <value xml:lang="fr">Cliquez ici pour créer un nouveau mot de passe</value> Modified: ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services.xml (original) +++ ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services.xml Fri May 24 13:47:08 2019 @@ -63,7 +63,7 @@ under the License. <description>Create a new note record</description> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> <attribute name="noteName" type="String" mode="IN" optional="true"/> - <attribute name="note" type="String" mode="IN" allow-html="any"/> + <attribute name="note" type="String" mode="IN" allow-html="safe"/> <attribute name="noteId" type="String" mode="OUT"/> </service> @@ -71,7 +71,7 @@ under the License. <description>Update a note record</description> <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="noteInfo" allow-html="any"/> + <override name="noteInfo" allow-html="safe"/> </service> <service name="adjustDebugLevels" engine="java" 
@@ -100,7 +100,7 @@ under the License. <auto-attributes include="pk" mode="OUT" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <override name="enumTypeId" optional="false"/> - <override name="description" optional="false" allow-html="any"/> + <override name="description" optional="false" allow-html="safe"/> </service> <service name="updateEnumeration" default-entity-name="Enumeration" engine="entity-auto" invoke="update" auth="true"> <description>Update a Enumeration</description> @@ -108,7 +108,7 @@ under the License. <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <override name="enumTypeId" optional="false"/> - <override name="description" optional="false" allow-html="any"/> + <override name="description" optional="false" allow-html="safe"/> </service> <service name="deleteEnumeration" default-entity-name="Enumeration" engine="entity-auto" invoke="delete" auth="true"> <description>Delete a Enumeration</description> Modified: ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services_email.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services_email.xml?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services_email.xml (original) +++ ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services_email.xml Fri May 24 13:47:08 2019 
@@ -42,7 +42,7 @@ under the License. <attribute name="sendFailureNotification" mode="IN" type="Boolean" optional="true"/> <attribute name="sendPartial" mode="IN" type="Boolean" optional="true"/> <attribute name="startTLSEnabled" mode="IN" type="Boolean" optional="true"/> - <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="any"/> + <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="safe"/> <attribute name="contentType" type="String" mode="INOUT" optional="true"/> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> <attribute name="messageId" type="String" mode="INOUT" optional="true"/> @@ -52,12 +52,12 @@ under the License. <attribute name="custRequestId" type="String" mode="INOUT" optional="true"/> <attribute name="messageWrapper" type="org.apache.ofbiz.service.mail.MimeMessageWrapper" mode="OUT" optional="true"/><!-- mail can be disabled in general.properties so no output --> <!-- used for parsing and ECAs --> - <attribute name="communicationEventId" type="String" mode="INOUT" optional="true"/> + <attribute name="communicationEventId" type="String" mode="INOUT" optional="true"/> </service> <service name="sendMailOnePartInterface" engine="interface" location="" invoke=""> <description>Interface service for sendMail* services.</description> <implements service="sendMailInterface"/> - <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="any"/> + <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="any"/> <override name="contentType" mode="INOUT"/> <override name="subject" mode="INOUT" optional="false"/> <override name="emailType" type="String" mode="INOUT" optional="true"/> 
@@ -122,7 +122,7 @@ under the License. location="org.apache.ofbiz.common.email.EmailServices" invoke="sendMailFromScreen"> <description>Send E-Mail From Screen Widget Service</description> <implements service="sendMailFromScreenInterface"/> - <attribute name="hideInLog" type="Boolean" mode="IN" optional="true"/> + <attribute name="hideInLog" type="Boolean" mode="IN" optional="true"/> </service> <service name="sendMailHiddenInLogFromScreen" max-retry="3" engine="java" hideResultInLog="true" location="org.apache.ofbiz.common.email.EmailServices" invoke="sendMailHiddenInLogFromScreen"> @@ -147,7 +147,7 @@ under the License. <description>Send Template Based Notification Service</description> <implements service="sendMailInterface"/> <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="any"/> - <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="any"/> + <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="safe"/> <attribute name="templateName" type="String" mode="IN" optional="false"/> <attribute name="templateData" type="Map" mode="IN" optional="true"/> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> Modified: ofbiz/ofbiz-framework/trunk/framework/service/dtd/services.xsd URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/service/dtd/services.xsd?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/service/dtd/services.xsd (original) +++ ofbiz/ofbiz-framework/trunk/framework/service/dtd/services.xsd Fri May 24 13:47:08 2019 
@@ -291,16 +291,13 @@ under the License. <xs:attribute name="allow-html" use="optional" default="none"> <xs:annotation> <xs:documentation> - Applies only to String fields. - Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc). - Defaults to "none" meaning no HTML is allowed (will result in an error message). - If some HTML is desired then use "any". - There was previously "safe" but it's deprecated + See the documentation on the allow-html attribute of the "attribute" element. </xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:token"> <xs:enumeration value="any"/> + <xs:enumeration value="safe"/> <xs:enumeration value="none"/> </xs:restriction> </xs:simpleType> @@ -358,12 +355,14 @@ under the License. Applies only to String fields. Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc). Defaults to "none" meaning no HTML is allowed (will result in an error message). - If some HTML is desired then use "any". - There was previously "safe" but it's deprecated + If some HTML is desired then use "safe" which will follow the rules in the default custom safe policy file (CustomSafePolicy.java, see also owasp.properties). + This should be safe for both internal and public users. You may want to provide your own custom safe policy file to adapt to you needs. + In rare cases when users are trusted or it is not a sensitive field the "any" option may be used to not check the HTML content at all. </xs:documentation></xs:annotation> <xs:simpleType> <xs:restriction base="xs:token"> <xs:enumeration value="any"/> + <xs:enumeration value="safe"/> <xs:enumeration value="none"/> </xs:restriction> </xs:simpleType> 
@@ -411,16 +410,14 @@ under the License. <xs:attribute name="allow-html" use="optional"> <xs:annotation> <xs:documentation> - Applies only to String fields. - Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc). - There is no default, "none" means no HTML is allowed (will result in an error message). - If some HTML is desired then use "any". - There was previously "safe" but it's deprecated + See the documentation on the allow-html attribute of the "attribute" element. + Note that it is slightly different here as there is no default. </xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:token"> <xs:enumeration value="any"/> + <xs:enumeration value="safe"/> <xs:enumeration value="none"/> </xs:restriction> </xs:simpleType> Modified: ofbiz/ofbiz-framework/trunk/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java?rev=1859877&r1=1859876&r2=1859877&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java (original) +++ ofbiz/ofbiz-framework/trunk/framework/service/src/main/java/org/apache/ofbiz/service/ModelService.java Fri May 24 13:47:08 2019 
@@ -614,7 +614,11 @@ public class ModelService extends Abstra if (context.get(modelParam.name) != null && ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) && !"any".equals(modelParam.allowHtml) && (IN_OUT_PARAM.equals(modelParam.mode) || IN_PARAM.equals(modelParam.mode))) { String value = (String) context.get(modelParam.name); - UtilCodec.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); + if ("none".equals(modelParam.allowHtml)) { + UtilCodec.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList, (Locale) context.get("locale")); + } else if ("safe".equals(modelParam.allowHtml)) { + UtilCodec.checkStringForHtmlSafe(modelParam.name, value, errorMessageList, (Locale) context.get("locale")); + } } } if (errorMessageList.size() > 0) { |
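Review bot: in the sendMailOnePartInterface hunk of services_email.xml the body attribute keeps allow-html="any" while subject in the same file moves to "safe", and the removed and added lines are identical in the rendered diff, so the hunk itself changes only whitespace. The XSD text added in this same commit reserves "any" for rare cases where users are trusted or the field is not sensitive; a mail body that may be rendered as HTML should either get "safe" too or carry an XML comment saying why it has to stay unchecked. The identical communicationEventId lines look like trailing-whitespace churn; keeping that out of a security fix makes the intended changes easier to audit.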
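Review bot: the sendMailFromScreen hunk (hideInLog) shows no visible difference between the removed and added lines, so it is whitespace-only; drop it from this commit or land it separately so the diff of a security fix contains only the attribute changes.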
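Review bot: baseUrl is switched to allow-html="safe", but a base URL is not HTML and should never legitimately contain markup, so "none" (the strict check and the documented default) is the tighter setting; if "safe" was chosen because checkStringForHtmlStrictNone rejects characters that occur in valid URLs, an XML comment on the attribute should say so. In the same hunk the body attribute of the template-based notification service remains allow-html="any" in the context line, which deserves the same justification as the sendMailOnePartInterface body.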
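Review bot: typo in the new services.xsd documentation for the "attribute" element: "adapt to you needs" should read "adapt to your needs". The claim "This should be safe for both internal and public users" would be more useful to a deployer if the annotation stated what the default policy in CustomSafePolicy.java actually permits (which elements and attributes, how links are treated) and how owasp.properties is used to substitute a custom policy, since that is what has to be reviewed before "safe" is trusted on a public-facing field.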
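Review bot: the new if / else-if in ModelService fails open. The outer condition already excludes "any", so any allowHtml value that is neither "none" nor "safe" (a null if a ModelParam reaches this point without the default, or a misspelled value) now skips validation entirely, whereas the replaced line ran checkStringForHtmlStrictNone for every non-"any" value. Make the strict check the unconditional fallback so unexpected values stay fail-closed, for example
    } else {
        UtilCodec.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList, (Locale) context.get("locale"));
    }
with the "safe" branch first. Separately, (Locale) context.get("locale") can be null when a service is called without a locale; the UtilCodec methods (not visible in this hunk) must tolerate that rather than throw while building the error message.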