Author: jleroux
Date: Sat May 25 13:25:34 2019
New Revision: 1859968
URL:
http://svn.apache.org/viewvc?rev=1859968&view=revLog:
Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe"
(OFBIZ-5254)
The testCreateNewRequest was failing due to escaped single quotes in related
data in OrderTypeData.xml:
subject="OFBiz - Your Request is received: '${custRequestName}' #CR${custRequestId}"
This was a peculiar case that could be generalised to all escapable characters.
The general solution is to compare the original value with the filtered value
unescaped in UtilCodec::checkStringForHtmlSafe.
BTW, weirdly enough StringEscapeUtils::escapeHtml4 does not escape single quote.
Another weirdness is the test was passing with plugins data loaded. This is due
to duplicated demo data in scrumTypeData.xml (which is actually not only type
data, as ever the scrum component is a mess, that's not new and always wonder
if we should not get rid of it!)
Modified:
ofbiz/ofbiz-framework/trunk/build.gradle
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
Modified: ofbiz/ofbiz-framework/trunk/build.gradle
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?rev=1859968&r1=1859967&r2=1859968&view=diff==============================================================================
--- ofbiz/ofbiz-framework/trunk/build.gradle (original)
+++ ofbiz/ofbiz-framework/trunk/build.gradle Sat May 25 13:25:34 2019
@@ -168,9 +168,9 @@ dependencies {
implementation 'com.sun.syndication:com.springsource.com.sun.syndication:0.9.0'
implementation 'com.thoughtworks.xstream:xstream:1.4.11.1'
implementation 'commons-cli:commons-cli:1.4'
+ implementation 'commons-fileupload:commons-fileupload:1.4'
implementation 'commons-net:commons-net:3.6'
implementation 'commons-validator:commons-validator:1.6'
- implementation 'commons-fileupload:commons-fileupload:1.4'
implementation 'de.odysseus.juel:juel-impl:2.2.7'
implementation 'javax.el:javax.el-api:3.0.1-b06'
implementation 'javax.servlet:javax.servlet-api:4.0.1'
@@ -182,6 +182,7 @@ dependencies {
implementation 'org.apache.commons:commons-collections4:4.3'
implementation 'org.apache.commons:commons-csv:1.6'
implementation 'org.apache.commons:commons-dbcp2:2.6.0' // When changing for 2.6.1+ we can remove ManagedDataSource::close, see DBCP-539
+ implementation 'org.apache.commons:commons-text:1.6'
implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
implementation 'org.apache.httpcomponents:httpclient-cache:4.5.8'
Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java?rev=1859968&r1=1859967&r2=1859968&view=diff==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java Sat May 25 13:25:34 2019
@@ -34,6 +34,7 @@ import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
import org.apache.ofbiz.base.html.SanitizerCustomPolicy;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.HTMLEntityCodec;
@@ -480,7 +481,7 @@ public class UtilCodec {
}
String filtered = policy.sanitize(value);
- if (!value.equals(filtered)) {
+ if (!value.equals(StringEscapeUtils.unescapeHtml4(filtered))) {
String issueMsg = null;
if (locale.equals(new Locale("test"))) {
issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "
Locked
