Author: jleroux
Date: Sat May 25 13:34:49 2019 New Revision: 1859971 URL: http://svn.apache.org/viewvc?rev=1859971&view=rev Log: "Applied fix from trunk framework for revision: 1859968" ------------------------------------------------------------------------ r1859968 | jleroux | 2019-05-25 15:25:34 +0200 (sam. 25 mai 2019) | 16 lignes Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe" (OFBIZ-5254) The testCreateNewRequest was failing due to escaped single quotes in related data in OrderTypeData.xml: subject="OFBiz - Your Request is received: '${custRequestName}' #CR${custRequestId}" This was a peculiar case that could be generalised to all escapable characters. The general solution is to compare the original value with the filtered value unescaped in UtilCodec::checkStringForHtmlSafe. BTW, weirdly enough StringEscapeUtils::escapeHtml4 does not escape single quote. Another weirdness is the test was passing with plugins data loaded. This is due to duplicated demo data in scrumTypeData.xml (which is actually not only type data, as ever the scrum component is a mess, that's not new and always wonder if we should not get rid of it!) ------------------------------------------------------------------------ Modified: ofbiz/branches/release16.11/ (props changed) ofbiz/branches/release16.11/build.gradle ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java Propchange: ofbiz/branches/release16.11/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Sat May 25 13:34:49 2019 @@ -10,5 +10,5 @@ /ofbiz/branches/json-integration-refactoring:1634077-1635900 /ofbiz/branches/multitenant20100310:921280-927264 /ofbiz/branches/release13.07:1547657 -/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273, 1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,1856617,18566 67,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893 +/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273, 1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,1856617,18566 67,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893,1859968 /ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520 Modified: ofbiz/branches/release16.11/build.gradle URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/build.gradle?rev=1859971&r1=1859970&r2=1859971&view=diff ============================================================================== --- ofbiz/branches/release16.11/build.gradle (original) +++ ofbiz/branches/release16.11/build.gradle Sat May 25 13:34:49 2019 @@ -116,6 +116,7 @@ dependencies { compile 'org.apache.commons:commons-csv:1.1' compile 'org.apache.commons:commons-dbcp2:2.1' compile 'org.apache.commons:commons-lang3:3.9' + compile 'org.apache.commons:commons-text:1.6' compile 'org.apache.geronimo.components:geronimo-transaction:3.1.1' compile 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1' compile 'org.apache.httpcomponents:httpclient-cache:4.4.1' Modified: ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java?rev=1859971&r1=1859970&r2=1859971&view=diff ============================================================================== --- ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java (original) +++ ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java Sat May 25 13:34:49 2019 @@ -34,6 +34,7 @@ import java.util.Map; import java.util.Set; import org.apache.commons.lang3.StringUtils; +import org.apache.commons.text.StringEscapeUtils; import org.apache.ofbiz.base.html.SanitizerCustomPolicy; import org.owasp.esapi.codecs.Codec; import org.owasp.esapi.codecs.HTMLEntityCodec; @@ -406,7 +407,7 @@ public class UtilCodec { } String filtered = policy.sanitize(value); - if (!value.equals(filtered)) { + if (!value.equals(StringEscapeUtils.unescapeHtml4(filtered))) { String issueMsg = null; if (locale.equals(new Locale("test"))) { issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted " |
Free forum by Nabble | Edit this page |