svn commit: r1859971 - in /ofbiz/branches/release16.11: ./ build.gradle framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1859971 - in /ofbiz/branches/release16.11: ./ build.gradle framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java

jleroux@apache.org
Author: jleroux
Date: Sat May 25 13:34:49 2019
New Revision: 1859971

URL: http://svn.apache.org/viewvc?rev=1859971&view=rev
Log:
"Applied fix from trunk framework for revision: 1859968"
------------------------------------------------------------------------
r1859968 | jleroux | 2019-05-25 15:25:34 +0200 (sam. 25 mai 2019) | 16 lignes

Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe"
(OFBIZ-5254)

The testCreateNewRequest was failing due to escaped single quotes in related
data in OrderTypeData.xml:
subject="OFBiz - Your Request is received: '${custRequestName}' #CR${custRequestId}"

This was a peculiar case that could be generalised to all escapable characters.
The general solution is to compare the original value with the filtered value
unescaped in UtilCodec::checkStringForHtmlSafe.
BTW, weirdly enough StringEscapeUtils::escapeHtml4 does not escape single quote.

Another weirdness is the test was passing with plugins data loaded. This is due
to duplicated demo data in scrumTypeData.xml (which is actually not only type
data, as ever the scrum component is a mess, that's not new and always wonder
if we should not get rid of it!)
------------------------------------------------------------------------


Modified:
    ofbiz/branches/release16.11/   (props changed)
    ofbiz/branches/release16.11/build.gradle
    ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat May 25 13:34:49 2019
@@ -10,5 +10,5 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,
 1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,1856617,18566
 67,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,
 1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,1856617,18566
 67,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893,1859968
 /ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520

Modified: ofbiz/branches/release16.11/build.gradle
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/build.gradle?rev=1859971&r1=1859970&r2=1859971&view=diff
==============================================================================
--- ofbiz/branches/release16.11/build.gradle (original)
+++ ofbiz/branches/release16.11/build.gradle Sat May 25 13:34:49 2019
@@ -116,6 +116,7 @@ dependencies {
     compile 'org.apache.commons:commons-csv:1.1'
     compile 'org.apache.commons:commons-dbcp2:2.1'
     compile 'org.apache.commons:commons-lang3:3.9'
+    compile 'org.apache.commons:commons-text:1.6'
     compile 'org.apache.geronimo.components:geronimo-transaction:3.1.1'
     compile 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
     compile 'org.apache.httpcomponents:httpclient-cache:4.4.1'

Modified: ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java?rev=1859971&r1=1859970&r2=1859971&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java (original)
+++ ofbiz/branches/release16.11/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java Sat May 25 13:34:49 2019
@@ -34,6 +34,7 @@ import java.util.Map;
 import java.util.Set;
 
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.apache.ofbiz.base.html.SanitizerCustomPolicy;
 import org.owasp.esapi.codecs.Codec;
 import org.owasp.esapi.codecs.HTMLEntityCodec;
@@ -406,7 +407,7 @@ public class UtilCodec {
         }
 
         String filtered = policy.sanitize(value);
-        if (!value.equals(filtered)) {
+        if (!value.equals(StringEscapeUtils.unescapeHtml4(filtered))) {
             String issueMsg = null;
             if (locale.equals(new Locale("test"))) {
                 issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "