Author: jleroux
Date: Tue Dec 15 09:30:30 2015
New Revision: 1720100
URL: http://svn.apache.org/viewvc?rev=1720100&view=rev
Log:
A patch from Supachai Chaima-ngua for <<The renderContentAsText method should configure
text sanitizer by "sanitizer.permissive.policy" in owasp.properties.>> https://issues.apache.org/jira/browse/OFBIZ-6769
An error is displayed on Accounting reports for Cash transactions: the renderContentAsText
method should configure the text sanitizer by "sanitizer.permissive.policy" in owasp.properties.
If electronic text contains javascript, the renderContentAsText method will remove some content.
jleroux: of course you would allow script in your permissive policy at your own risk...
Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java
Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1720100&r1=1720099&r2=1720100&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java (original)
+++ ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentWorker.java Tue
Dec 15 09:30:30 2015
@@ -39,6 +39,7 @@ import org.ofbiz.base.util.UtilCodec;
import org.ofbiz.base.util.UtilDateTime;
import org.ofbiz.base.util.UtilGenerics;
import org.ofbiz.base.util.UtilMisc;
+import org.ofbiz.base.util.UtilProperties;
import org.ofbiz.base.util.UtilValidate;
import org.ofbiz.base.util.string.FlexibleStringExpander;
import org.ofbiz.content.ContentManagementWorker;
@@ -337,7 +338,7 @@ public class ContentWorker implements or
renderContentAsText(dispatcher, delegator, contentId, writer, templateContext, locale,
mimeTypeId, null, null, cache);
String rendered = writer.toString();
// According to https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
- // Normally head should be protected by X-XSS-Protection Response Header by default
+ // Normally head should be protected by X-XSS-Protection Response Header by default
(not Firefox)
if ((rendered.contains("<script>")
|| rendered.contains("<!--")
|| rendered.contains("<div")
@@ -346,7 +347,8 @@ public class ContentWorker implements or
|| rendered.contains("<input")
|| rendered.contains("<input")
|| rendered.contains("<iframe")
- || rendered.contains("<a"))) {
+ || rendered.contains("<a"))
+ && !UtilProperties.getPropertyAsBoolean("owasp", "sanitizer.permissive.policy",
false)) {
rendered = encoder.sanitize(rendered);
}
return rendered;
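Review bot: The new `&& !UtilProperties.getPropertyAsBoolean("owasp", "sanitizer.permissive.policy", false)` clause skips `encoder.sanitize(rendered)` altogether when the flag is true, so on this path the property acts as an off switch for HTML sanitizing rather than the policy selection its name suggests. If `encoder.sanitize` already consults the same property to pick a more permissive policy (its implementation is not visible here), the added check is redundant at best and at worst turns "permissive policy" into "no policy" for content that matched the markup tests above; dropping the new clause and letting the encoder apply the permissive policy would keep the output sanitized in both configurations. If the bypass is intended, say so at the call site, e.g. `// sanitizer.permissive.policy=true returns the rendered markup unsanitized, including any script in electronic text`, so the next maintainer does not read it as a policy selector. The property is also re-read on every render; holding it in a `private static final boolean` or a field would avoid a properties lookup per call. renderContentAsText's body begins outside the hunk.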