ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-7675) Investigate if we should turn Freemarker autoescaping on
Date Tue, 30 Jan 2018 14:42:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16345127#comment-16345127 ]

Jacques Le Roux commented on OFBIZ-7675:
----------------------------------------

After looking at OFBIZ-10187 today, it reminded me of this OWASP advice:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Bonus_Rule_.233:_Use_an_Auto-Escaping_Template_System


> Investigate if we should turn Freemarker autoescaping on
> --------------------------------------------------------
>
>                 Key: OFBIZ-7675
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7675
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Priority: Minor
>             Fix For: 17.12.01
>
>
> At OFBIZ-7041 [~fbr@14x.net] suggested that we turn Freemarker autoescaping on. Quoting him there:
> {quote}
> This new version of FreeMarker includes auto-escaping and output formats. The <#escape> directive has been deprecated. Notice the comment at the very end of this page:
> "FreeMarker automatically escapes all values printed ... if it's properly configured (that's the responsibility of the programmers; [see here how|http://freemarker.org/docs/pgui_config_outputformatsautoesc.html])."
> Would be good to turn autoescaping on, and set the configuration to match .ftl as HTML and .fo.ftl as XML.
> {quote}
> [~pfm.smits] asked
> {quote}
> If we are going down that path I guess we have to visit a lot of Freemarker template files, right?
> {quote}
> Here is my answer
> {quote}
> We don't use any <#escape> directives in all of OFBiz. We have a couple of <#noescape> which should be replaced by <#noautoesc>. So I agree we could set the Freemarker environment to auto-escaping, and test whether it has any unexpected side-effects.
> Could be that this will fix or complicate the issue I came across (at the bottom) of OFBIZ-7041 and more recently at OFBIZ-7343, let's see...
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
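The configuration the thread proposes (auto-escaping on, plain .ftl rendered as HTML, .fo.ftl rendered as XML, with <#noautoesc> as the explicit opt-out) can be tried in isolation before touching OFBiz. The following is an added example written for this page; it is not OFBiz code and not taken from the issue. It assumes the FreeMarker 2.3.24+ API (compiled here against VERSION_2_3_28), and the template names, the in-memory StringTemplateLoader and the sample model values are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.ConditionalTemplateConfigurationFactory;
import freemarker.cache.FileExtensionMatcher;
import freemarker.cache.FileNameGlobMatcher;
import freemarker.cache.FirstMatchTemplateConfigurationFactory;
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateConfiguration;
import freemarker.core.XMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class AutoEscapeDemo {

    /** Builds a Configuration that auto-escapes *.ftl as HTML and *.fo.ftl as XML. */
    static Configuration buildConfiguration() {
        // Hypothetical version choice; any 2.3.24+ incompatible-improvements value works.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);

        // Auto-escaping is applied whenever the template's output format is a markup
        // format (HTML, XML, ...) and the policy is "enable if default", which is the
        // default policy; set explicitly here so the intent is visible.
        cfg.setAutoEscapingPolicy(Configuration.ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY);

        TemplateConfiguration htmlTc = new TemplateConfiguration();
        htmlTc.setOutputFormat(HTMLOutputFormat.INSTANCE);

        TemplateConfiguration xmlTc = new TemplateConfiguration();
        xmlTc.setOutputFormat(XMLOutputFormat.INSTANCE);

        // Order matters: "report.fo.ftl" also has the extension "ftl", so the XML rule
        // must be listed first or the first-match factory would pick HTML for it.
        cfg.setTemplateConfigurations(new FirstMatchTemplateConfigurationFactory(
                new ConditionalTemplateConfigurationFactory(new FileNameGlobMatcher("*.fo.ftl"), xmlTc),
                new ConditionalTemplateConfigurationFactory(new FileExtensionMatcher("ftl"), htmlTc)
        ).allowNoMatch(true));

        // Constructed in-memory templates standing in for template files on disk.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("page.ftl",
                "<p>${userInput}</p>\n"
              // Explicit opt-out, the replacement for the deprecated <#noescape>:
              // only for markup the application itself produced and trusts.
              + "<#noautoesc>${trustedHtml}</#noautoesc>\n");
        loader.putTemplate("report.fo.ftl",
                "<fo:block>${userInput}</fo:block>\n");
        cfg.setTemplateLoader(loader);
        return cfg;
    }

    /** Renders one template by name with the given model and returns the output. */
    static String render(Configuration cfg, String name, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildConfiguration();

        Map<String, Object> model = new HashMap<>();
        // Constructed attacker-controlled value, the kind that leaks into a page unescaped
        // when a template forgets ?html.
        model.put("userInput", "<script>alert('x')</script>");
        model.put("trustedHtml", "<b>rendered as-is</b>");

        // HTML output format escapes < > & " and ' (the apostrophe becomes &#39;),
        // so the script tag is rendered as inert text; the <b> inside <#noautoesc> is kept.
        System.out.print(render(cfg, "page.ftl", model));

        // XML output format escapes the same characters but writes ' as &apos;,
        // which is what an XSL-FO processor expects.
        System.out.print(render(cfg, "report.fo.ftl", model));
    }
}
```

Two points worth checking when trying this against a real template set: a template that already applied `?html` by hand will now be escaped twice (once by the built-in, once by the output format), which is the kind of side-effect the thread wants to test for, and any remaining `<#noescape>` blocks fail to parse under the new configuration until they are replaced by `<#noautoesc>`.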
