ofbiz-notifications mailing list archives

From "Pradeep Choudhary (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (OFBIZ-11265) Getting policy error while editing html text data using cms
Date Fri, 01 Nov 2019 04:31:00 GMT

[ https://issues.apache.org/jira/browse/OFBIZ-11265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16963696#comment-16963696 ]

Pradeep Choudhary edited comment on OFBIZ-11265 at 11/1/19 4:30 AM:
--------------------------------------------------------------------

As checked, data sanitization takes place in service validation in the following steps:
 # If the service parameter contains allow-html="safe", it calls the *UtilCodec.checkStringForHtmlSafe* method for data sanitization.
 # It doesn't check the OWASP sanitizer configuration, i.e. whether the sanitizer is enabled or disabled.
 # It performs policy checks and sanitization without entertaining the configuration flag.

IMO, the UtilCodec.checkStringForHtmlSafe method should have proper checks to validate the sanitizer configuration, which will perform the further operation only if the user enables the flag.

WDYT?

 


was (Author: pradeep.choudhary1994):
As checked, data sanitization takes place during the service validation in the following steps:
 # If the service parameter contains allow-html="safe", it calls the *UtilCodec.checkStringForHtmlSafe* method for data sanitization.
 # It doesn't check the OWASP sanitizer configuration, i.e. whether the sanitizer is enabled or disabled.
 # It performs policy checks and sanitization without entertaining the configuration flag.

IMO, the UtilCodec.checkStringForHtmlSafe method should have proper checks to validate the sanitizer configuration, which will perform the further operation only if the user enables the flag.

WDYT?

 

> Getting policy error while editing html text data using cms
> -----------------------------------------------------------
>
>                 Key: OFBIZ-11265
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11265
>             Project: OFBiz
>          Issue Type: Improvement
>            Reporter: Pradeep Choudhary
>            Priority: Major
>             Fix For: 17.12.01
>
>
> A service parameter with allow-html="safe" does not check the OWASP sanitizer flag, i.e. whether it is enabled or not, and performs sanitization, which causes a policy error while editing text data.
> Getting the following exception error:
> "In field [textData] by our input policy, your input has not been accepted for security reason. Please check and modify accordingly, thanks."



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
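The gating the comment proposes, shown as an added example that is not OFBiz code and not the author's patch: the version that applies the policy unconditionally (the behaviour the issue reports) sits beside a version that consults the sanitizer flag first. The property key `sanitizer.enable`, the file contents fed to `loadConfig`, and the allow-list used as a stand-in for the real OWASP policy are all assumptions constructed for this illustration; the only text taken from the page is the error message quoted in the issue.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration, not OFBiz code: a service parameter marked
 * allow-html="safe" should only be run through the OWASP policy when the
 * sanitizer configuration flag says the sanitizer is enabled.
 */
public class HtmlSafeCheckExample {

    // Constructed stand-in for the sanitizer configuration. The key name
    // "sanitizer.enable" is an assumption, not a confirmed OFBiz property.
    static Properties loadConfig(String propertiesText) {
        Properties props = new Properties();
        try {
            props.load(new StringReader(propertiesText));
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
        return props;
    }

    // Constructed stand-in for the OWASP policy: only these tags are accepted.
    // The real project delegates to the OWASP HTML sanitizer; this toy
    // allow-list exists so the example runs without that dependency.
    private static final Pattern TAG = Pattern.compile("</?([a-zA-Z0-9]+)[^>]*>");
    private static final List<String> ALLOWED_TAGS = List.of("b", "i", "p", "br");

    static boolean violatesPolicy(String html) {
        Matcher m = TAG.matcher(html);
        while (m.find()) {
            if (!ALLOWED_TAGS.contains(m.group(1).toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    // The error text is the one quoted in the issue description.
    static String policyError(String fieldName) {
        return "In field [" + fieldName + "] by our input policy, your input has not been "
             + "accepted for security reason. Please check and modify accordingly, thanks.";
    }

    // Behaviour the comment describes: the policy runs regardless of the flag.
    static String checkStringForHtmlSafeUnconditional(String fieldName, String value,
                                                      List<String> errors) {
        if (violatesPolicy(value)) {
            errors.add(policyError(fieldName));
        }
        return value;
    }

    // Behaviour the comment proposes: consult the flag first, run the policy
    // only when the sanitizer is enabled.
    static String checkStringForHtmlSafeGated(Properties config, String fieldName,
                                              String value, List<String> errors) {
        boolean enabled = Boolean.parseBoolean(config.getProperty("sanitizer.enable", "false"));
        if (!enabled) {
            return value; // sanitizer switched off: field is accepted as-is, no policy error
        }
        if (violatesPolicy(value)) {
            errors.add(policyError(fieldName));
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample: a CMS text field containing a tag the policy rejects.
        String textData = "<p>Hello</p><iframe src=\"x\"></iframe>";
        Properties disabled = loadConfig("sanitizer.enable=false\n");
        Properties enabled = loadConfig("sanitizer.enable=true\n");

        List<String> unconditionalErrors = new ArrayList<>();
        checkStringForHtmlSafeUnconditional("textData", textData, unconditionalErrors);
        System.out.println("unconditional, flag=false -> errors: " + unconditionalErrors);

        List<String> gatedOffErrors = new ArrayList<>();
        checkStringForHtmlSafeGated(disabled, "textData", textData, gatedOffErrors);
        System.out.println("gated, flag=false -> errors: " + gatedOffErrors);

        List<String> gatedOnErrors = new ArrayList<>();
        checkStringForHtmlSafeGated(enabled, "textData", textData, gatedOnErrors);
        System.out.println("gated, flag=true -> errors: " + gatedOnErrors);
    }
}
```

Running `main` shows the three cases side by side: the unconditional check reports the policy error even though the flag is off, the gated check with the flag off accepts the field untouched, and the gated check with the flag on reports the same error as before. The consequence of the gating is that the configuration flag alone decides whether stored HTML is checked at all, so whoever disables the sanitizer is accepting unchecked markup in every allow-html="safe" field.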
