[ 
https://issues.apache.org/jira/browse/OFBIZ-12653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17845819#comment-17845819
 ] 

Chenghu Shan commented on OFBIZ-12653:
--------------------------------------

Hi [~iwolf] ,

I have a question regarding the changes made in this commit. 

The last commit contains an additional step: calling an HtmlSanitizer in 
UtilCodec::checkStringForHtmlSafe and sanitizing the value before using the 
"old" sanitizing method of the policy object. Would you please explain to me 
why this step was added?

Currently, this step stops my attempts to save certain strings to the 
database (e.g. by using the createNote service) when the string contains a 
mail address, because of the @. I'm currently unsure how to proceed because, 
as far as I understand this process, this additional step bypasses the use of 
a CustomSafePolicy class.

Best regards and thanks in advance

Cheng Hu Shan

> Sanitizer <br> fail
> -------------------
>
>                 Key: OFBIZ-12653
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12653
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01
>
>         Attachments: CustomSafePolicy.patch, OFBIZ-12653.patch, 
> UtilCodec.patch
>
>
> I copied a text with multiple lines from a text editor into the Trumbowyg 
> HTML field. The editor creates the HTML structure using unclosed <br> elements.
> Unfortunately the sanitizer logic only accepts <br />. A security warning is 
> thrown and the content will not be stored.
> I also filed a request on the Trumbowyg request list:
> [https://github.com/Alex-D/Trumbowyg/issues/1283]
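The two failures discussed in this thread (an unclosed <br> and a string containing @) share one root cause: a check that treats the sanitizer's output as "safe" only if it equals the raw input byte for byte, when the sanitizer's renderer re-serializes the markup (void elements come back as <br />, and certain characters are entity-encoded) even when the policy removed nothing. The following is an added example, not OFBiz's UtilCodec code and not the patch attached to this issue. It assumes the OWASP Java HTML Sanitizer (org.owasp.html) on the classpath, which is the library whose policy objects the comment refers to, and uses a hypothetical minimal policy in place of OFBiz's configured one. It contrasts the naive equality check with an HtmlChangeListener that reports what the policy actually discarded:

```java
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.util.ArrayList;
import java.util.List;

public class HtmlSafeCheck {

    // Hypothetical minimal policy standing in for the project's configured one.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i")
            .toFactory();

    /**
     * Naive check: "safe" only if the sanitizer hands the input back unchanged.
     * Fails on harmless input because the renderer re-serializes markup
     * ("<br>" becomes "<br />") and entity-encodes some characters in text.
     */
    static boolean naiveIsSafe(String value) {
        return POLICY.sanitize(value).equals(value);
    }

    /** Records every tag and attribute the policy dropped, instead of diffing strings. */
    static final class Removed implements HtmlChangeListener<List<String>> {
        @Override
        public void discardedTag(List<String> ctx, String elementName) {
            ctx.add("tag:" + elementName);
        }

        @Override
        public void discardedAttributes(List<String> ctx, String tagName,
                                        String... attributeNames) {
            for (String attr : attributeNames) {
                ctx.add("attr:" + tagName + ":" + attr);
            }
        }
    }

    /** Returns what the policy discarded; an empty list means nothing disallowed was found. */
    static List<String> findDisallowed(String value) {
        List<String> removed = new ArrayList<>();
        POLICY.sanitize(value, new Removed(), removed);
        return removed;
    }

    public static void main(String[] args) {
        // Constructed samples: the two cases from this thread plus two real violations.
        String[] samples = {
            "first line<br>second line",           // unclosed <br>, as the editor emits it
            "contact: someone@example.com",        // plain text containing '@'
            "<b>hi</b><script>alert(1)</script>",  // disallowed element
            "<p onclick=\"x()\">text</p>",         // disallowed attribute
        };
        for (String s : samples) {
            List<String> removed = findDisallowed(s);
            System.out.println("input    : " + s);
            System.out.println("sanitized: " + POLICY.sanitize(s));
            System.out.println("naive    : " + (naiveIsSafe(s) ? "accepted" : "REJECTED"));
            System.out.println("listener : " + (removed.isEmpty() ? "accepted"
                                                                  : "REJECTED " + removed));
            System.out.println();
        }
    }
}
```

Run with the sanitizer jar on the classpath. The first two samples are rejected by naiveIsSafe but accepted by the listener-based check, because the policy discarded nothing and only the serialization differs; the last two are rejected by both, with the listener naming the script tag and the onclick attribute. The listener only reports policy decisions (dropped tags and attributes), not text re-encoding, which is exactly the distinction the byte comparison cannot make. Whether to store the caller's original string or the sanitized one after the check passes is a separate decision: storing the sanitized form avoids re-running the comparison on the way out.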



--
This message was sent by Atlassian Jira
(v8.20.10#820010)