[ https://issues.apache.org/jira/browse/OFBIZ-12653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17845819#comment-17845819 ]
Chenghu Shan commented on OFBIZ-12653:
--------------------------------------

Hi [~iwolf], I have a question regarding the changes made in this commit. The last commit contains an additional step that calls an HtmlSanitizer in UtilCodec::checkStringForHtmlSafe and sanitizes the value before using the "old" sanitizing method of the policy object. Would you please explain to me why this step was added?

Currently, this step stops my attempts to save certain strings to the database (e.g. by using the createNote service) when the string contains a mail address, because of the @. I'm currently unsure how to proceed because, as far as I understand this process, this additional step bypasses the use of a CustomSafePolicy class.

Best regards and thanks in advance
Cheng Hu Shan

> Sanitizer <br> fail
> -------------------
>
>                 Key: OFBIZ-12653
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12653
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01
>
>         Attachments: CustomSafePolicy.patch, OFBIZ-12653.patch, UtilCodec.patch
>
>
> I copied a text with multiple lines from a text editor into the Trumbowyg Html field. The editor creates the Html structure using unclosed <br> elements.
> Unfortunately the sanitizer logic just takes <br />. A security warning is thrown and the content will not be stored.
> I also raised a request on the Trumbowyg request list:
> [https://github.com/Alex-D/Trumbowyg/issues/1283]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
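The failure mode in the report and in the comment above has a common shape: the safety check runs the value through a sanitizer and treats any difference between input and output as an attack, so harmless normalisation (`<br>` rewritten as `<br />`, a character such as `@` written as an entity) is rejected together with real removals. The Python below is an added illustration written for this note; it is not OFBiz's UtilCodec code, not the OWASP sanitizer OFBiz uses, and not one of the attached patches. The toy allowlist, the decision to encode `@` in text (assumed here only to reproduce the e-mail-address symptom the comment describes), and the two check functions are all assumptions made for the illustration. It contrasts the byte-for-byte comparison with one that re-serialises the input under the same rules before comparing, so that only tags or attributes the policy actually strips cause a rejection.

```python
"""Sanitize-then-compare HTML checks: a byte-for-byte version that trips on
normalisation, and a canonical version that only trips on real removals.
Hypothetical illustration; not OFBiz or OWASP sanitizer code."""
import html
from html.parser import HTMLParser

# Toy allowlist, assumed for the illustration; OFBiz's policies differ.
ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "br"}
VOID_TAGS = {"br"}


def _escape_text(text: str) -> str:
    # Besides '<', '>' and '&', this toy encoder also writes '@' as an entity.
    # That is an assumption made to model the symptom from the comment.
    return html.escape(text, quote=False).replace("@", "&#64;")


class _Reserializer(HTMLParser):
    """Re-emits markup in one canonical form: lowercase tag names, attributes
    as name="value", void elements as '<br />', text entity-encoded.
    With filter_tags=True it also drops tags and attributes that are not on
    the allowlist (the toy sanitizer); with False it keeps everything."""

    def __init__(self, filter_tags: bool):
        super().__init__(convert_charrefs=True)
        self.filter_tags = filter_tags
        self.out = []

    def _emit_start(self, tag, attrs, self_closing):
        if self.filter_tags:
            if tag not in ALLOWED_TAGS:
                return
            attrs = []  # toy policy: no attributes survive at all
        rendered = "".join(
            f' {name}="{html.escape(value or "", quote=True)}"'
            for name, value in attrs)
        if tag in VOID_TAGS or self_closing:
            self.out.append(f"<{tag}{rendered} />")
        else:
            self.out.append(f"<{tag}{rendered}>")

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return  # a closing '</br>' carries no meaning; drop it in both modes
        if self.filter_tags and tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(_escape_text(data))

    def handle_comment(self, data):
        pass  # comments are never kept, in either mode


def _run(markup: str, filter_tags: bool) -> str:
    parser = _Reserializer(filter_tags)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def sanitize(markup: str) -> str:
    """Toy sanitizer: canonical form with disallowed tags/attributes removed."""
    return _run(markup, filter_tags=True)


def canonicalize(markup: str) -> str:
    """Same serialisation rules as sanitize(), but nothing is removed."""
    return _run(markup, filter_tags=False)


def strict_check(value: str) -> bool:
    """Accept only if the sanitizer changes nothing byte-for-byte.
    Rejects '<br>' (rewritten as '<br />') and 'a@b.com' (the '@' is encoded)
    even though neither contains anything the policy disallows."""
    return sanitize(value) == value


def canonical_check(value: str) -> bool:
    """Accept if the sanitizer's output equals the input re-serialised under
    the same rules, so only actual removals of tags or attributes count."""
    return sanitize(value) == canonicalize(value)


if __name__ == "__main__":
    # Constructed sample inputs: editor output with unclosed <br>, a note
    # with a mail address, and two values the policy should still refuse.
    for sample in ("line one<br>line two", "mail me at a@b.com",
                   "hi<script>alert(1)</script>", '<p onclick="x">hi</p>'):
        print(repr(sample), "strict:", strict_check(sample),
              "canonical:", canonical_check(sample))
```

The canonical check keeps the property the strict one was after (a value is accepted only when sanitizing it removes nothing) while no longer depending on the sanitizer reproducing the author's exact spelling of the markup. The important design constraint is that canonicalize() and sanitize() share one serialiser and one text encoder; if they diverge, the comparison starts rejecting or, worse, accepting on the basis of formatting again.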