[ https://issues.apache.org/jira/browse/OFBIZ-2645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12722656#action_12722656 ]
David E. Jones commented on OFBIZ-2645:
---------------------------------------

OFBiz already has functionality to encode output in addition to the functionality that filters input. In discussions about this security aspect of the project we decided that doing both would be best, especially since there are possibilities of holes for both filtering input and encoding output.

Please consider that we want the defaults to be as secure as possible and allow ways of doing things in a less restricted way when it is needed. If you find a field that needs to have HTML or special characters related to HTML then change the allow-html attribute to support that.

In general I would say no, it would not be a good idea to relax the default security. Is there a specific place where you have run into this and would like to discuss a change for that, or are you mostly just looking at things generally?

If we do want to consider changing this general policy we should have a discussion on the mailing list and see what people think. If there is a general consensus then we will go with that, and if not we can always vote on it. The best way to start such a discussion would be to write up a proposal and send it to the mailing list.

> allow-html in service validation is too restrictive
> ---------------------------------------------------
>
>                 Key: OFBIZ-2645
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2645
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Harmeet Bedi
>             Fix For: SVN trunk
>
>         Attachments: allow-html.diff
>
>
> Service 'IN' parameters are validated. Default is allow-html='none'
> This filters out all the html chars. e.g. one cannot set this text "Tom's age
> is likely > Paul's age"
> '>' is not allowed
> Renderers already escape html, so it may be best to keep validation
> allow-html='any'. If service has a need to constrain, service should specify
> allow-html explicitly.
> Attaching patch.
> Please let me know if this does not make sense.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
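The two layers the comment describes, input filtering governed by a per-parameter allow-html policy and output encoding applied by the renderer, are sketched below as an added illustration for this thread. It is not OFBiz code and does not use the OFBiz API; the function names, the rule that allow-html='none' rejects any value containing an angle bracket, and the sample inputs are all assumptions made for the example. It shows the page's own "Tom's age is likely > Paul's age" being refused under the default, accepted under 'any', and encoded correctly by a renderer that escapes; it also models the case the comment is guarding against, a renderer that forgets to encode, which the strict default still catches and 'any' does not.

```python
"""Input filtering vs. output encoding, side by side.

Illustrative example written for this discussion; not OFBiz code and not the
OFBiz API.  It mimics a per-parameter 'allow-html' policy on service IN
parameters and an encoder applied by the renderer on the way out.
"""
import html
import re

# Assumption for this example: allow-html='none' rejects any value containing
# angle brackets (the issue shows '>' being rejected); 'any' accepts everything.
HTML_MARKUP = re.compile(r"[<>]")


class ServiceValidationError(ValueError):
    """Raised when an IN parameter fails its allow-html policy."""


def validate_in_parameter(name: str, value: str, allow_html: str = "none") -> str:
    """Apply the parameter's allow-html policy and return the accepted value.

    allow_html='none' is the secure default: reject markup-looking input.
    allow_html='any' opts a single field out of the filter.
    """
    if allow_html == "any":
        return value
    if allow_html == "none":
        if HTML_MARKUP.search(value):
            raise ServiceValidationError(
                f"parameter {name!r} contains HTML characters and allow-html is 'none'")
        return value
    raise ValueError(f"unknown allow-html value {allow_html!r}")


def encode_for_html(value: str) -> str:
    """Output encoding: what a correct renderer does to every interpolated value."""
    return html.escape(value, quote=True)


def call_service_and_render(value: str, allow_html: str, renderer_escapes: bool = True) -> str:
    """Run a value through both layers and return what would reach the browser.

    renderer_escapes=False models the hole the comment warns about: a template
    that forgets to encode.  With the strict default that mistake is still
    caught at the service boundary; with allow-html='any' it is not.
    """
    accepted = validate_in_parameter("description", value, allow_html)
    return encode_for_html(accepted) if renderer_escapes else accepted


def is_rejected(value: str, allow_html: str = "none") -> bool:
    """True if the input layer refuses the value under the given policy."""
    try:
        validate_in_parameter("description", value, allow_html)
    except ServiceValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    benign = "Tom's age is likely > Paul's age"   # the issue's own example
    markup = "<b>markup</b>"                      # what the default keeps out

    print("default policy rejects the benign '>':", is_rejected(benign, "none"))
    print("allow-html='any' with an escaping renderer:",
          call_service_and_render(benign, "any"))
    print("allow-html='any' with a renderer that forgot to escape:",
          call_service_and_render(markup, "any", renderer_escapes=False))
    print("allow-html='none' stops the same markup at the service boundary:",
          is_rejected(markup, "none"))
```

The benign sentence is the cost of the strict default: it needs a field-level allow-html='any' to get through. The last two prints are why the comment keeps that default: with 'any' the only thing between the stored markup and the browser is the renderer, and the service-level filter is what still holds when one template fails to encode.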