[ 
https://issues.apache.org/jira/browse/OFBIZ-2645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12722656#action_12722656
 ] 

David E. Jones commented on OFBIZ-2645:
---------------------------------------

OFBiz already has functionality to encode output in addition to the 
functionality that filters input. In discussions about this security aspect of 
the project we decided that doing both would be best, especially since there 
are possibilities of holes for both filtering input and encoding output.

Please consider that we want the defaults to be as secure as possible and allow 
ways of doing things in a less restricted way when it is needed. If you find a 
field that needs to have HTML or special characters related to HTML then change 
the allow-html attribute to support that.

In general I would say no, it would not be a good idea to relax the default 
security.

Is there a specific place where you have run into this and would like to 
discuss a change for that, or are you mostly just looking at things generally?

If we do want to consider changing this general policy we should have a 
discussion on the mailing list and see what people think. If there is a general 
consensus then we will go with that, and if not we can always vote on it. The 
best way to start such a discussion would be to write up a proposal and send it 
to the mailing list.

> allow-html in service validation is too restrictive
> ---------------------------------------------------
>
>                 Key: OFBIZ-2645
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2645
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Harmeet Bedi
>             Fix For: SVN trunk
>
>         Attachments: allow-html.diff
>
>
> Service 'IN' parameters are validated. The default is allow-html='none'.
> This filters out all the HTML chars, e.g. one cannot set this text "Tom's age 
> is likely > Paul's age":
> '>' is not allowed.
> Renderers already escape HTML, so it may be best to keep validation at 
> allow-html='any'. If a service has a need to constrain, the service should specify 
> allow-html explicitly.
> Attaching patch. Please let me know if this does not make sense.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
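As an added illustration of the two layers discussed above, input filtering (the allow-html='none' default on service parameters) and output encoding in the renderer, here is a small Python model. It is example code written for this page, not OFBiz's own validation or rendering code; the metacharacter set, the function names, and the two renderers are assumptions. It runs the sentence from the issue and a constructed script payload through each combination of policy and renderer, showing both why the reporter finds 'none' too restrictive for ordinary text and why the comment still keeps the input filter as a second layer for the case where a renderer forgets to encode.

```python
import html
import re

# Assumption: the HTML metacharacters an allow-html='none' policy rejects.
# The issue only states that '>' is rejected; this set is this example's own.
HTML_METACHARS = re.compile(r"[<>&\"']")

# Sample inputs. ISSUE_TEXT is the sentence quoted in the issue; PAYLOAD is a
# constructed injection attempt, not something from the page.
ISSUE_TEXT = "Tom's age is likely > Paul's age"
PAYLOAD = "<script>alert(1)</script>"


class ValidationError(ValueError):
    """Raised when a service IN parameter fails the allow-html check."""


def validate_param(value: str, allow_html: str = "none") -> str:
    """Layer 1: input validation modelled on the allow-html attribute.

    'none' rejects any value containing an HTML metacharacter (the default
    the issue complains about); 'any' passes the value through unchanged
    (the reporter's proposed default). Other policy names are out of scope.
    """
    if allow_html == "none":
        if HTML_METACHARS.search(value):
            raise ValidationError(f"HTML characters not allowed: {value!r}")
        return value
    if allow_html == "any":
        return value
    raise ValueError(f"unknown allow-html policy {allow_html!r}")


def render_escaped(value: str) -> str:
    """Layer 2: a renderer that HTML-encodes before writing to the page."""
    return html.escape(value, quote=True)


def render_raw(value: str) -> str:
    """A renderer that forgot to encode: the kind of hole the comment says
    makes relying on output encoding alone risky."""
    return value


def store_and_render(value: str, allow_html: str, renderer) -> tuple:
    """Push a value through validation and then rendering.

    Returns ('rejected', None) if the input filter stopped it, otherwise
    ('rendered', markup) with whatever the renderer produced.
    """
    try:
        stored = validate_param(value, allow_html)
    except ValidationError:
        return ("rejected", None)
    return ("rendered", renderer(stored))


def defense_in_depth_matrix(value: str) -> dict:
    """Every policy/renderer combination for one value, keyed by
    (allow_html, renderer_name), so the layers can be compared side by side."""
    results = {}
    for policy in ("none", "any"):
        for name, renderer in (("escaped", render_escaped), ("raw", render_raw)):
            results[(policy, name)] = store_and_render(value, policy, renderer)
    return results


if __name__ == "__main__":
    for sample in (ISSUE_TEXT, PAYLOAD):
        print(f"input: {sample!r}")
        for key, outcome in defense_in_depth_matrix(sample).items():
            print(f"  allow-html={key[0]:<4} renderer={key[1]:<7} -> {outcome}")
```

Reading the matrix: with allow-html='none' the harmless sentence is rejected at the service boundary, which is the reporter's complaint; with 'any' plus an encoding renderer it is displayed safely, which is the reporter's argument. The payload row shows the other side: under 'any' a single renderer that skips encoding emits the script tag unchanged, while 'none' stops it before it is ever stored, which is the second layer the comment does not want to give up by default.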
