I thought David had a good reason to do that. But I must say I did not take the
time to check what it was. So I preferred to be safe than sorry.
As long as services (chained or not) are working on data for webapps, "safe" is
not needed. Security is already handled at this level (encoded when rendered).
And I see a lot of services (among the 117 instances concerned...), only used
by the UI wich had "safe" and would have actually removed all HTML tags, where
I believe it's no needed (since the webapp will take care when rendering) and
could be even counter productive.
Using what you propose, current state would be changed, though not without
reverting my changes from "safe" to "any". Of course, putting the email
services apart. I already reported in the Jira issue: "any" is absolutely
needed there.
But, yes we can think about cases where using "safe" would be... er... safer.
For instance, external services calls, and maybe some internal cases. I did not
check which ones in the 117, and I believe not currently OOTB because those are
used for entity creation/update from/to the UI.
Using "safe" in those cases would remove any strings like '<script> alert("XSS
issue")</script>' but would keep only strings inside other HTML tags (not the
tags which is IMO an issue, but can be addressed otherwise)
If it's what we want (all HTML tags removed) then it can be easily done using
StringUtil.checkStringForHtmlSafeOnly() with the current defaultWebValidator
configuration.
And I agree, it would add a plus a the current situation... I hope it will not
open a can of worms David tried to close...
While at it, avoiding to remove all HTML tags would be even better, keeping
only the safe static ones (ie removing all '<script>...</script>' types). Maybe
it's a matter of configuring defaultWebValidator, I stopped there for now...
Jacques
Adrian Crum wrote:
> I don't see what the problem is.
>
> Service A, foo parameter includes "alert(...);", that code is stripped
> from foo parameter, then Service A invokes Service B with foo parameter,
> Service B has a cleaned version of foo.
>
> It's not that complicated.
>
> Adrian Crum
> Sandglass Software
> www.sandglass-software.com
>
> On 10/28/2013 5:48 AM, Jacques Le Roux wrote:
>> This was done by David and I believe he was right on this. See his comment at
>> http://svn.apache.org/viewvc?view=revision&revision=751990
>>
>> If we want to handle safe we would need to treat direct services calls and
>> services calling other services differently
>> It would get overcomplicated and anyway I don't think we need that.
>>
>> Jacques
>>
>> Adrian Crum wrote:
>>> Why don't we change it so allow-html="safe" does what it says - allow
>>> only "safe" HTML?
>>>
>>> Adrian Crum
>>> Sandglass Software
>>> www.sandglass-software.com
>>>
>>> On 10/28/2013 12:44 AM, Jacques Le Roux wrote:
>>>> Hi,
>>>>
>>>> I wonder if we should not backport in releases the changes I will do for
>>>> https://issues.apache.org/jira/browse/OFBIZ-5254?focusedCommentId=13806604
>>>>
>>>> Though it's not a real bug, the reason to ask is because it disturbed much
>>>> people, even seasoned ones
>>>> http://markmail.org/message/zisndi3zwfmdkn2u
>>>>
>>>> Opinions?
>>>>
>>>> Jacques
