[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318225#comment-14318225 ]

Jacopo Cappellato commented on OFBIZ-5953:
------------------------------------------

I have spent some time digging into the source code of HTMLEntityCodec (ESAPI) 
and specifically the method decodeCharacter is relevant here; see:
https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java

As you can see, and as described by the comment:
{quote}
 * Returns the decoded version of the character starting at index, or
 * null if no decoding is possible.
 *
 * Formats all are legal both with and without semi-colon, upper/lower case:
 *   &#dddd;
 *   &#xhhhh;
 *   &name;
{quote}
the codec recognizes the strings "&or" and "&or;" both as the HTML entity 
representation of the OR symbol.
I am not sure if this is right or wrong according to the specifications but it 
is definitely too strict for OFBiz because it causes problems like the one 
reported here.
My next step will be that of finding and studying the source file of the old 
version of ESAPI and see if the behavior changed since then; as I mentioned, 
removing the HTMLEntityCodec will fix this issue but I still have to figure out 
the implications of this change.


> Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
> ------------------------------------------------------------------
>
>                 Key: OFBIZ-5953
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5953
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Christian Carlow
>
> From Adrian on ML:
> When I navigate to 
> https://localhost:8443/accounting/control/paymentOverview?paymentId=8004 many 
> exceptions are thrown and the screen fails to render.  I tried changing 
> WidgetWorker.java line 74 to localRequestName = 
> UtilCodec.canonicalize(localRequestName, false, false); which fixed the 
> exceptions, but the generated link is wrong.  I don't know how to fix it.
> Errors related to this class are also thrown at 
> accounting/control/invoiceOverview.  Setting a breakpoint at line 167 of 
> UtilCodec.java shows that 2 HTMLEntityCodec.decode calls transform the URL 
> from
> EditAcctgTrans?acctgTransId=10070&organizationPartyId=10010 to
> EditAcctgTrans?acctgTransId=10070&organizationPartyId=10010 to
> EditAcctgTrans?acctgTransId=10070∨ganizationPartyId=10010.
> Not sure if the error is in class UtilCodec or HTMLEntityCodec.
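As an added illustration (my own code, not ESAPI's or OFBiz's), the two decoding policies side by side in Python: a semicolon-optional, longest-prefix decoder modelled on the ESAPI Javadoc quoted in the comment above, and a strict one that only decodes a complete `&name;` reference. Run on the link from the report it reproduces the `∨ganizationPartyId` mangling, while the strict decoder leaves the query string intact; Python's html.entities table stands in for ESAPI's entity map, which is an assumption.

```python
import re
from html.entities import name2codepoint

# Constructed sample (not copied from a log): the link quoted in the report.
SAMPLE_URL = "EditAcctgTrans?acctgTransId=10070&organizationPartyId=10010"

# '&' followed by a numeric or named reference; the semicolon is optional.
_REF = re.compile(r"&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*)(;?)")


def _numeric(body):
    """Decode '#dddd' or '#xhhhh' to the character it names."""
    return chr(int(body[2:], 16)) if body[1] in "xX" else chr(int(body[1:]))


def decode_lenient(text):
    """Semicolon-optional decoding with longest-prefix name matching, as the
    ESAPI comment quoted above describes: '&organizationPartyId' is read as
    the entity '&or' followed by the literal text 'ganizationPartyId'."""
    def repl(m):
        body, semi = m.group(1), m.group(2)
        if body.startswith("#"):
            return _numeric(body)
        # Try the name from longest to shortest prefix, as a trie lookup would.
        for n in range(len(body), 0, -1):
            if body[:n] in name2codepoint:
                rest = body[n:] + ("" if n == len(body) else semi)
                return chr(name2codepoint[body[:n]]) + rest
        return m.group(0)  # no known entity: leave the text untouched
    return _REF.sub(repl, text)


def decode_strict(text):
    """Decode only a complete, ';'-terminated reference; leave anything else."""
    def repl(m):
        body, semi = m.group(1), m.group(2)
        if not semi:
            return m.group(0)
        if body.startswith("#"):
            return _numeric(body)
        return chr(name2codepoint[body]) if body in name2codepoint else m.group(0)
    return _REF.sub(repl, text)


def canonicalize(text, decoder, passes=2):
    """Run the decoder twice, mirroring the two decode calls the reporter
    saw at the breakpoint, so double-encoded input is also unwrapped."""
    for _ in range(passes):
        text = decoder(text)
    return text
```

With the lenient decoder even a correctly `&amp;`-escaped link is mangled on the second pass, which is why two decode calls show up in the report.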



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
