[ https://issues.apache.org/jira/browse/OFBIZ-12653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557012#comment-17557012 ]

Jacques Le Roux commented on OFBIZ-12653:
-----------------------------------------

We have a harder problem, which I found by chance, with the single quote. The safe HTML 
version of the single quote is {code}'{code}, so sanitization changes (') for it.

When I enter*:
{noformat}
Sub-content 1: ${thisContent.subcontent.sub1}
Sub-content 2: ${thisContent.subcontent.sub2}
'
{noformat}
and look at it in the HTML panel, it's not changed. I can swap panels; it's 
still OK. In the HTML panel it's:
{code}
<div>Sub-content 1: ${thisContent.subcontent.sub1}</div> <div>Sub-content 2: ${thisContent.subcontent.sub2}</div><div>'</div>
{code}
But it's not accepted/stored because of the sanitization.

* That's a slight change to "CMS Site Demo Page 1" made at 
https://localhost:8443/content/control/WebSiteCms?webSiteId=CmsSite using the demo 
data in CmsSiteDemoData.xml

We can bypass that again using
{code:java}
// Canonicalize the two spellings the sanitizer rewrites: <br> -> <br /> and ' -> &#39;
value = value.replaceAll("<br>", "<br />");
value = value.replaceAll("'", "&#39;");
String filtered = policy.sanitize(value);
// Undo the sanitizer's escaping so the result can be compared with the input
String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
String unescapeEcmaScript = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
// Re-encode the single quote the same way the input was, then compare
String unescapeEcmaScriptAndHtml4 = unescapeEcmaScript.replaceAll("'", "&#39;");
if (filtered != null && !value.equals(unescapeEcmaScriptAndHtml4)) {
{code}
But, unlike for <br>, we need a way to store the single-quote-safe value. I'm 
working on that...

I attach the temporary patch [^OFBIZ-12653.patch]
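The comparison above rejects input whenever the sanitizer's serializer spells something differently (<br> vs <br />, ' vs &#39;), even though no content was removed. Added example, not OFBiz code: compare input and sanitizer output in a canonical form, so only real changes (a dropped tag) fail the check. The class name, the entity table and the sample pairs are assumptions constructed for the example; the sanitizer itself is not modelled.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not OFBiz code): canonical comparison of sanitizer input and
// output, so serializer differences are not mistaken for removed content.
public final class CanonicalCompare {
    // Entities a sanitizer's serializer typically emits for plain text (assumed set).
    private static final Map<String, String> ENTITIES = Map.of(
            "&#39;", "'", "&#x27;", "'", "&apos;", "'",
            "&quot;", "\"", "&lt;", "<", "&gt;", ">", "&amp;", "&");
    private static final Pattern BR = Pattern.compile("<br\\s*/?>", Pattern.CASE_INSENSITIVE);
    private static final Pattern ENTITY = Pattern.compile("&#?[0-9A-Za-z]+;");

    // Canonical form: one spelling of <br>, known entities decoded in a single pass
    // (so "&amp;#39;" becomes "&#39;" and is not decoded a second time).
    static String canonical(String html) {
        String s = BR.matcher(html).replaceAll("<br />");
        Matcher m = ENTITY.matcher(s);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String decoded = ENTITIES.getOrDefault(m.group(), m.group());
            m.appendReplacement(out, Matcher.quoteReplacement(decoded));
        }
        m.appendTail(out);
        return out.toString();
    }

    // True when the sanitizer only re-serialized the input; false when it dropped
    // or altered content, which is the case the store check must still reject.
    static boolean unchangedAfterSanitizing(String input, String sanitized) {
        return canonical(input).equals(canonical(sanitized));
    }

    public static void main(String[] args) {
        // Constructed pairs modelled on the cases discussed in the comment above.
        System.out.println(unchangedAfterSanitizing("line 1<br>line 2", "line 1<br />line 2"));
        System.out.println(unchangedAfterSanitizing("<div>'</div>", "<div>&#39;</div>"));
        System.out.println(unchangedAfterSanitizing("<div>x</div><script>1</script>", "<div>x</div>"));
    }
}
```

The first two pairs compare equal after canonicalization, the third does not, because the removed element survives in the canonical form of the input.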

> Sanitizer <br> fail
> -------------------
>
>                 Key: OFBIZ-12653
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12653
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-12653.patch
>
>
> I copied a text with multiple lines from a text editor into the Trumbowyg 
> Html field. The editor creates the Html structure using unclosed <br> elements.
> Unfortunately the sanitizer logic just takes <br />. A security warning is 
> thrown and the content will not be stored.
> Issued also a request on the Trumbowyg request list:
> [https://github.com/Alex-D/Trumbowyg/issues/1283]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)