[ https://issues.apache.org/jira/browse/OFBIZ-12653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557012#comment-17557012 ]

Jacques Le Roux commented on OFBIZ-12653:
-----------------------------------------

We have a harder problem, which I found by chance, with the single quote. The safe HTML version of the single quote is {code}&#39;{code}, so sanitization changes (') into it. When I enter*:
{noformat}
Sub-content 1: ${thisContent.subcontent.sub1}
Sub-content 2: ${thisContent.subcontent.sub2}
'
{noformat}
and look at it in the HTML panel it's not changed. I can swap panels, it's still OK. In the HTML panel it's:
{code}
<div>Sub-content 1: ${thisContent.subcontent.sub1}</div>
<div>Sub-content 2: ${thisContent.subcontent.sub2}</div><div>'</div>
{code}
But it's not accepted/stored because of the sanitization.

\* That's a slight change to "CMS Site Demo Page 1" done at https://localhost:8443/content/control/WebSiteCms?webSiteId=CmsSite using demo data in CmsSiteDemoData.xml

We can bypass that again using
{code:java}
// round-trip check: normalise, sanitize, unescape, then compare with the input
value = value.replaceAll("<br>", "<br />");
value = value.replaceAll("'", "'");
String filtered = policy.sanitize(value);
String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
String unescapeEcmaScript = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
String unescapeEcmaScriptAndHtml4 = unescapeEcmaScript.replaceAll("'", "'");
if (filtered != null && !value.equals(unescapeEcmaScriptAndHtml4)) {
{code}
But, unlike for <br>, we need a way to store the single quote safe value. I'm working on that...

I attach the temporary patch [^OFBIZ-12653.patch]

> Sanitizer <br> fail
> -------------------
>
>                 Key: OFBIZ-12653
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12653
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: content
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-12653.patch
>
>
> I copied a text with multiple lines from a text editor into the Trumbowyg
> Html field. The editor creates the Html structure using unclosed <br> elements.
> Unfortunately the sanitizer logic just takes <br />. A security warning is
> thrown and the content will not be stored.
> Issue also a request on Trumbowyg request list:
> [https://github.com/Alex-D/Trumbowyg/issues/1283]

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
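The check the comment works around is a sanitize-then-compare gate: the editor's output is sanitized and rejected if the sanitizer changed it, which trips on harmless rewrites such as `<br>` to `<br />` and `'` to `&#39;`. The following is an added example, not OFBiz code and not the attached patch, showing the same gate with both sides brought to a canonical form first so that only real changes (a dropped or rewritten element) cause rejection. It assumes the OWASP Java HTML Sanitizer (`org.owasp.html`) and Apache Commons Text are on the classpath; the class, the `div`/`br`-only policy and the sample inputs are the example's own, and the `&#39;` encoding of the quote is taken from the comment's description of the sanitizer's output.

```java
import org.apache.commons.text.StringEscapeUtils;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example (not OFBiz code): a sanitize-then-compare check that tolerates
 * the sanitizer's own harmless rewrites (<br> to <br />, ' to &#39;) while still
 * rejecting content the sanitizer actually had to remove or rewrite.
 */
public class SanitizerRoundTrip {

    // Hypothetical policy for the example: only the elements the editor emits here.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("div", "br")
            .toFactory();

    /**
     * Canonical form used on both sides of the comparison: void <br> tags are
     * written self-closed and HTML entities (including &#39;) are decoded, so two
     * strings that render to the same document compare equal.
     */
    static String canonicalize(String html) {
        String normalized = html.replaceAll("<br\\s*/?>", "<br />");
        return StringEscapeUtils.unescapeHtml4(normalized);
    }

    /** Outcome of one check: the value to persist and whether the input had to be changed. */
    static final class Result {
        final String sanitized;
        final boolean modified;

        Result(String sanitized, boolean modified) {
            this.sanitized = sanitized;
            this.modified = modified;
        }
    }

    /**
     * Sanitizes the input and reports whether anything beyond encoding changed.
     * The value to persist is the sanitized output, never the raw input, so the
     * stored form carries &#39; and <br /> regardless of what the editor produced.
     */
    static Result check(String input) {
        String sanitized = POLICY.sanitize(input);
        boolean modified = !canonicalize(input).equals(canonicalize(sanitized));
        return new Result(sanitized, modified);
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the comment: a bare quote and an unclosed <br>.
        String[] inputs = {
            "<div>Sub-content 1: ${thisContent.subcontent.sub1}</div>"
                + "<div>Sub-content 2: ${thisContent.subcontent.sub2}</div><div>'</div>",
            "<div>line one<br>line two</div>",
            // Constructed input with a disallowed element the policy must drop.
            "<div>hello</div><script>x()</script>"
        };
        for (String input : inputs) {
            Result r = check(input);
            System.out.println((r.modified ? "REJECT " : "ACCEPT ") + r.sanitized);
        }
    }
}
```

Because both sides are decoded before comparing, the gate answers "does the sanitized output render to the same document as the input?", which is the question the comment is really asking; the first two inputs pass while the third is rejected. Persisting `Result.sanitized` rather than the raw input is what gives the stored single quote its safe `&#39;` form, the piece the comment notes is still missing for the quote but not for `<br>`.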