This should answer your question and interest you: https://issues.apache.org/jira/browse/OFBIZ-5254 (for patient persons only)
Now I will have to investigate why ESAPI in safe mode is throwing warnings. It's certainly related to the codecs (HTMLEntityCodec and PercentCodec) we set (white list strategy), but I still don't understand why the warnings then speak about html tags not being safe. I have to dig into the codecs...

Jacques

Pierre Smits wrote:
> Hi Ruth,
>
> Thanks for giving the heads-up regarding the loglevel in the
> esapi.properties file.
>
> Regards,
>
> Pierre Smits
>
> ORRTIZ.COM <http://www.orrtiz.com>
> Services & Solutions for Cloud-
> Based Manufacturing, Professional
> Services and Retail & Trade
> http://www.orrtiz.com
>
>
> On Mon, Oct 21, 2013 at 11:07 PM, Ruth Hoffman <rhoff...@aesolves.com> wrote:
>
>> Hi Skip:
>> For what it is worth, I had the same issue and I couldn't for the life of
>> me figure out why I was seeing these messages. I also would be interested in
>> knowing where (and why) this message is being thrown since if you read the
>> message content, there doesn't seem to be anything "invalid" about the HTML.
>>
>> FYI - To get rid of this annoying message, I ended up setting the
>> ESAPI.properties file entry:
>>
>> LogLevel=ERROR
>>
>> So at least the error messages were not being displayed.
>>
>> Hope that helps.
>> Ruth Hoffman
>>
>>> That was obvious to me because of a line I left out of the error message:
>>>
>>> ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidSafeHTML(null:-1)
>>>
>>> However, that puts me no closer to understanding where it is coming from
>>> originally. This function is called originally in ModelService.validate
>>> and there is a line of code there that sez something like
>>> if(errorMessageList.size() > 0) throw ...
>>>
>>> There are no exceptions in the log and no user has reported one. I am
>>> just seeing this on the console screen.
>>>
>>> So, how do I find out which service is causing this?
>>>
>>> Skip
>>>
>>> -----Original Message-----
>>> From: Adrian Crum
>>> [mailto:adrian.crum@sandglass-software.com <adrian.c...@sandglass-software.com>]
>>> Sent: Monday, October 21, 2013 11:13 AM
>>> To: user@ofbiz.apache.org
>>> Subject: Re: html validation errors
>>>
>>>
>>> Most likely that is coming from OWASP/ESAPI.
>>>
>>> Adrian Crum
>>> Sandglass Software
>>> www.sandglass-software.com
>>>
>>> On 10/21/2013 10:49 AM, Skip wrote:
>>>
>>>> I am getting validation errors on System.err that look like this:
>>>>
>>>> Oct 21, 2013 9:25:57 AM AppNameNotSpecified IntrusionDetector
>>>> WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid HTML input:
>>>> context=content, errors=[The <b>html</b> tag has been filtered for security
>>>> reasons. The contents of the tag will remain in place., The <b>head</b> tag has
>>>> been filtered for security reasons. The contents of the tag will remain in
>>>> place., The <b>meta</b> tag has been filtered for security reasons. The
>>>> contents of the tag will remain in place., The <b>title</b> tag has been
>>>> filtered for security reasons. The contents of the tag will remain in
>>>> place., The <b>style</b> tag has been filtered for security reasons. The
>>>> contents of the tag will remain in place., The <b>body</b> tag has been
>>>> filtered for security reasons. The contents of the tag will remain in
>>>> place., The <b>h1</b> tag has been filtered for security reasons. The
>>>> contents of the tag will remain in place., The <b>h1</b> tag has been
>>>> filtered for security reasons. The contents of the tag will remain in
>>>> place.]
>>>>
>>>> I would like to track down where this is coming from, but there is no
>>>> information in the logs.
>>>>
>>>> Can anyone provide a clue?
>>>>
>>>> Skip
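The IntrusionDetector entry Skip quotes is AntiSamy's per-tag report (ESAPI's DefaultValidator.getValidSafeHTML delegates the HTML check to AntiSamy): "filtered" means the policy does not allow that tag and only its contents were kept, which is what any complete page with html/head/body tags produces, rather than a sign of hostile markup. As an added example, not code from this thread, from OFBiz or from ESAPI, here is a small Python parser that pulls the fields and tag list out of such an entry and separates this policy noise from entries where active-content tags were stripped and a reviewer should take a look; the two sample entries and the active-content tag list are constructed/assumed:

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the IntrusionDetector entry quoted in the thread
# (not real captured output); the second one adds a removed <script> tag.
SAMPLE_NOISE = (
    "Oct 21, 2013 9:25:57 AM AppNameNotSpecified IntrusionDetector\n"
    "WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid HTML input: "
    "context=content, errors=[The <b>html</b> tag has been filtered for security "
    "reasons. The contents of the tag will remain in place., The <b>head</b> tag has "
    "been filtered for security reasons. The contents of the tag will remain in place., "
    "The <b>h1</b> tag has been filtered for security reasons. The contents of the tag "
    "will remain in place.]\n"
)
SAMPLE_REVIEW = SAMPLE_NOISE.replace(
    "]\n", ", The <b>script</b> tag has been removed for security reasons.]\n")

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ IntrusionDetector\n"
    r"WARNING: SECURITY-FAILURE (?P<user>\S+) -- Invalid HTML input: "
    r"context=(?P<context>[^,]+), errors=\[(?P<errors>.*)\]\s*$", re.S)
# One AntiSamy complaint per tag: "filtered" keeps the tag's contents, "removed" drops them.
TAG_RE = re.compile(r"The <b>(?P<tag>[^<]+)</b> tag has been (?P<action>filtered|removed)")

# Tags whose presence in user-supplied HTML warrants a look (assumed list, tune per policy).
ACTIVE_CONTENT_TAGS = frozenset({"script", "iframe", "object", "embed", "applet", "form", "base"})


@dataclass
class HtmlValidationEvent:
    timestamp: str
    user: str
    context: str
    filtered: list = field(default_factory=list)
    removed: list = field(default_factory=list)


def parse_event(entry: str):
    """Split one IntrusionDetector entry into its fields; None if it is not one."""
    m = HEADER_RE.match(entry)
    if not m:
        return None
    ev = HtmlValidationEvent(m["ts"], m["user"], m["context"])
    for t in TAG_RE.finditer(m["errors"]):
        (ev.filtered if t["action"] == "filtered" else ev.removed).append(t["tag"])
    return ev


def triage(ev: HtmlValidationEvent) -> str:
    """'review' if any active-content tag was stripped, else 'policy-noise'
    (a whole page with html/head/body handed to getValidSafeHTML)."""
    hit = ACTIVE_CONTENT_TAGS.intersection(ev.filtered + ev.removed)
    return "review" if hit else "policy-noise"
```

Run over the console output, this separates the entries worth tracing back to a service from the ones that only show a full document being passed through the validator.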