Author: jleroux
Date: Fri May 24 13:24:31 2019
New Revision: 1859871
URL: http://svn.apache.org/viewvc?rev=1859871&view=rev
Log: Fixed: OWASP sanitizer breaks proper rendering of HTML code (OFBIZ-10187)
After a discussion with Dennis, I checked and the pattern ONSITE_URL would be useless without .allowAttributes("background").matching(ONSITE_URL) .onElements("table") .allowAttributes("background").matching(ONSITE_URL) .onElements("td", "th", "tr") So here they are Thanks: Dennis Balkir for discussion Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java?rev=1859871&r1=1859870&r2=1859871&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java (original) +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomPermissivePolicy.java Fri May 24 13:24:31 2019 @@ -17,7 +17,7 @@ import com.google.common.base.Predicate; * has been subject to a few complex XSS attacks. Listings are allowed to * contain much more rich content than, say, Slashdot- so it's attack surface is * considerably larger. The following tags appear to be accepted by eBay (they - * don't publish rules): {@code <a>},... </blockquote> + * don't publish rules): {@code <a>},... */ public class CustomPermissivePolicy implements SanitizerCustomPolicy { 
@@ -111,11 +111,15 @@ public class CustomPermissivePolicy impl .matching(NUMBER).onElements("table") .allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE) .onElements("table") + .allowAttributes("background").matching(ONSITE_URL) + .onElements("table") + .allowAttributes("background").matching(ONSITE_URL) + .onElements("td", "th", "tr") .allowAttributes("align").matching(ALIGN) .onElements("table") .allowAttributes("noresize").matching(Pattern.compile("(?i)noresize")) .onElements("table") - .allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE) + .allowAttributes("bgcolor").matching(COLOR_NAME_OR_COLOR_CODE) .onElements("td", "th") .allowAttributes("abbr").matching(PARAGRAPH) .onElements("td", "th")
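Review bot: the first hunk (the class Javadoc at `@@ -17,7 +17,7 @@`) only drops the trailing `</blockquote>` after `{@code <a>},...`; the visible context shows no opening `<blockquote>`, so please confirm none remains earlier in the comment (otherwise the Javadoc is now unbalanced the other way round), and consider mentioning this cosmetic Javadoc fix in the log, since the commit is otherwise described as a sanitizer behaviour change.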
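Review bot: in the second hunk the two added chains `.allowAttributes("background").matching(ONSITE_URL)` for `"table"` and for `"td", "th", "tr"` differ only in the element list and can be collapsed into a single `.allowAttributes("background").matching(ONSITE_URL).onElements("table", "td", "th", "tr")`, consistent with how the same hunk already groups `"td", "th"` for `bgcolor`. Since `background` carries a URL the browser will fetch, binding it to `ONSITE_URL` rather than a broader URL predicate is the right choice; a unit test that runs a `background` attribute holding an off-site absolute URL through the policy and asserts it is stripped would pin that intent down. The `-`/`+` pair on the `bgcolor` line for `"td", "th"` is textually identical in the hunk, so it appears to be a whitespace-only change; fine, but worth a word in the log so it is not read as a behaviour change.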