This is an automated email from the ASF dual-hosted git repository.

mbrohl pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 1f0797d  Fixed: Adding tel protocol in CustomPermissivePolicy is not 
working (OFBIZ-12258)
1f0797d is described below

commit 1f0797d5f32c8c040963a0b96196aaebaf9152ae
Author: Wiebke Pätzold <wiebke.paetz...@ecomify.de>
AuthorDate: Mon Jun 14 12:16:10 2021 +0200

    Fixed: Adding tel protocol in CustomPermissivePolicy is not working
    (OFBIZ-12258)
    
    With these changes, the default sanitizer rules are only loaded if
    there is no CustomPermissivePolicy
---
 .../main/java/org/apache/ofbiz/base/util/UtilCodec.java | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index 1433977..40e033a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -128,12 +128,11 @@ public class UtilCodec {
                 return null;
             }
             if (UtilProperties.getPropertyAsBoolean("owasp", 
"sanitizer.enable", true)) {
-                PolicyFactory sanitizer = 
Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(
-                        Sanitizers.LINKS).and(Sanitizers.STYLES);
+                PolicyFactory sanitizer = null;
                 // TODO to be improved to use a (or several) contentTypeId/s 
when necessary.
                 // Below is an example with BIRT_FLEXIBLE_REPORT_POLICY
                 if ("FLEXIBLE_REPORT".equals(contentTypeId)) {
-                    sanitizer = sanitizer.and(BIRT_FLEXIBLE_REPORT_POLICY);
+                    sanitizer = BIRT_FLEXIBLE_REPORT_POLICY;
                 }
 
                 // Check if custom policy should be used and if so don't use 
PERMISSIVE_POLICY
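Review bot: The new `PolicyFactory sanitizer = null;` silently changes the variable's invariant — before this commit it always held at least the default rule set, now it stays null until some later branch assigns a policy — and nothing in the hunk says so, although every later use of `sanitizer` in this method now has to tolerate null. A one-line comment at the declaration would make that contract explicit for the next reader, e.g. `// null until a rule set is chosen below; defaults are applied only when no custom policy is available`. The FLEXIBLE_REPORT branch is consistent with that: it now assigns BIRT_FLEXIBLE_REPORT_POLICY alone rather than combining it with the defaults. The enclosing method begins before this hunk and continues into the next one.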
@@ -155,9 +154,21 @@ public class UtilCodec {
                     }
 
                     if (policy != null) {
+                        if (UtilValidate.isNotEmpty(sanitizer)) {
                         sanitizer = sanitizer.and(policy);
+                        } else {
+                            sanitizer = policy;
+                        }
                         return sanitizer.sanitize(original);
                     }
+                } else {
+                    if (UtilValidate.isNotEmpty(sanitizer)) {
+                        sanitizer = 
sanitizer.and(Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(
+                                Sanitizers.LINKS).and(Sanitizers.STYLES));
+                    } else {
+                        sanitizer = 
Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(
+                            Sanitizers.LINKS).and(Sanitizers.STYLES);
+                    }
                 }
 
                 // Fallback should be the default option PERMISSIVE_POLICY
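Review bot: The default rule set is only applied in the new `else` branch (custom policy disabled), so when the custom policy is enabled but `policy` ends up null — the class could not be loaded — the method falls through with `sanitizer` still null for every content type except FLEXIBLE_REPORT; whatever the "Fallback should be the default option PERMISSIVE_POLICY" section after this hunk does with `sanitizer` (presumably `.and(...)` / `.sanitize(...)`, which is outside the hunk) would then throw a NullPointerException instead of sanitizing with the defaults, which contradicts the commit's own description ("only loaded if there is no CustomPermissivePolicy"). Moving the default-loading out of the `else` so it runs whenever no custom policy was obtained closes that gap, as sketched below. Two smaller points in the same hunk: the context line `sanitizer = sanitizer.and(policy);` was not re-indented after being wrapped in the new `if`, and `UtilValidate.isNotEmpty(sanitizer)` on a PolicyFactory is just a null check, so `sanitizer != null` states the intent more directly. The enclosing method starts before the first hunk and ends after this one.
```java
                    if (policy != null) {
                        sanitizer = sanitizer != null ? sanitizer.and(policy) : policy;
                        return sanitizer.sanitize(original);
                    }
                }
                // No usable custom policy: apply the default rule set, on top of the
                // content-type policy chosen above if there is one.
                PolicyFactory defaults = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES)
                        .and(Sanitizers.LINKS).and(Sanitizers.STYLES);
                sanitizer = sanitizer != null ? sanitizer.and(defaults) : defaults;
                // … unchanged: PERMISSIVE_POLICY fallback …
```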
