This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new a0d829f770 Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691) a0d829f770 is described below commit a0d829f7702fe7247aacf58db519790c2a75f99d Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Mon Sep 12 10:34:05 2022 +0200 Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691) Right now it is not possible to assign inline style to html content. Trumbowyg Editor uses such tags for align paragraphs. style="text-align:right" It is necessary to remove space within the attribute and remove the trailing semicolon in order to apply with OWASP filter rules. Create or open content with "Long text". Goto dataresource and edit HTML. Put in some text and use the align icons (right, center ...) to format the text. Save. You will get a security info. Thanks: Ingo Wolfmayr --- .../java/org/apache/ofbiz/base/html/CustomSafePolicy.java | 1 + .../src/main/java/org/apache/ofbiz/base/util/UtilCodec.java | 13 +++++++++++++ 2 files changed, 14 insertions(+)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java b/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
index 0a6cff33d6..6d378b7a5f 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
@@ -46,6 +46,7 @@ public class CustomSafePolicy implements SanitizerCustomPolicy {
 */
 public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
 .allowStandardUrlProtocols()
+ .allowStyling()
 // Allow title="..." on any element.
 .allowAttributes("title").globally()
 // Allow href="..." on <a> elements.
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index e4ac346fc0..cd505a0e9d 100644
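Review bot: The bare `.allowStyling()` added to POLICY_DEFINITION admits every CSS property in the sanitizer library's default schema, while the commit message states the only need is paragraph alignment (`style="text-align:right"` from the Trumbowyg editor), so the new allowance is broader than the use case requires. Least privilege suggests passing an explicit schema limited to what the editor emits, e.g. `.allowStyling(CssSchema.withProperties(Arrays.asList("text-align")))` (with the matching imports), and widening it only when another property is actually needed; I have not verified the exact overload name against the library version this project pins, so please check it. Either way the new call should carry a comment like its neighbours, e.g. `// Allow style="..." so editor-generated text-align paragraphs survive sanitizing (OFBIZ-12691)`. Note that the builder chain continues past the end of the hunk, so any later call that re-allows or globally permits attributes should be re-read with inline styles now enabled.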
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -32,6 +32,8 @@ import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
@@ -521,7 +523,18 @@ public class UtilCodec {
 }
 });
+ // Remove space within and semicolons on end of style attributes whn using allowStyling()
 value = htmlOutput.toString();
+ String regex = "(style\\s*=\\s*\\\"([^\\\"]*)\\\")";
+ Pattern p = Pattern.compile(regex);
+ Matcher m = p.matcher(value);
+ StringBuffer out = new StringBuffer();
+ while (m.find()) {
+ String str = m.group().replace(";\"", "\"").replace(" ", "");
+ m.appendReplacement(out, str);
+ }
+ m.appendTail(out);
+ value = out.toString();
 String filtered = policy.sanitize(value);
 String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
 String unescapeEcmaScriptAndHtml4 = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);