This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit fb59acff0dee5ffa71b7248d50b4536706d16360
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Sep 12 10:34:05 2022 +0200

    Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691)
    
    Right now it is not possible to assign inline style to html content.
    Trumbowyg Editor uses such tags for align paragraphs.
    
    style="text-align:right"
    
    It is necessary to remove spaces within the attribute and remove the trailing
    semicolon in order to comply with the OWASP filter rules.
    
    Create or open content with "Long text". Goto dataresource and edit HTML.
    Put in some text and use the align icons (right, center ...) to format the 
text.
    Save. You will get a security info.
    
    Thanks: Ingo Wolfmayr
---
 .../java/org/apache/ofbiz/base/html/CustomSafePolicy.java   |  1 +
 .../src/main/java/org/apache/ofbiz/base/util/UtilCodec.java | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
index 0a6cff33d6..6d378b7a5f 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
@@ -46,6 +46,7 @@ public class CustomSafePolicy implements 
SanitizerCustomPolicy {
      */
     public static final PolicyFactory POLICY_DEFINITION = new 
HtmlPolicyBuilder()
             .allowStandardUrlProtocols()
+            .allowStyling()
             // Allow title="..." on any element.
             .allowAttributes("title").globally()
             // Allow href="..." on <a> elements.
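Review bot: The bare `.allowStyling()` on the added line admits every CSS property in the sanitizer's default schema, while the commit message only needs `text-align` for the editor's alignment buttons; if that is the real requirement, the overload that takes a whitelist, e.g. `.allowStyling(CssSchema.withProperties(Arrays.asList("text-align")))`, keeps the newly opened style attribute to the properties actually used. Since this is a deliberate widening of the default policy, it also deserves a why-comment in the style of the neighbouring ones, e.g. `// Allow style="..." so editor alignment survives sanitizing (OFBIZ-12691).`. The POLICY_DEFINITION builder chain starts and continues outside the hunk.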
diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index e4ac346fc0..cd505a0e9d 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -32,6 +32,8 @@ import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
@@ -521,7 +523,18 @@ public class UtilCodec {
                 }
             });
 
+            // Remove space within and semicolons on end of style attributes 
whn using allowStyling()
             value = htmlOutput.toString();
+            String regex = "(style\\s*=\\s*\\\"([^\\\"]*)\\\")";
+            Pattern p = Pattern.compile(regex);
+            Matcher m = p.matcher(value);
+            StringBuffer out = new StringBuffer();
+            while (m.find()) {
+                String str = m.group().replace(";\"", "\"").replace(" ", "");
+                m.appendReplacement(out, str);
+            }
+            m.appendTail(out);
+            value = out.toString();
             String filtered = policy.sanitize(value);
             String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
             String unescapeEcmaScriptAndHtml4 = 
StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
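Review bot: `m.appendReplacement(out, str)` treats `str` as a replacement template, so a `$` or `\` inside a user-supplied style value (e.g. `style="font-family: $x"`) is interpreted as a group reference and throws `IllegalArgumentException` instead of being sanitized; the line should read `m.appendReplacement(out, Matcher.quoteReplacement(str));`. The `Pattern` is recompiled on every call and would be better as a `private static final` field, and `StringBuffer` can be `StringBuilder` if the build targets Java 9+ where `appendReplacement(StringBuilder, String)` exists. Note also that `.replace(" ", "")` strips every space in the whole attribute, so multi-word values such as `font-family: Times New Roman` are altered before they reach `policy.sanitize`; the comment above also has a typo (`whn`). The enclosing method starts and ends outside the hunk.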
