This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new c005971e4b Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691) c005971e4b is described below commit c005971e4be56ef7928a6f7d0b7f438e4aa64765 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Sep 15 12:06:18 2022 +0200 Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691) This is a no functional changes. It makes things clearer. I initially wanted to rather do that and forgot. The idea is to no change the sanitization done by HtmlSanitizer.Policy(). We just need to be sure that the comparison with unescapeEcmaScriptAndHtml4 works. Maybe later we will figure out that some more HTML entities will need to be added to "'" and """...
---
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index b24d5d9372..015e1a149f 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -524,8 +524,7 @@ public class UtilCodec {
 });
 // Remove space within and semicolons on end of style attributes when using allowStyling()
- // Replace quotes to avoid issue with testCreateCustRequestItemNote and allow saving when using them in fields
- value = htmlOutput.toString().replace("'", "'").replace(""", "\"");
+ value = htmlOutput.toString();
 String regex = "(style\\s*=\\s*\\\"([^\\\"]*)\\\")";
 Pattern p = Pattern.compile(regex);
 Matcher m = p.matcher(value);
@@ -539,7 +538,9 @@ public class UtilCodec {
 String filtered = policy.sanitize(value);
 String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
 String unescapeEcmaScriptAndHtml4 = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
- if (filtered != null && !value.equals(unescapeEcmaScriptAndHtml4)) {
+ // Replaces possible quotes entities in value (due to HtmlSanitizer above) to avoid issue with
+ // testCreateCustRequestItemNote and allow saving when using quotes in fields
+ if (filtered != null && !value.replace("'", "'").replace(""", "\"").equals(unescapeEcmaScriptAndHtml4)) {
 String issueMsg = null;
 if (locale.equals(new Locale("test"))) { // labels are not available in testClasses Gradle task
 issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "
@@ -552,7 +553,7 @@ public class UtilCodec {
 }
 }
- return value.replace("'", "'").replace("\"", """); // Quotes to HTML entity to be safe
+ return value;
 }
 /**
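Review bot: The new `if` decodes only the two quote entities on the `value` side, while `unescapeHtml4(filtered)` decodes every entity on the other side, so the check appears to reject otherwise-benign input whenever the first sanitizer pass emitted any other entity (`&amp;`, `&lt;`, ...); the commit message already expects more entities to be added here, so that limitation belongs in the comment next to the condition rather than only in the commit log. In this rendering the entity names show as bare quotes, so `replace("'", "'")` reads as a no-op; the comment should name the actual entities (presumably `&#39;` and `&#34;`) so the call is not mistaken for dead code. The condition is also long enough to deserve a named local, e.g. `String decodedValue = value.replace(<apos entity>, "'").replace(<quote entity>, "\"");` followed by `if (filtered != null && !decodedValue.equals(unescapeEcmaScriptAndHtml4)) {`, which also makes it visible that `filtered` is a second sanitizer pass and the equality detects any change it made. The enclosing method begins before this hunk; its `return value;` in the last hunk is consistent with leaving `value` entity-encoded.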