This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push:
new 71cf2a8b8d Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)
71cf2a8b8d is described below
commit 71cf2a8b8d9a0beea5960442706320561351f1f6
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Sep 15 12:06:18 2022 +0200
Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)
This is a no functional changes. It makes things clearer. I initially wanted to rather do that and forgot. The idea is to no change the sanitization done by HtmlSanitizer.Policy(). We just need to be sure that the comparison with unescapeEcmaScriptAndHtml4 works. Maybe later we will figure out that some more HTML entities will need to be added to "'" and """...
---
.../base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index b24d5d9372..015e1a149f 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -524,8 +524,7 @@ public class UtilCodec {
 });
 // Remove space within and semicolons on end of style attributes when using allowStyling()
- // Replace quotes to avoid issue with testCreateCustRequestItemNote and allow saving when using them in fields
- value = htmlOutput.toString().replace("'", "'").replace(""", "\"");
+ value = htmlOutput.toString();
 String regex = "(style\\s*=\\s*\\\"([^\\\"]*)\\\")";
 Pattern p = Pattern.compile(regex);
 Matcher m = p.matcher(value);
@@ -539,7 +538,9 @@ public class UtilCodec {
 String filtered = policy.sanitize(value);
 String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
 String unescapeEcmaScriptAndHtml4 = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
- if (filtered != null && !value.equals(unescapeEcmaScriptAndHtml4)) {
+ // Replaces possible quotes entities in value (due to HtmlSanitizer above) to avoid issue with
+ // testCreateCustRequestItemNote and allow saving when using quotes in fields
+ if (filtered != null && !value.replace("'", "'").replace(""", "\"").equals(unescapeEcmaScriptAndHtml4)) {
 String issueMsg = null;
 if (locale.equals(new Locale("test"))) { // labels are not available in testClasses Gradle task
 issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "
@@ -552,7 +553,7 @@ public class UtilCodec {
 }
 }
- return value.replace("'", "'").replace("\"", """); // Quotes to HTML entity to be safe
+ return value;
 }
 /**
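Review bot: The new condition `!value.replace("'", "'").replace(""", "\"").equals(unescapeEcmaScriptAndHtml4)` undoes only two hand-picked entity forms on the `value` side, while the `filtered` side goes through `unescapeHtml4`, which decodes every entity, so any other entity the sanitizer writes into `value` (an escaped `&`, `<` or `>` in text content, or a hex form of the quote) still compares unequal and the input is rejected as a policy violation; that is a false positive rather than a bypass, but the commit message already expects the list to grow. If the check's purpose is to catch markup the policy removed rather than entity re-encoding (inferred from the surrounding lines, please confirm against the test the comment cites), decoding both sides the same way avoids the list entirely: `if (filtered != null && !StringEscapeUtils.unescapeHtml4(value).equals(unescapeEcmaScriptAndHtml4)) {`. Separately, in this rendering the replacement reads as an identity `.replace("'", "'")`, so the source presumably uses numeric character references that the mail renderer decoded; the added comment would be more useful if it named them, e.g. `// Undo the numeric quote entities (&#39;, &#34;) that the HtmlSanitizer above emits, so value compares with the unescaped filtered output`. The enclosing method starts before this hunk and its `return` is in the next one.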