This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 89e8af90b2 Reverted: "Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691)"
89e8af90b2 is described below

commit 89e8af90b2688bbaf98d4646613978bd18c897d2
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Sep 15 15:00:27 2022 +0200

    Reverted: "Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691)"
    
    This reverts commit 733d0e0a8aeed9faf7ebd26be12178ba6987dd4f.
    
    I'm not sure why, when coming from the UI, HtmlSanitizer.Policy() changes quotes
    to HTML entities, but not when coming from the test. It seems to come from the
    context, as org.owasp.html.HtmlStreamRenderer somehow explains it:
    
    <<Given a series of HTML tokens, writes valid, normalized HTML to the output.
    The output will have well-defined tag boundaries, but there may be orphaned or
    missing close and open tags. The result of two renderers can always be
    concatenated to produce a larger snippet of HTML, but if the first
    was called with writeOpenTag("plaintext", ...), then any tags in the second will
    not be interpreted as tags in the concatenated version.>>
    
    Anyway, reverting fixes the test issue.
---
 .../base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java 
b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
index c93c6ad55a..2603bd191e 100644
--- 
a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
+++ 
b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
@@ -101,7 +101,7 @@ public class UtilCodecTests {
         List<String> errorList = new ArrayList<>();
         String canonicalizedXssVector = 
UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList,
                 new Locale("test"), true); // labels are not available in 
testClasses Gradle task
-        assertEquals("<script>alert(&#39;XSS vector&#39;);</script>", 
canonicalizedXssVector);
+        assertEquals("<script>alert('XSS vector');</script>", 
canonicalizedXssVector);
         assertEquals(1, errorList.size());
         assertEquals("In field [fieldName] by our input policy, your input has 
not been accepted for security reason. "
                 + "Please check and modify accordingly, thanks.", 
errorList.get(0));
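Review bot: the restored assertion on the `+` line pins `checkStringForHtmlSafe` to returning the quote as a literal `'`, while the commit message states that the same input coming through the UI yields `&#39;`; that context-dependent difference should be recorded in a comment beside the assertion (for example, "canonicalized form in tests keeps the raw quote; the UI rendering path entity-encodes it"), otherwise the next change to UtilCodec or to the OWASP sanitizer policy will reopen this flip-flop with no record of which form is intended. Since the test only asserts on `errorList.size()` and the error text, it would also be worth asserting that the `<script>` element is what triggered the rejection, so the test fails for the right reason if the canonicalization changes again.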