This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release22.01 by this push:
     new fb52f24e3f Reverted: "Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691)"
fb52f24e3f is described below

commit fb52f24e3fea7e270085e0c5267557cb2a254894
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Sep 15 15:01:37 2022 +0200

    Reverted: "Fixed: Extend HTML Sanitizer - style attribute (OFBIZ-12691)"
    
    This reverts commit 02387ffea720dd5f45b2abb34dc61e0f39868d97.
    
    I'm not sure why, when coming from the UI, HtmlSanitizer.Policy() changes quotes
    to HTML entities, but not when coming from a test. It seems to come from the
    context, as org.owasp.html.HtmlStreamRenderer somehow explains it:
    
    <<Given a series of HTML tokens, writes valid, normalized HTML to the output.
    The output will have well-defined tag boundaries, but there may be orphaned or
    missing close and open tags. The result of two renderers can always be
    concatenated to produce a larger snippet of HTML, but if the first
    was called with writeOpenTag("plaintext", ...), then any tags in the second will
    not be interpreted as tags in the concatenated version.>>
    
    Anyway, reverting fixes the test issue.
---
 .../base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java 
b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
index c93c6ad55a..2603bd191e 100644
--- 
a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
+++ 
b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilCodecTests.java
@@ -101,7 +101,7 @@ public class UtilCodecTests {
         List<String> errorList = new ArrayList<>();
         String canonicalizedXssVector = 
UtilCodec.checkStringForHtmlSafe("fieldName", xssVector, errorList,
                 new Locale("test"), true); // labels are not available in 
testClasses Gradle task
-        assertEquals("<script>alert(&#39;XSS vector&#39;);</script>", 
canonicalizedXssVector);
+        assertEquals("<script>alert('XSS vector');</script>", 
canonicalizedXssVector);
         assertEquals(1, errorList.size());
         assertEquals("In field [fieldName] by our input policy, your input has 
not been accepted for security reason. "
                 + "Please check and modify accordingly, thanks.", 
errorList.get(0));
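Review bot: the changed assertion `assertEquals("<script>alert('XSS vector');</script>", canonicalizedXssVector)` now pins the canonicalized output to literal single quotes, while the commit message states that the same sanitizer produces `&#39;` when invoked from the UI; without a comment recording that the expected form depends on the rendering context, the next person who observes the entity-encoded output will flip the assertion back. Suggest adding a one-line comment above the assertion that the test exercises the non-UI path and that entity encoding of quotes is context dependent, or making the test accept either form explicitly, so the test documents the known divergence rather than hiding it. Note also that the revert only touches the test expectation, not the sanitizer policy itself, so the error-message assertion that follows (`assertEquals(1, errorList.size())` and the rejection text) is unchanged and still confirms the input is rejected either way.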
