This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 98febce8c3 Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)
98febce8c3 is described below

commit 98febce8c3594d0f8bb5e1fc7a6c09dadffd113d
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri May 24 09:00:12 2024 +0200

    Improved: Extend HTML Sanitizer - style attribute (OFBIZ-12691)
    
    Like we allowed ' and \, this allows @ to be used in email addresses.
    There is no risk with that. If someone tries to add something risky besides, like
    <img src=x onerror=alert(document.cookie);> it will be rejected anyway
---
 framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index f229653b3f..18c8cd210e 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -540,7 +540,8 @@ public class UtilCodec {
             String unescapeEcmaScriptAndHtml4 = 
StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
             // Replaces possible quotes entities in value (due to 
HtmlSanitizer above) to avoid issue with
             // testCreateCustRequestItemNote and allow saving when using 
quotes in fields
-            if (filtered != null && !value.replace("&#39;", 
"'").replace("&#34;", "\"").equals(unescapeEcmaScriptAndHtml4)) {
+            // Maybe later we will figure out that some more HTML entities 
will need to be added to here, see OFBIZ-12691
+            if (filtered != null && !value.replace("&#39;", 
"'").replace("&#34;", "\"").replace("&#64;", 
"@").equals(unescapeEcmaScriptAndHtml4)) {
                 String issueMsg = null;
                 if (locale.equals(new Locale("test"))) { // labels are not 
available in testClasses Gradle task
                     issueMsg = "In field [" + valueName + "] by our input 
policy, your input has not been accepted "
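Review bot: the accepted-entity list in the new condition is now three chained `.replace` calls on `value` (`&#39;`, `&#34;`, `&#64;`), and the added comment already anticipates further entries; each addition widens what the comparison treats as unchanged input, so it deserves a test rather than only a comment. Suggest adding a unit test that drives this branch with an email address value (the case the commit message gives as the motivation) and with the `<img src=x onerror=...>` value the commit message says is still rejected, so that claim is checked by the build instead of stated in the message. The new comment would also be more useful if it said why `&#64;` is needed here (which step turns `@` into `&#64;` so that the comparison fails without it) rather than only pointing at OFBIZ-12691; and if more entities are expected, moving the chain into a small helper (for example a static list of accepted entity/character pairs looped over before the `equals`) keeps the `if` readable as the list grows.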
