Posted to dev@ofbiz.apache.org by "Patrick Antivackis (JIRA)" <ji...@apache.org> on 2009/10/31 21:14:59 UTC

[jira] Created: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists 
--------------------------------------------------------------------------------------------------

                 Key: OFBIZ-3135
                 URL: https://issues.apache.org/jira/browse/OFBIZ-3135
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: SVN trunk
            Reporter: Patrick Antivackis


It's because HTMLEntityCodec.getNamedEntity stops at the first entity found,
so it will never return &sup2 or &sup3 because &sup exists, nor &piv
because &pi exists, nor any other entity for which a shorter entity exists.

See bug report:
http://code.google.com/p/owasp-esapi-java/issues/detail?id=45

Attached are a recompiled, patched version of the library based on
owasp-esapi-java-src-1.4.zip
and a diff of src/org/owasp/esapi/codecs/HTMLEntityCodec.java

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
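
The lookup behaviour reported above, as an added example that is not part of the original thread and is not ESAPI's code: a named-entity decoder that returns on the first table hit, next to one that keeps the longest hit. The class, its method names and the five-entry table are assumptions made for the illustration. With the first-hit lookup, "&sup2;" decodes as the &sup character followed by a literal "2;".

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not ESAPI source: every name in this class is hypothetical.
public class EntityPrefixDemo {
    // Constructed subset of HTML 4 named entities, limited to those named in the report.
    static final Map<String, Character> ENTITIES = new HashMap<String, Character>();
    static {
        ENTITIES.put("sup", '\u2283');  // superset-of sign
        ENTITIES.put("sup2", '\u00B2'); // superscript two
        ENTITIES.put("sup3", '\u00B3'); // superscript three
        ENTITIES.put("pi", '\u03C0');   // Greek small pi
        ENTITIES.put("piv", '\u03D6');  // Greek pi symbol
    }

    // Scans the name after '&'. stopAtFirst=true reproduces the reported behaviour
    // (return on the first hit); false keeps going and returns the longest hit.
    static String lookup(String s, int start, boolean stopAtFirst) {
        StringBuilder name = new StringBuilder();
        String best = null;
        for (int i = start; i < s.length() && Character.isLetterOrDigit(s.charAt(i)); i++) {
            name.append(s.charAt(i));
            if (ENTITIES.containsKey(name.toString())) {
                best = name.toString();
                if (stopAtFirst) break; // "sup" is returned before "sup2" is ever tried
            }
        }
        return best;
    }

    static String decode(String in, boolean stopAtFirst) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < in.length()) {
            String name = in.charAt(i) == '&' ? lookup(in, i + 1, stopAtFirst) : null;
            if (name == null) {          // not an entity: copy the character through
                out.append(in.charAt(i++));
                continue;
            }
            out.append(ENTITIES.get(name).charValue());
            i += 1 + name.length();      // skip '&' and the matched name
            if (i < in.length() && in.charAt(i) == ';') i++; // consume terminator
        }
        return out.toString();
    }

    // Render as code points so the result is readable on any console encoding.
    static String hex(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) sb.append(String.format("U+%04X ", (int) c));
        return sb.toString().trim();
    }
    public static void main(String[] args) {
        for (String in : new String[] {"&sup2;", "&sup3;", "&piv;", "&sup;", "&pi;"}) {
            System.out.println(in + "  first-hit: " + hex(decode(in, true))
                    + "  longest: " + hex(decode(in, false)));
        }
    }
}
```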


[jira] Updated: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Patrick Antivackis (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Antivackis updated OFBIZ-3135:
--------------------------------------

    Attachment: owasp-esapi-full-java-1.4.jar
                Patch-HTMLEntityCodec.java.diff



[jira] Commented: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776641#action_12776641 ] 

Jacques Le Roux commented on OFBIZ-3135:
----------------------------------------

I'd say last Sun JDK 1.5 as it's still the one recommended for OFBiz (even if I guess most of us use 1.6)



[jira] Updated: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Patrick Antivackis (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Antivackis updated OFBIZ-3135:
--------------------------------------

    Attachment: owasp-esapi-full-java-1.4.jar
                patch-owasp-1.4.diff

I updated the tag 1.4 from owasp-esapi.
I also attached the diff file in order to let you check my backport of the trunk patch.



[jira] Commented: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Patrick Antivackis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776481#action_12776481 ] 

Patrick Antivackis commented on OFBIZ-3135:
-------------------------------------------

Bug has been fixed in owasp-esapi trunk. Do you want me to backport it to the 1.4 version?



[jira] Closed: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-3135.
----------------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk
                   Release Branch 9.04
         Assignee: Jacques Le Roux

Thanks Patrick,

I checked the diff you provided against http://code.google.com/p/owasp-esapi-java/source/detail?r=755 and found no differences (except test classes not present, of course).

I replaced the jar in trunk at r884781, R9.04 at r884783.



[jira] Commented: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Patrick Antivackis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776615#action_12776615 ] 

Patrick Antivackis commented on OFBIZ-3135:
-------------------------------------------

Yes, the patch in the trunk is good (better than mine as I missed one specific case), but I have yet to integrate it into the 1.4 version. Is there any recommendation on the JDK I should use to recreate the jar once I have backported the patch to 1.4?



[jira] Commented: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Scott Gray (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776935#action_12776935 ] 

Scott Gray commented on OFBIZ-3135:
-----------------------------------

Has the bug been confirmed as fixed?  It looks like the issue owner was waiting for a response to confirm it works.



[jira] Updated: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Patrick Antivackis (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Antivackis updated OFBIZ-3135:
--------------------------------------

    Attachment:     (was: Patch-HTMLEntityCodec.java.diff)



[jira] Commented: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776561#action_12776561 ] 

Jacques Le Roux commented on OFBIZ-3135:
----------------------------------------

Hi Patrick,

So I guess you tried and it's ok, yes it would be cool to have it in 1.4 and update OFBiz with, sure!

Thanks



[jira] Updated: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Patrick Antivackis (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Antivackis updated OFBIZ-3135:
--------------------------------------

    Attachment:     (was: owasp-esapi-full-java-1.4.jar)



[jira] Commented: (OFBIZ-3135) In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776944#action_12776944 ] 

Jacques Le Roux commented on OFBIZ-3135:
----------------------------------------

Yes Patrick,

It would be cool to confirm there too ;)
