Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/04/04 06:50:56 UTC

[ofbiz-framework] 01/02: Improved: just a tiny comment change in security.properties

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 5d4dcd2ed490eb61f8a95bef5fe62140f5af08cb
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Apr 2 16:24:17 2022 +0200

    Improved: just a tiny comment change in security.properties
    
    Make clear that it's impossible to create a complete deniedWebShellTokens
---
 framework/security/config/security.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index f106f9b21f..03c6804e89 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -249,7 +249,7 @@ allowAllUploads=
 #-- TODO.... to be continued with known webshell contents... a complete allow list is impossible anyway...
 #--
 #-- It could notably be improved by checking for all Javascripts payloads.
-#-- As listed at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet,
+#-- But as listed at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet,
 #-- at 2022-02-25 there are 8929 of them considering all tags, all events and all browsers...!
 #--
 #-- "freemarker" should be OK, should not be used in Freemarker templates, not part of the syntax.
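Review bot: The unchanged TODO line at the top of this hunk still says "a complete allow list is impossible anyway", but the commit message describes the setting as deniedWebShellTokens, which is a deny list, so the comment this change is meant to clarify stays inconsistent. Suggest changing that line to "a complete deny list is impossible anyway" in the same commit, and correcting "all Javascripts payloads" to "all JavaScript payloads" on the line just above the edit. The added "But" only implies the conclusion; stating it outright after the 8929 count (for example, that the token list can therefore only be a partial filter) would put the intent from the commit message into the file itself, where the next person editing the property will read it.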