Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/07/01 15:27:09 UTC
[ofbiz-framework] branch trunk updated: Improved: CustomSafePolicy, also use TagBalancingHtmlStreamEventReceiver (OFBIZ-12653)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 78ee6f8792 Improved: CustomSafePolicy, also use TagBalancingHtmlStreamEventReceiver (OFBIZ-12653)
78ee6f8792 is described below
commit 78ee6f8792f8610563931fef2d86e75678b9056c
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Jul 1 17:26:18 2022 +0200
Improved: CustomSafePolicy, also use TagBalancingHtmlStreamEventReceiver (OFBIZ-12653)
Adds <img> and <hr> to CustomSafePolicy, removes obsolete <tt>. <img> allows
only attributes src and alt.
Both <br> and <br /> are valid HTML. Rather than string-replacing one spelling with the other, the input is now normalised
through TagBalancingHtmlStreamEventReceiver before it is compared with the sanitized result
Thanks: Ingo Wolfmayr
---
.../apache/ofbiz/base/html/CustomSafePolicy.java | 3 +-
.../java/org/apache/ofbiz/base/util/UtilCodec.java | 33 +++++++++++++++++++++-
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java b/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
index 5bb2f8f193..0a6cff33d6 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
@@ -60,7 +60,8 @@ public class CustomSafePolicy implements SanitizerCustomPolicy {
.matching(true, "center", "left", "right", "justify", "char")
.onElements("p")
// These elements are allowed.
- .allowElements("a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul", "ol", "li")
+ .allowElements("a", "p", "div", "i", "b", "em", "blockquote", "hr", "strong", "br", "ul", "ol", "li", "img")
+ .allowAttributes("src", "alt").onElements("img")
.toFactory();
@Override
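Review bot: The new `.allowAttributes("src", "alt").onElements("img")` admits a URL-valued attribute, and this hunk does not show which URL protocols the builder permits — any `allowUrlProtocols(...)`/`allowStandardUrlProtocols()` call sits earlier in the chain, outside the hunk, as does the start of the policy definition. With no protocol whitelisted the sanitizer keeps only relative `src` values; if `http`/`https` are whitelisted, remote images (and their tracking requests) become embeddable in any field that accepts this policy, and `data:` must never be in that set. A comment above the line would make the contract visible to the next maintainer, e.g. `// src is a URL attribute: only protocols enabled via allowUrlProtocols() survive; relative URLs always do. Never enable data:`.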
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index 495befd3c5..e4ac346fc0 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -40,9 +40,13 @@ import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.HTMLEntityCodec;
import org.owasp.esapi.codecs.PercentCodec;
import org.owasp.esapi.codecs.XMLEntityCodec;
+import org.owasp.html.Handler;
import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.HtmlSanitizer;
+import org.owasp.html.HtmlStreamRenderer;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
+import org.owasp.html.TagBalancingHtmlStreamEventReceiver;
@SuppressWarnings("rawtypes")
public class UtilCodec {
@@ -490,7 +494,34 @@ public class UtilCodec {
}
if (value != null) {
- value = value.replaceAll("<br>", "<br />"); // Both are OK, so <br> is accepted, see OFBIZ-12653
+ //Create valid HTML from input with empty sanitizer. Compare the result with the sanitized result.
+ StringBuilder htmlOutput = new StringBuilder();
+ HtmlStreamRenderer renderer = HtmlStreamRenderer.create(htmlOutput, Handler.DO_NOTHING);
+ TagBalancingHtmlStreamEventReceiver balancer = new TagBalancingHtmlStreamEventReceiver(renderer);
+ HtmlSanitizer.sanitize(value, new HtmlSanitizer.Policy() {
+ @Override
+ public void openDocument() {
+ balancer.openDocument();
+ }
+ @Override
+ public void openTag(String tagName, List<String> attrs) {
+ balancer.openTag(tagName, attrs);
+ }
+ @Override
+ public void text(String text) {
+ balancer.text(text);
+ }
+ @Override
+ public void closeTag(String tagName) {
+ balancer.closeTag(tagName);
+ }
+ @Override
+ public void closeDocument() {
+ balancer.closeDocument();
+ }
+ });
+
+ value = htmlOutput.toString();
String filtered = policy.sanitize(value);
String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
String unescapeEcmaScriptAndHtml4 = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
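Review bot: The anonymous `HtmlSanitizer.Policy` is a pure pass-through — every open tag, attribute list and text node of the untrusted input is forwarded unfiltered to the tag balancer and renderer — so `htmlOutput` is a normalised but still unsanitized string, and the assignment `value = htmlOutput.toString();` replaces the caller's input with it before `policy.sanitize(value)` runs. That is only safe because the sanitize-and-compare steps follow immediately, and the leading comment should say so instead of "empty sanitizer", e.g. `// Pass-through policy: no filtering here, only tag balancing and re-serialisation, so that <br>, <br /> and other equivalent spellings compare equal to the sanitized output below.` Note also that `Handler.DO_NOTHING` discards the renderer's bad-HTML reports, so anything the renderer declines to emit (an element with an invalid name, if I read HtmlStreamRenderer right) is silently dropped from `value` rather than surfacing as a mismatch in the comparison; if the intent is to reject such input, a handler that records the event is needed. The enclosing method continues past the hunk, so whether the re-serialised `value` is what is ultimately returned to the caller cannot be confirmed from here.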