Posted to dev@ofbiz.apache.org by Deepak Dixit <de...@hotwaxsystems.com> on 2015/10/13 13:50:49 UTC

Re: svn commit: r1708275 - in /ofbiz/branches/release14.12: ./ applications/content/config/ applications/content/src/org/ofbiz/content/content/ framework/base/lib/ specialpurpose/cmssite/data/

Hi Jacques,

I am getting the following exception on 14.12:

{code}
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.html.Sanitizers
    [java] at org.ofbiz.content.content.ContentWorker.renderContentAsText(ContentWorker.java:354) ~[ofbiz-content.jar:?]
    [java] at org.ofbiz.content.content.ContentMapFacade.renderThis(ContentMapFacade.java:343) ~[ofbiz-content.jar:?]
    [java] at org.ofbiz.content.content.ContentMapFacade.toString(ContentMapFacade.java:355) ~[ofbiz-content.jar:?]
    [java] at freemarker.ext.beans.StringModel.getAsString(StringModel.java:61) ~[freemarker-2.3.22.jar:2.3.22]
    [java] at freemarker.core.EvalUtil.modelToString(EvalUtil.java:55) ~[freemarker-2.3.22.jar:2.3.22]
    [java] at freemarker.core.EvalUtil.coerceModelToString(EvalUtil.java:340) ~[freemarker-2.3.22.jar:2.3.22]

{code}

Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com

On Tue, Oct 13, 2015 at 6:15 AM, <jl...@apache.org> wrote:

> Author: jleroux
> Date: Tue Oct 13 00:45:31 2015
> New Revision: 1708275
>
> URL: http://svn.apache.org/viewvc?rev=1708275&view=rev
> Log:
> "Applied fix from trunk for revision: 1708274  " (handled conflicts on
> .classpath by hand)
> ------------------------------------------------------------------------
> r1708274 | jleroux | 2015-10-13 02:40:47 +0200 (Tue, 13 Oct 2015) | 1 line
>
> Fix for ContentWorker at OFBIZ-6669. For that I have added
> owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true"
> property in content.properties with some explanations. The reason I put
> this property is because the sanitizer does some (safe) changes which might
> be unwanted in a context where you are "sure" no one can inject/exploit
> your DB, see the JIRA issue for details. Note that this does not affect the
> *ContentWrapper.java classes where we use OWASP encoding and not sanitizer.
> The reason we need the sanitizer here is because we are not only handling
> content but also HTML code...
> ------------------------------------------------------------------------
>
>
> Added:
>
> ofbiz/branches/release14.12/framework/base/lib/owasp-java-html-sanitizer-r239.jar
>       - copied unchanged from r1708274,
> ofbiz/trunk/framework/base/lib/owasp-java-html-sanitizer-r239.jar
> Modified:
>     ofbiz/branches/release14.12/   (props changed)
>     ofbiz/branches/release14.12/.classpath
>     ofbiz/branches/release14.12/LICENSE
>
> ofbiz/branches/release14.12/applications/content/config/content.properties
>
> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>
> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>
> Propchange: ofbiz/branches/release14.12/
>
> ------------------------------------------------------------------------------
> --- svn:mergeinfo (original)
> +++ svn:mergeinfo Tue Oct 13 00:45:31 2015
> @@ -8,4 +8,4 @@
>  /ofbiz/branches/json-integration-refactoring:1634077-1635900
>  /ofbiz/branches/multitenant20100310:921280-927264
>  /ofbiz/branches/release13.07:1547657
>
> -/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,
>
>  1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
>  77,1706591,1706694,1707837,1707857
>
> +/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,
>
>  1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
>  77,1706591,1706694,1707837,1707857,1708274
>
> Modified: ofbiz/branches/release14.12/.classpath
> URL:
> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/.classpath?rev=1708275&r1=1708274&r2=1708275&view=diff
>
> ==============================================================================
> --- ofbiz/branches/release14.12/.classpath (original)
> +++ ofbiz/branches/release14.12/.classpath Tue Oct 13 00:45:31 2015
> @@ -41,6 +41,7 @@
>      <classpathentry kind="lib"
> path="framework/base/lib/log4j-api-2.3.jar"/>
>      <classpathentry kind="lib" path="framework/base/lib/mail-1.5.1.jar"/>
>      <classpathentry kind="lib"
> path="framework/base/lib/nekohtml-1.9.16.jar"/>
> +    <classpathentry kind="lib"
> path="framework/base/lib/owasp-java-html-sanitizer-r239.jar"/>
>      <classpathentry kind="lib" path="framework/base/lib/esapi-2.1.0.jar"/>
>      <classpathentry kind="lib"
> path="framework/base/lib/resolver-2.9.1.jar"/>
>      <classpathentry kind="lib"
> path="framework/base/lib/serializer-2.9.1.jar"/>
>
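Review bot: this `.classpath` entry only tells Eclipse about the jar and does nothing for the runtime, and the `NoClassDefFoundError: Could not initialize class org.owasp.html.Sanitizers` reported in the reply is a static-initializer failure rather than a plain missing class: the first `ExceptionInInitializerError` for `org.owasp.html.Sanitizers` in the log, not this later `NoClassDefFoundError`, names the real cause. Since nothing is added alongside `owasp-java-html-sanitizer-r239.jar` in this commit, check that the sanitizer's own dependency (it is built on Guava) is present on the release14.12 runtime classpath; a clean compile of ContentWorker does not prove that, because `Sanitizers` only touches Guava when its static fields are first initialised.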
> Modified: ofbiz/branches/release14.12/LICENSE
> URL:
> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/LICENSE?rev=1708275&r1=1708274&r2=1708275&view=diff
>
> ==============================================================================
> --- ofbiz/branches/release14.12/LICENSE (original)
> +++ ofbiz/branches/release14.12/LICENSE Tue Oct 13 00:45:31 2015
> @@ -67,6 +67,7 @@ framework/base/lib/j2eespecs/annotations
>  framework/base/lib/j2eespecs/el-api-2.2.jar
>  framework/base/lib/j2eespecs/jsp-api-2.2.jar
>  framework/base/lib/j2eespecs/servlet-api-3.0.jar
> +framework/base/lib/owasp-java-html-sanitizer-r239.jar
>  framework/base/lib/scripting/bsf-2.4.0.jar
>  framework/base/lib/scripting/jakarta-oro-2.0.8.jar
>  framework/base/lib/scripting/groovy-all-2.2.1.jar
>
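Review bot: the new line `+framework/base/lib/owasp-java-html-sanitizer-r239.jar` is dropped between the `j2eespecs` and `scripting` entries; make sure this section of LICENSE is the one that matches the sanitizer's own terms (it is a BSD-style licensed third-party jar, not an Apache-licensed one) and that its notice text is carried along, rather than appending it to whichever list the neighbouring entries happen to be in.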
> Modified:
> ofbiz/branches/release14.12/applications/content/config/content.properties
> URL:
> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/config/content.properties?rev=1708275&r1=1708274&r2=1708275&view=diff
>
> ==============================================================================
> ---
> ofbiz/branches/release14.12/applications/content/config/content.properties
> (original)
> +++
> ofbiz/branches/release14.12/applications/content/config/content.properties
> Tue Oct 13 00:45:31 2015
> @@ -35,3 +35,7 @@ content.upload.always.local.file=true
>
>  # content output folder (relative to ofbiz.home)
>  content.output.path=runtime/output
> +
> +#Should we sanitize generic content by default (specific contents -
> order, party, category, product, configured product, product promo and work
> effort - are always encoded)
> +# This has a slightly impact on the code rendered, see . True By default!
> +content.sanitize=true
>
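Review bot: the comment on the new property has a dangling reference (`see .`) and a grammar slip (`a slightly impact`); point it at the issue named in the log message, OFBIZ-6669, and read "This has a slight impact on the HTML rendered". It should also say what switching it off means: with `content.sanitize=false`, generic content rendered through `ContentWorker.renderContentAsText` is emitted exactly as stored, so the flag is only safe to flip on an instance where every content author is trusted, which is the trade-off the log message describes but the property file does not.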
> Modified:
> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
> URL:
> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1708275&r1=1708274&r2=1708275&view=diff
>
> ==============================================================================
> ---
> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
> (original)
> +++
> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
> Tue Oct 13 00:45:31 2015
> @@ -54,6 +54,7 @@ import org.ofbiz.entity.condition.Entity
>  import org.ofbiz.entity.condition.EntityOperator;
>  import org.ofbiz.entity.util.EntityQuery;
>  import org.ofbiz.entity.util.EntityUtil;
> +import org.ofbiz.entity.util.EntityUtilProperties;
>  import org.ofbiz.minilang.MiniLangException;
>  import org.ofbiz.minilang.SimpleMapProcessor;
>  import org.ofbiz.service.DispatchContext;
> @@ -61,6 +62,8 @@ import org.ofbiz.service.GenericServiceE
>  import org.ofbiz.service.LocalDispatcher;
>  import org.ofbiz.service.ModelService;
>  import org.ofbiz.service.ServiceUtil;
> +import org.owasp.html.PolicyFactory;
> +import org.owasp.html.Sanitizers;
>  import org.xml.sax.InputSource;
>  import org.xml.sax.SAXException;
>
> @@ -335,7 +338,23 @@ public class ContentWorker implements or
>              Locale locale, String mimeTypeId, boolean cache) throws
> GeneralException, IOException {
>          Writer writer = new StringWriter();
>          renderContentAsText(dispatcher, delegator, contentId, writer,
> templateContext, locale, mimeTypeId, null, null, cache);
> -        return writer.toString();
> +        String rendered = writer.toString();
> +        // According to
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
> +        // Normally head should be protected by X-XSS-Protection Response
> Header by default
> +        if
> (EntityUtilProperties.propertyValueEqualsIgnoreCase("content.properties",
> "content.sanitize", "true", delegator)
> +                && (rendered.contains("<script>")
> +                || rendered.contains("<!--")
> +                || rendered.contains("<div")
> +                || rendered.contains("<style>")
> +                || rendered.contains("<span")
> +                || rendered.contains("<input")
> +                || rendered.contains("<input")
> +                || rendered.contains("<iframe")
> +                || rendered.contains("<a"))) {
> +            PolicyFactory sanitizer =
> Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES);
> +            rendered = sanitizer.sanitize(rendered);
> +        }
> +        return rendered;
>      }
>
>      public static String renderContentAsText(LocalDispatcher dispatcher,
> Delegator delegator, String contentId, Appendable out,
>
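Review bot: the trigger list from `&& (rendered.contains("<script>")` down to `|| rendered.contains("<a")))` is a case-sensitive substring blacklist that decides whether the sanitizer runs at all, so anything that matches none of its entries is returned unsanitized: `<SCRIPT>` in upper case, `<script src="...">` (no `>` directly after the tag name), `<img src=x onerror=...>`, `<svg onload=...>`, `<body onload=...>`, and an event handler on any otherwise allowed tag such as `<b onmouseover=...>`. `rendered.contains("<input")` is also listed twice. The `PolicyFactory` built on the next line is an allow-list and is harmless on text that carries no markup, so when `content.sanitize` is true just run `rendered = sanitizer.sanitize(rendered);` unconditionally (or gate on `mimeTypeId`, which is already a parameter of this method, being an HTML type rather than on tag names), and hoist the `Sanitizers.FORMATTING.and(...)` chain into a `static final` field instead of rebuilding it on every render. The comment about `X-XSS-Protection` describes a best-effort browser filter, not something this code can rely on for content that ends up in `<head>`; either drop it or reword it so the sanitizing is not read as optional hardening.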
> Modified:
> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
> URL:
> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml?rev=1708275&r1=1708274&r2=1708275&view=diff
>
> ==============================================================================
> ---
> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
> (original)
> +++
> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
> Tue Oct 13 00:45:31 2015
> @@ -78,7 +78,7 @@ under the License.
>                <p>
>                This is a site to demonstrate the CMS capabilities of
> OFBiz. Its basic function is the editing of website text
>                inside a browser. If you want to edit the text you are
> reading now, logon to the backend system, select the content component
> -              click on 'cmssite' in the website list and ten click on the
> 'cms' button. There you see on the left hand side the tree of this website.
> +              click on 'cmssite' in the website list and then click on
> the 'cms' button. There you see on the left hand side the tree of this
> website.
>                If you click on 'homepage' then you can edit the content of
> this page at the box in the r
>                </p>
>                <p>
>
>
>
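The log message above draws the line between the *ContentWrapper classes, which HTML-encode, and ContentWorker, which has to keep author-supplied markup and therefore sanitizes. What follows is an added example, not OFBiz code and not part of the commit, that runs the exact policy from the ContentWorker hunk next to a plain HTML encoder over a few constructed inputs, and replays the hunk's substring pre-check to show which inputs it would hand back unsanitized. It assumes owasp-java-html-sanitizer-r239.jar (the version added by r1708274) and its Guava dependency are on the classpath; the encodeForHtml helper is a hand-written stand-in for the ESAPI encoder OFBiz uses in the wrappers, not the project's own method, and the sample strings are made up for the demonstration.

```java
// Added example (not OFBiz project code): HTML encoding vs. the OWASP Java HTML
// Sanitizer policy used in the r1708274 ContentWorker hunk, plus a replay of that
// hunk's substring pre-check. Assumes owasp-java-html-sanitizer-r239.jar and its
// Guava dependency on the classpath.
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

import java.util.Arrays;
import java.util.List;

public class SanitizeVsEncodeDemo {

    // The same policy chain as the hunk, built once instead of per render.
    static final PolicyFactory POLICY = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.IMAGES)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.STYLES);

    // The hunk's trigger list, reproduced as-is (including the duplicated "<input")
    // so that its gaps are visible. contains() is case-sensitive.
    static final List<String> TRIGGERS = Arrays.asList(
            "<script>", "<!--", "<div", "<style>", "<span", "<input", "<input", "<iframe", "<a");

    // True when the hunk's condition would let the sanitizer run on this output.
    static boolean hunkWouldSanitize(String rendered) {
        for (String t : TRIGGERS) {
            if (rendered.contains(t)) {
                return true;
            }
        }
        return false;
    }

    // Contextual output encoding, the approach the *ContentWrapper classes take.
    // Hand-rolled stand-in for the ESAPI encoder; every character that can open
    // markup or break out of an attribute becomes an entity.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: one legitimate CMS fragment, then payloads that a
        // content author with write access to the Content entity could store.
        String[] samples = {
            "<p>Welcome to <b>cmssite</b>, see <a href=\"http://ofbiz.apache.org\">OFBiz</a></p>",
            "<p>hi</p><script>alert(1)</script>",
            "<p>hi</p><SCRIPT>alert(1)</SCRIPT>",
            "<p>hi</p><script src=\"//evil.example/x.js\"></script>",
            "<img src=\"x\" onerror=\"alert(1)\">",
            "<svg onload=\"alert(1)\"></svg>",
            "<b onmouseover=\"alert(1)\">hover</b>",
        };
        for (String s : samples) {
            System.out.println("input      : " + s);
            // Encoding neutralises everything, but the markup is no longer usable as HTML.
            System.out.println("encoded    : " + encodeForHtml(s));
            // Sanitizing keeps allowed markup and drops scripts, unknown tags and on* handlers.
            System.out.println("sanitized  : " + POLICY.sanitize(s));
            // Whether the hunk's pre-check would have reached the sanitize() call at all.
            System.out.println("hunk check : " + (hunkWouldSanitize(s) ? "sanitizes" : "SKIPS, returned as stored"));
            System.out.println();
        }
    }
}
```

Compile and run it with the two jars on the classpath. For the first two inputs the pre-check and the sanitizer agree; for the upper-case `<SCRIPT>`, the `<script src=...>`, the `<img ... onerror>`, the `<svg onload>` and the `<b onmouseover>` inputs the "sanitized" line shows the policy removing the active content while the "hunk check" line reports that the condition in the hunk would have skipped the sanitizer and returned the stored string unchanged, which is the gap to close before treating `content.sanitize=true` as the protection.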

Re: svn commit: r1708275 - in /ofbiz/branches/release14.12: ./ applications/content/config/ applications/content/src/org/ofbiz/content/content/ framework/base/lib/ specialpurpose/cmssite/data/

Posted by Deepak Dixit <de...@hotwaxsystems.com>.
Thanks Jacques.

Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com

On Tue, Oct 13, 2015 at 10:58 PM, Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

> It's fixed at revision: 1708471
>
> Jacques
>
>
> On 13/10/2015 17:36, Jacques Le Roux wrote:
>
>> Hi Deepak
>>
>> Indeed something is not working in R14.12, I don't see any missing
>> dependencies (it compiles w/o issues), I'll have a look, thanks!
>>
>>
>> Jacques
>>

Re: svn commit: r1708275 - in /ofbiz/branches/release14.12: ./ applications/content/config/ applications/content/src/org/ofbiz/content/content/ framework/base/lib/ specialpurpose/cmssite/data/

Posted by Jacques Le Roux <ja...@les7arts.com>.
It's fixed at revision: 1708471

Jacques


On 13/10/2015 17:36, Jacques Le Roux wrote:
> Hi Deepak
>
> Indeed something is not working in R14.12, I don't see any missing dependencies (it compiles w/o issues), I'll have a look, thanks!
>
> Jacques
>
> Le 13/10/2015 13:50, Deepak Dixit a écrit :
>> Hi Jacques,
>>
>> I am getting following exception on 14.12:
>>
>> {code}
>>   java.lang.NoClassDefFoundError: Could not initialize class
>> org.owasp.html.Sanitizers
>>      [java] at
>> org.ofbiz.content.content.ContentWorker.renderContentAsText(ContentWorker.java:354)
>> ~[ofbiz-content.jar:?]
>>      [java] at
>> org.ofbiz.content.content.ContentMapFacade.renderThis(ContentMapFacade.java:343)
>> ~[ofbiz-content.jar:?]
>>      [java] at
>> org.ofbiz.content.content.ContentMapFacade.toString(ContentMapFacade.java:355)
>> ~[ofbiz-content.jar:?]
>>      [java] at
>> freemarker.ext.beans.StringModel.getAsString(StringModel.java:61)
>> ~[freemarker-2.3.22.jar:2.3.22]
>>      [java] at freemarker.core.EvalUtil.modelToString(EvalUtil.java:55)
>> ~[freemarker-2.3.22.jar:2.3.22]
>>      [java] at
>> freemarker.core.EvalUtil.coerceModelToString(EvalUtil.java:340)
>> ~[freemarker-2.3.22.jar:2.3.22]
>>
>> {code}
>>
>> Thanks & Regards
>> -- 
>> Deepak Dixit
>> www.hotwaxsystems.com
>>
>> On Tue, Oct 13, 2015 at 6:15 AM, <jl...@apache.org> wrote:
>>
>>> Author: jleroux
>>> Date: Tue Oct 13 00:45:31 2015
>>> New Revision: 1708275
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1708275&view=rev
>>> Log:
>>> "Applied fix from trunk for revision: 1708274  " (handled conflicts on
>>> .classpath by hand)
>>> ------------------------------------------------------------------------
>>> r1708274 | jleroux | 2015-10-13 02:40:47 +0200 (Tue 13 Oct 2015) | 1
>>> line
>>>
>>> Fix for ContentWorker at OFBIZ-6669. For that I have added
>>> owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true"
>>> property in content.properties with some explanations. The reason I put
>>> this property is because the sanitizer does some (safe) changes which might
>>> be unwanted in a context where you are "sure" no one can inject/exploit
>>> your DB, see the JIRA issue for details. Note that this does not affect the
>>> *ContentWrapper.java classes where we use OWASP encoding and not sanitizer.
>>> The reason we need the sanitizer here is because we are not only handling
>>> content but also HTML code...
>>> ------------------------------------------------------------------------
>>>
>>>
>>> Added:
>>>
>>> ofbiz/branches/release14.12/framework/base/lib/owasp-java-html-sanitizer-r239.jar
>>>        - copied unchanged from r1708274,
>>> ofbiz/trunk/framework/base/lib/owasp-java-html-sanitizer-r239.jar
>>> Modified:
>>>      ofbiz/branches/release14.12/   (props changed)
>>>      ofbiz/branches/release14.12/.classpath
>>>      ofbiz/branches/release14.12/LICENSE
>>>
>>> ofbiz/branches/release14.12/applications/content/config/content.properties
>>>
>>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>>>
>>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>>>
>>> Propchange: ofbiz/branches/release14.12/
>>>
>>> ------------------------------------------------------------------------------
>>> --- svn:mergeinfo (original)
>>> +++ svn:mergeinfo Tue Oct 13 00:45:31 2015
>>> @@ -8,4 +8,4 @@
>>>   /ofbiz/branches/json-integration-refactoring:1634077-1635900
>>>   /ofbiz/branches/multitenant20100310:921280-927264
>>>   /ofbiz/branches/release13.07:1547657
>>>
>>> -/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207, 
>>>
>>>
>>> 1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
>>>   77,1706591,1706694,1707837,1707857
>>>
>>> +/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207, 
>>>
>>>
>>> 1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
>>>   77,1706591,1706694,1707837,1707857,1708274
>>>
>>> Modified: ofbiz/branches/release14.12/.classpath
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/.classpath?rev=1708275&r1=1708274&r2=1708275&view=diff
>>>
>>> ==============================================================================
>>> --- ofbiz/branches/release14.12/.classpath (original)
>>> +++ ofbiz/branches/release14.12/.classpath Tue Oct 13 00:45:31 2015
>>> @@ -41,6 +41,7 @@
>>>       <classpathentry kind="lib"
>>> path="framework/base/lib/log4j-api-2.3.jar"/>
>>>       <classpathentry kind="lib" path="framework/base/lib/mail-1.5.1.jar"/>
>>>       <classpathentry kind="lib"
>>> path="framework/base/lib/nekohtml-1.9.16.jar"/>
>>> +    <classpathentry kind="lib"
>>> path="framework/base/lib/owasp-java-html-sanitizer-r239.jar"/>
>>>       <classpathentry kind="lib" path="framework/base/lib/esapi-2.1.0.jar"/>
>>>       <classpathentry kind="lib"
>>> path="framework/base/lib/resolver-2.9.1.jar"/>
>>>       <classpathentry kind="lib"
>>> path="framework/base/lib/serializer-2.9.1.jar"/>
>>>
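Review bot: this entry only puts the jar on the Eclipse .classpath, and the failure Deepak reports against this very revision, `NoClassDefFoundError: Could not initialize class org.owasp.html.Sanitizers`, is the message the JVM produces when the class was found but its static initialiser already failed once, not when the class is absent from the classpath. The first exception in the log (an ExceptionInInitializerError, or a NoClassDefFoundError naming some other class) is the real cause. The OWASP sanitizer needs Guava at runtime and this patch adds the sanitizer jar alone, so a missing or incompatible Guava in framework/base/lib on the 14.12 branch is the first thing to check; whatever the transitive dependency turns out to be, it belongs in lib/ and in the LICENSE list next to the sanitizer entry below.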
>>> Modified: ofbiz/branches/release14.12/LICENSE
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/LICENSE?rev=1708275&r1=1708274&r2=1708275&view=diff
>>>
>>> ==============================================================================
>>> --- ofbiz/branches/release14.12/LICENSE (original)
>>> +++ ofbiz/branches/release14.12/LICENSE Tue Oct 13 00:45:31 2015
>>> @@ -67,6 +67,7 @@ framework/base/lib/j2eespecs/annotations
>>>   framework/base/lib/j2eespecs/el-api-2.2.jar
>>>   framework/base/lib/j2eespecs/jsp-api-2.2.jar
>>>   framework/base/lib/j2eespecs/servlet-api-3.0.jar
>>> +framework/base/lib/owasp-java-html-sanitizer-r239.jar
>>>   framework/base/lib/scripting/bsf-2.4.0.jar
>>>   framework/base/lib/scripting/jakarta-oro-2.0.8.jar
>>>   framework/base/lib/scripting/groovy-all-2.2.1.jar
>>>
>>> Modified:
>>> ofbiz/branches/release14.12/applications/content/config/content.properties
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/config/content.properties?rev=1708275&r1=1708274&r2=1708275&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> ofbiz/branches/release14.12/applications/content/config/content.properties
>>> (original)
>>> +++
>>> ofbiz/branches/release14.12/applications/content/config/content.properties
>>> Tue Oct 13 00:45:31 2015
>>> @@ -35,3 +35,7 @@ content.upload.always.local.file=true
>>>
>>>   # content output folder (relative to ofbiz.home)
>>>   content.output.path=runtime/output
>>> +
>>> +#Should we sanitize generic content by default (specific contents -
>>> order, party, category, product, configured product, product promo and work
>>> effort - are always encoded)
>>> +# This has a slightly impact on the code rendered, see . True By default!
>>> +content.sanitize=true
>>>
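Review bot: the comment above `content.sanitize=true` ends in a dangling reference, "see ." with nothing after it, and "a slightly impact on the code rendered" should read "a slight impact on the rendered markup"; point the reader at OFBIZ-6669, which the commit log already cites, since that is where the trade-off behind the property is explained. The comment should also say plainly that `true` is the safe value and that `false` sends any HTML stored in generic Content (by anyone who can write to the CMS back end or the database) to the browser unmodified, and name which paths "are always encoded" refers to, i.e. the *ContentWrapper classes mentioned in the log, so an operator can tell which rendering paths this flag does not govern.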
>>> Modified:
>>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1708275&r1=1708274&r2=1708275&view=diff 
>>>
>>>
>>> ==============================================================================
>>> ---
>>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>>> (original)
>>> +++
>>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>>> Tue Oct 13 00:45:31 2015
>>> @@ -54,6 +54,7 @@ import org.ofbiz.entity.condition.Entity
>>>   import org.ofbiz.entity.condition.EntityOperator;
>>>   import org.ofbiz.entity.util.EntityQuery;
>>>   import org.ofbiz.entity.util.EntityUtil;
>>> +import org.ofbiz.entity.util.EntityUtilProperties;
>>>   import org.ofbiz.minilang.MiniLangException;
>>>   import org.ofbiz.minilang.SimpleMapProcessor;
>>>   import org.ofbiz.service.DispatchContext;
>>> @@ -61,6 +62,8 @@ import org.ofbiz.service.GenericServiceE
>>>   import org.ofbiz.service.LocalDispatcher;
>>>   import org.ofbiz.service.ModelService;
>>>   import org.ofbiz.service.ServiceUtil;
>>> +import org.owasp.html.PolicyFactory;
>>> +import org.owasp.html.Sanitizers;
>>>   import org.xml.sax.InputSource;
>>>   import org.xml.sax.SAXException;
>>>
>>> @@ -335,7 +338,23 @@ public class ContentWorker implements or
>>>               Locale locale, String mimeTypeId, boolean cache) throws
>>> GeneralException, IOException {
>>>           Writer writer = new StringWriter();
>>>           renderContentAsText(dispatcher, delegator, contentId, writer,
>>> templateContext, locale, mimeTypeId, null, null, cache);
>>> -        return writer.toString();
>>> +        String rendered = writer.toString();
>>> +        // According to
>>> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
>>> +        // Normally head should be protected by X-XSS-Protection Response
>>> Header by default
>>> +        if
>>> (EntityUtilProperties.propertyValueEqualsIgnoreCase("content.properties",
>>> "content.sanitize", "true", delegator)
>>> +                && (rendered.contains("<script>")
>>> +                || rendered.contains("<!--")
>>> +                || rendered.contains("<div")
>>> +                || rendered.contains("<style>")
>>> +                || rendered.contains("<span")
>>> +                || rendered.contains("<input")
>>> +                || rendered.contains("<input")
>>> +                || rendered.contains("<iframe")
>>> +                || rendered.contains("<a"))) {
>>> +            PolicyFactory sanitizer =
>>> Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES);
>>> +            rendered = sanitizer.sanitize(rendered);
>>> +        }
>>> +        return rendered;
>>>       }
>>>
>>>       public static String renderContentAsText(LocalDispatcher dispatcher,
>>> Delegator delegator, String contentId, Appendable out,
>>>
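Review bot: the substring gate in front of `sanitizer.sanitize(rendered)` turns a default-on protection into one that any payload outside the list bypasses: `<img src=x onerror=alert(1)>` and `<svg onload=...>` match none of the checked prefixes, `<script src=...>`, `<SCRIPT>` and `<style type=...>` miss the exact-string checks `rendered.contains("<script>")` and `rendered.contains("<style>")`, the checks are case-sensitive although tag names are not, and `rendered.contains("<input")` appears twice. The sanitizer passes plain text through untouched and only rewrites markup, so the gate adds nothing the property does not already provide; drop the `contains` chain and sanitize whenever `content.sanitize` is true, or, if it is meant as a performance shortcut, reduce it to `rendered.indexOf('<') >= 0`. The comment "head should be protected by X-XSS-Protection Response Header" does not hold either: that header only switches on a browser-side heuristic filter that is neither reliable nor present in every browser, and it is no substitute for sanitizing on the server. Lastly, the PolicyFactory is rebuilt on every call; the combined policy is immutable and thread-safe, so build it once in a `static final` field.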
>>> Modified:
>>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>>> URL:
>>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml?rev=1708275&r1=1708274&r2=1708275&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>>> (original)
>>> +++
>>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>>> Tue Oct 13 00:45:31 2015
>>> @@ -78,7 +78,7 @@ under the License.
>>>                 <p>
>>>                 This is a site to demonstrate the CMS capabilities of
>>> OFBiz. Its basic function is the editing of website text
>>>                 inside a browser. If you want to edit the text you are
>>> reading now, logon to the backend system, select the content component
>>> -              click on 'cmssite' in the website list and ten click on the
>>> 'cms' button. There you see on the left hand side the tree of this website.
>>> +              click on 'cmssite' in the website list and then click on
>>> the 'cms' button. There you see on the left hand side the tree of this
>>> website.
>>>                 If you click on 'homepage' then you can edit the content of
>>> this page at the box in the r
>>>                 </p>
>>>                 <p>
>>>
>>>
>>>
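Review bot: the typo fix is fine, and since this demo page is exactly the kind of generic Content that now goes through the sanitizer when `content.sanitize=true`, rendering the cmssite home page after the merge is the quick regression check for the policy chain: the `<p>` structure shown in this hunk should survive unchanged.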
>
>
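The commit log quoted above draws the line between encoding (what the *ContentWrapper classes do) and sanitizing (what this patch adds to ContentWorker). The Java program below is an added example, not OFBiz code and not part of the thread: it runs one constructed piece of stored CMS content through both treatments so the difference is visible. It assumes owasp-java-html-sanitizer (the jar the patch adds) is on the classpath and uses the same policy chain as the patch; the `htmlEncode` helper is a deliberately minimal stand-in for an HTML output encoder, not the project's encoder.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class EncodeVsSanitize {

    // Same policy chain the patch builds in ContentWorker.renderContentAsText.
    // PolicyFactory is immutable and thread-safe, so build it once.
    static final PolicyFactory POLICY = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.IMAGES)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.STYLES);

    // Stand-in for an HTML output encoder (assumption for this example; OFBiz's
    // wrappers use an OWASP/ESAPI encoder). Every character that can open or
    // close markup is turned into a character reference, so whatever was stored
    // is displayed as literal text, benign tags included.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Sanitizing parses the input as HTML and re-serialises only what the
    // policy allows: elements and attributes outside the policy are dropped,
    // the text and the allowed markup are kept.
    static String sanitize(String html) {
        return POLICY.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed CMS content: legitimate page markup plus two injected
        // payloads that the patch's substring gate would not even notice
        // (no "<script>" or "<img" in the list; tag name in upper case).
        String stored = "<p>Welcome to <b>cmssite</b>. "
                + "<a href=\"https://example.com/\">Read more</a></p>"
                + "<img src=\"https://example.com/logo.png\" onerror=\"alert(1)\">"
                + "<SCRIPT src=\"https://evil.example/x.js\"></SCRIPT>";

        // Encoded: every '<' becomes "&lt;", so the browser shows the tags as
        // text. Paragraph, bold and link formatting are lost along with the
        // payloads. Right for a product description, wrong for a CMS page.
        System.out.println("encoded:   " + htmlEncode(stored));

        // Sanitized: <p>, <b> and <a href> survive (LINKS adds rel="nofollow"),
        // the <img> keeps its src but loses onerror, and the <SCRIPT> element
        // is removed entirely. Matching is done by an HTML parser, so tag case
        // and attribute variants do not matter, unlike a substring check.
        System.out.println("sanitized: " + sanitize(stored));
    }
}
```

The practical reading of the two outputs is the one the commit log gives: encoding is the right default wherever stored data is supposed to be text, sanitizing is needed where the stored data is itself HTML that must keep rendering, and neither one needs a list of tag names in front of it to decide whether to run.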


Re: svn commit: r1708275 - in /ofbiz/branches/release14.12: ./ applications/content/config/ applications/content/src/org/ofbiz/content/content/ framework/base/lib/ specialpurpose/cmssite/data/

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Deepak

Indeed something is not working in R14.12, I don't see any missing dependencies (it compiles w/o issues), I'll have a look, thanks!

Jacques

On 13/10/2015 13:50, Deepak Dixit wrote:
> Hi Jacques,
>
> I am getting following exception on 14.12:
>
> {code}
>   java.lang.NoClassDefFoundError: Could not initialize class
> org.owasp.html.Sanitizers
>      [java] at
> org.ofbiz.content.content.ContentWorker.renderContentAsText(ContentWorker.java:354)
> ~[ofbiz-content.jar:?]
>      [java] at
> org.ofbiz.content.content.ContentMapFacade.renderThis(ContentMapFacade.java:343)
> ~[ofbiz-content.jar:?]
>      [java] at
> org.ofbiz.content.content.ContentMapFacade.toString(ContentMapFacade.java:355)
> ~[ofbiz-content.jar:?]
>      [java] at
> freemarker.ext.beans.StringModel.getAsString(StringModel.java:61)
> ~[freemarker-2.3.22.jar:2.3.22]
>      [java] at freemarker.core.EvalUtil.modelToString(EvalUtil.java:55)
> ~[freemarker-2.3.22.jar:2.3.22]
>      [java] at
> freemarker.core.EvalUtil.coerceModelToString(EvalUtil.java:340)
> ~[freemarker-2.3.22.jar:2.3.22]
>
> {code}
>
> Thanks & Regards
> --
> Deepak Dixit
> www.hotwaxsystems.com
>
> On Tue, Oct 13, 2015 at 6:15 AM, <jl...@apache.org> wrote:
>
>> Author: jleroux
>> Date: Tue Oct 13 00:45:31 2015
>> New Revision: 1708275
>>
>> URL: http://svn.apache.org/viewvc?rev=1708275&view=rev
>> Log:
>> "Applied fix from trunk for revision: 1708274  " (handled conflicts on
>> .classpath by hand)
>> ------------------------------------------------------------------------
>> r1708274 | jleroux | 2015-10-13 02:40:47 +0200 (Tue 13 Oct 2015) | 1
>> line
>>
>> Fix for ContentWorker at OFBIZ-6669. For that I have added
>> owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true"
>> property in content.properties with some explanations. The reason I put
>> this property is because the sanitizer does some (safe) changes which might
>> be unwanted in a context where you are "sure" no one can inject/exploit
>> your DB, see the JIRA issue for details. Note that this does not affect the
>> *ContentWrapper.java classes where we use OWASP encoding and not sanitizer.
>> The reason we need the sanitizer here is because we are not only handling
>> content but also HTML code...
>> ------------------------------------------------------------------------
>>
>>
>> Added:
>>
>> ofbiz/branches/release14.12/framework/base/lib/owasp-java-html-sanitizer-r239.jar
>>        - copied unchanged from r1708274,
>> ofbiz/trunk/framework/base/lib/owasp-java-html-sanitizer-r239.jar
>> Modified:
>>      ofbiz/branches/release14.12/   (props changed)
>>      ofbiz/branches/release14.12/.classpath
>>      ofbiz/branches/release14.12/LICENSE
>>
>> ofbiz/branches/release14.12/applications/content/config/content.properties
>>
>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>>
>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>>
>> Propchange: ofbiz/branches/release14.12/
>>
>> ------------------------------------------------------------------------------
>> --- svn:mergeinfo (original)
>> +++ svn:mergeinfo Tue Oct 13 00:45:31 2015
>> @@ -8,4 +8,4 @@
>>   /ofbiz/branches/json-integration-refactoring:1634077-1635900
>>   /ofbiz/branches/multitenant20100310:921280-927264
>>   /ofbiz/branches/release13.07:1547657
>>
>> -/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,
>>
>>   1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
>>   77,1706591,1706694,1707837,1707857
>>
>> +/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,
>>
>>   1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
>>   77,1706591,1706694,1707837,1707857,1708274
>>
>> Modified: ofbiz/branches/release14.12/.classpath
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/.classpath?rev=1708275&r1=1708274&r2=1708275&view=diff
>>
>> ==============================================================================
>> --- ofbiz/branches/release14.12/.classpath (original)
>> +++ ofbiz/branches/release14.12/.classpath Tue Oct 13 00:45:31 2015
>> @@ -41,6 +41,7 @@
>>       <classpathentry kind="lib"
>> path="framework/base/lib/log4j-api-2.3.jar"/>
>>       <classpathentry kind="lib" path="framework/base/lib/mail-1.5.1.jar"/>
>>       <classpathentry kind="lib"
>> path="framework/base/lib/nekohtml-1.9.16.jar"/>
>> +    <classpathentry kind="lib"
>> path="framework/base/lib/owasp-java-html-sanitizer-r239.jar"/>
>>       <classpathentry kind="lib" path="framework/base/lib/esapi-2.1.0.jar"/>
>>       <classpathentry kind="lib"
>> path="framework/base/lib/resolver-2.9.1.jar"/>
>>       <classpathentry kind="lib"
>> path="framework/base/lib/serializer-2.9.1.jar"/>
>>
>> Modified: ofbiz/branches/release14.12/LICENSE
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/LICENSE?rev=1708275&r1=1708274&r2=1708275&view=diff
>>
>> ==============================================================================
>> --- ofbiz/branches/release14.12/LICENSE (original)
>> +++ ofbiz/branches/release14.12/LICENSE Tue Oct 13 00:45:31 2015
>> @@ -67,6 +67,7 @@ framework/base/lib/j2eespecs/annotations
>>   framework/base/lib/j2eespecs/el-api-2.2.jar
>>   framework/base/lib/j2eespecs/jsp-api-2.2.jar
>>   framework/base/lib/j2eespecs/servlet-api-3.0.jar
>> +framework/base/lib/owasp-java-html-sanitizer-r239.jar
>>   framework/base/lib/scripting/bsf-2.4.0.jar
>>   framework/base/lib/scripting/jakarta-oro-2.0.8.jar
>>   framework/base/lib/scripting/groovy-all-2.2.1.jar
>>
>> Modified:
>> ofbiz/branches/release14.12/applications/content/config/content.properties
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/config/content.properties?rev=1708275&r1=1708274&r2=1708275&view=diff
>>
>> ==============================================================================
>> ---
>> ofbiz/branches/release14.12/applications/content/config/content.properties
>> (original)
>> +++
>> ofbiz/branches/release14.12/applications/content/config/content.properties
>> Tue Oct 13 00:45:31 2015
>> @@ -35,3 +35,7 @@ content.upload.always.local.file=true
>>
>>   # content output folder (relative to ofbiz.home)
>>   content.output.path=runtime/output
>> +
>> +#Should we sanitize generic content by default (specific contents -
>> order, party, category, product, configured product, product promo and work
>> effort - are always encoded)
>> +# This has a slightly impact on the code rendered, see . True By default!
>> +content.sanitize=true
>>
>> Modified:
>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1708275&r1=1708274&r2=1708275&view=diff
>>
>> ==============================================================================
>> ---
>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>> (original)
>> +++
>> ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
>> Tue Oct 13 00:45:31 2015
>> @@ -54,6 +54,7 @@ import org.ofbiz.entity.condition.Entity
>>   import org.ofbiz.entity.condition.EntityOperator;
>>   import org.ofbiz.entity.util.EntityQuery;
>>   import org.ofbiz.entity.util.EntityUtil;
>> +import org.ofbiz.entity.util.EntityUtilProperties;
>>   import org.ofbiz.minilang.MiniLangException;
>>   import org.ofbiz.minilang.SimpleMapProcessor;
>>   import org.ofbiz.service.DispatchContext;
>> @@ -61,6 +62,8 @@ import org.ofbiz.service.GenericServiceE
>>   import org.ofbiz.service.LocalDispatcher;
>>   import org.ofbiz.service.ModelService;
>>   import org.ofbiz.service.ServiceUtil;
>> +import org.owasp.html.PolicyFactory;
>> +import org.owasp.html.Sanitizers;
>>   import org.xml.sax.InputSource;
>>   import org.xml.sax.SAXException;
>>
>> @@ -335,7 +338,23 @@ public class ContentWorker implements or
>>               Locale locale, String mimeTypeId, boolean cache) throws
>> GeneralException, IOException {
>>           Writer writer = new StringWriter();
>>           renderContentAsText(dispatcher, delegator, contentId, writer,
>> templateContext, locale, mimeTypeId, null, null, cache);
>> -        return writer.toString();
>> +        String rendered = writer.toString();
>> +        // According to
>> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
>> +        // Normally head should be protected by X-XSS-Protection Response
>> Header by default
>> +        if
>> (EntityUtilProperties.propertyValueEqualsIgnoreCase("content.properties",
>> "content.sanitize", "true", delegator)
>> +                && (rendered.contains("<script>")
>> +                || rendered.contains("<!--")
>> +                || rendered.contains("<div")
>> +                || rendered.contains("<style>")
>> +                || rendered.contains("<span")
>> +                || rendered.contains("<input")
>> +                || rendered.contains("<input")
>> +                || rendered.contains("<iframe")
>> +                || rendered.contains("<a"))) {
>> +            PolicyFactory sanitizer =
>> Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES);
>> +            rendered = sanitizer.sanitize(rendered);
>> +        }
>> +        return rendered;
>>       }
>>
>>       public static String renderContentAsText(LocalDispatcher dispatcher,
>> Delegator delegator, String contentId, Appendable out,
>>
>> Modified:
>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml?rev=1708275&r1=1708274&r2=1708275&view=diff
>>
>> ==============================================================================
>> ---
>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>> (original)
>> +++
>> ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
>> Tue Oct 13 00:45:31 2015
>> @@ -78,7 +78,7 @@ under the License.
>>                 <p>
>>                 This is a site to demonstrate the CMS capabilities of
>> OFBiz. Its basic function is the editing of website text
>>                 inside a browser. If you want to edit the text you are
>> reading now, logon to the backend system, select the content component
>> -              click on 'cmssite' in the website list and ten click on the
>> 'cms' button. There you see on the left hand side the tree of this website.
>> +              click on 'cmssite' in the website list and then click on
>> the 'cms' button. There you see on the left hand side the tree of this
>> website.
>>                 If you click on 'homepage' then you can edit the content of
>> this page at the box in the r
>>                 </p>
>>                 <p>
>>
>>
>>