Posted to notifications@ofbiz.apache.org by "Pradeep Choudhary (Jira)" <ji...@apache.org> on 2019/11/01 04:12:00 UTC

[jira] [Comment Edited] (OFBIZ-11265) Getting policy error while editing html text data using cms

    [ https://issues.apache.org/jira/browse/OFBIZ-11265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16963696#comment-16963696 ] 

Pradeep Choudhary edited comment on OFBIZ-11265 at 11/1/19 4:11 AM:
--------------------------------------------------------------------

As checked, data sanitization takes place during the service validation in the following steps:
 # If the service parameter contains allow-html="safe", it calls *UtilCodec.checkStringForHtmlSafe* method for data sanitization.
 # It doesn't check the OWASP sanitizer configuration, i.e. whether the sanitizer is enabled or disabled.
 # It performs policy checks and sanitization without entertaining the configuration flag.

 

IMO, UtilCodec.checkStringForHtmlSafe method should have proper checks to validate sanitizer configuration, which will perform the further operation only if the user enables the flag.

 

WDYT?

 


was (Author: pradeep.choudhary1994):
As checked, data sanitization is done during the service validation in the following steps:
 # If the service parameter contains allow-html="safe", it calls *UtilCodec.checkStringForHtmlSafe* method for data sanitization.
 # It doesn't check the OWASP sanitizer configuration, i.e. whether the sanitizer is enabled or disabled.
 # It performs policy checks and sanitization without entertaining the configuration flag.

 

IMO, UtilCodec.checkStringForHtmlSafe method should have proper checks to validate sanitizer configuration, which will perform the further operation only if the user enables the flag.

 

WDYT?

 

> Getting policy error while editing html text data using cms
> -----------------------------------------------------------
>
>                 Key: OFBIZ-11265
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11265
>             Project: OFBiz
>          Issue Type: Improvement
>            Reporter: Pradeep Choudhary
>            Priority: Major
>             Fix For: 17.12.01
>
>
> Service parameter with allow-html="safe" does not check the OWASP sanitizer flag, i.e. whether it is enabled or not, and performs sanitization, which causes a policy error while editing text data,
> giving the following exception error:
> "In field [textData] by our input policy, your input has not been accepted for security reason. Please check and modify accordingly, thanks."
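The following is an added illustration of the change the comment proposes; it is not OFBiz code and not Pradeep's patch. It keeps the shape of UtilCodec.checkStringForHtmlSafe (value name, value, error list) but returns early when the sanitizer flag is off. The flag itself (sanitizerEnabled), the chosen OWASP policy (formatting plus block elements) and the sample CMS text are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;

import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Added example (not OFBiz code): a sanitizer-gated variant of the
 * allow-html="safe" check described in the Jira comment.
 */
public final class HtmlSafeCheckExample {

    // Assumed: in OFBiz this would be read from the OWASP sanitizer
    // configuration; here it is a plain field so the example runs stand-alone.
    private static boolean sanitizerEnabled = true;

    // Assumed policy: formatting and block elements only. Anything the policy
    // strips makes the sanitized text differ from the input, which is what
    // produces the "input has not been accepted" message.
    private static final PolicyFactory POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

    public static void setSanitizerEnabled(boolean enabled) {
        sanitizerEnabled = enabled;
    }

    /**
     * Same contract as the real method: returns the value unchanged and appends
     * a message to errorMessageList when the policy rejects it. The difference
     * from the behaviour reported in the issue is the early return when the
     * sanitizer is disabled, so the flag is honoured before any policy check.
     */
    public static String checkStringForHtmlSafe(String valueName, String value,
                                                List<String> errorMessageList) {
        if (!sanitizerEnabled) {
            // Flag off: skip policy enforcement entirely, as the comment proposes.
            return value;
        }
        if (value == null || value.isEmpty()) {
            return value;
        }
        String sanitized = POLICY.sanitize(value);
        if (!sanitized.equals(value)) {
            // Wording copied from the error quoted in the issue description.
            errorMessageList.add("In field [" + valueName + "] by our input policy, "
                    + "your input has not been accepted for security reason. "
                    + "Please check and modify accordingly, thanks.");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample: <marquee> is outside the assumed policy, so the
        // sanitized output differs from the input.
        String cmsText = "<p>Release notes</p><marquee>scrolling</marquee>";

        List<String> errors = new ArrayList<>();
        setSanitizerEnabled(true);
        checkStringForHtmlSafe("textData", cmsText, errors);
        System.out.println("sanitizer on, errors: " + errors.size());   // 1

        errors.clear();
        setSanitizerEnabled(false);
        checkStringForHtmlSafe("textData", cmsText, errors);
        System.out.println("sanitizer off, errors: " + errors.size());  // 0
    }
}
```

The example needs the OWASP Java HTML Sanitizer (org.owasp.html) on the classpath. The point it makes is the ordering: the configuration flag is consulted first, and the policy comparison that produces the quoted error only runs when the flag is on.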



--
This message was sent by Atlassian Jira
(v8.3.4#803005)