Posted to dev@ofbiz.apache.org by Daniel Watford <da...@foomoo.co.uk> on 2022/11/13 17:00:59 UTC

Re: Question/reflexion about html validation

Hi Gaetan,

Did you solve the issue you were having with HTML validation?

On Tue, 18 Oct 2022 at 09:58, Gaetan <ga...@nereide.fr> wrote:

> Hello community,
> We are in the process of migrating OFBiz from 18 to 22 for a project,
> and we saw some part of the code that we would like to discuss.
>
> Our case is the following:
> - We have this string as input data :
> "MY ITEM DESSCRIPTION\rS:UK 5.5 - EU 39 - CC:126334"
> - We are calling the service `createShoppingListOrderItemAttribute` with
> `attrValue` set with the previous string.
> - this service has a safe html policy.
> ```xml
> <override name="attrValue" allow-html="safe"/>
> ```
> - the service fails because of security validation process.
> - we got puzzled and analyzed the code, and found this:
> UtilCodec:L538
> ```java
>         // Sanitize with the configured HTML policy, then decode HTML entities and
>         // ECMAScript escape sequences so the result can be compared with the input.
>         String filtered = policy.sanitize(value);
>         String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
>         String unescapeEcmaScriptAndHtml4 = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
>         // Replaces possible quotes entities in value (due to HtmlSanitizer above) to avoid
>         // issue with testCreateCustRequestItemNote and allow saving when using quotes in fields
>         if (filtered != null && !value.replace("&#39;", "'").replace("&#34;", "\"").equals(unescapeEcmaScriptAndHtml4)) {
>             String issueMsg = null;
>             if (locale.equals(new Locale("test"))) { // labels are not available in testClasses Gradle task
>                 issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "
>                         + "for security reason. Please check and modify accordingly, thanks.";
>             } else {
>                 issueMsg = UtilProperties.getMessage("SecurityUiLabels", "PolicySafe",
>                         UtilMisc.toMap("valueName", valueName), locale);
>             }
>             errorMessageList.add(issueMsg);
>         }
> ```
> From what we understood, the input string is parsed as HTML and
> Javascript, and then compared to the initial string.
> If the initial and the parsed string are different, then there is a
> security issue, and an error is added to the service return.
>
> This causes us some questions and issues, with the example string above,
> and more specifically the `\r` string.
> Because the `StringEscapeUtils.unescapeEcmaScript()` parses the `\r`
> string as the **line break character**, and the comparison doesn't match.
> So for us, in this case, the security validation doesn't allow the
> string even though there is no security issue.
>
> Could someone give some guidance or explanation on why this is done like
> this?
> Thanks a lot in advance
>
>

-- 
Daniel Watford
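To make the comparison Gaetan describes easy to reproduce outside OFBiz, here is an added example (not OFBiz code and not from either poster) that mirrors the UtilCodec check using the OWASP Java HTML Sanitizer and Apache Commons Text. The policy `Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)` and the helper name `isAcceptedBySafePolicy` are assumptions; OFBiz builds its own policy in UtilCodec. The first constructed input carries the literal backslash-r from the thread, which `unescapeEcmaScript` decodes to a carriage return so the strings no longer match; the other two show inputs the check is meant to let through.

```java
import org.apache.commons.text.StringEscapeUtils;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SafeHtmlCheckDemo {
    // Assumed policy for this demo; OFBiz configures its own PolicyFactory in UtilCodec.
    private static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

    /**
     * Mirrors the allow-html="safe" comparison from UtilCodec: the value is accepted
     * only if sanitizing it and then decoding HTML entities and ECMAScript escapes
     * yields the original value (with the sanitizer's quote entities folded back).
     */
    static boolean isAcceptedBySafePolicy(String value) {
        String filtered = POLICY.sanitize(value);
        String unescapedHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
        // A literal backslash followed by 'r' in the input becomes a real CR character here.
        String unescapedBoth = StringEscapeUtils.unescapeEcmaScript(unescapedHtml4);
        // The sanitizer emits ' and " as &#39; and &#34;; undo that on the input side.
        String normalized = value.replace("&#39;", "'").replace("&#34;", "\"");
        return filtered != null && normalized.equals(unescapedBoth);
    }

    public static void main(String[] args) {
        // Constructed inputs. In Java source "\\r" is the two characters backslash and r,
        // i.e. the literal \r that appears in the item description from the thread.
        String withLiteralBackslashR = "MY ITEM DESSCRIPTION\\rS:UK 5.5 - EU 39 - CC:126334";
        String plain = "MY ITEM DESCRIPTION S:UK 5.5 - EU 39 - CC:126334";
        String withQuote = "Men's shoe";

        System.out.println("literal \\r accepted: " + isAcceptedBySafePolicy(withLiteralBackslashR));
        System.out.println("plain text accepted: " + isAcceptedBySafePolicy(plain));
        System.out.println("single quote accepted: " + isAcceptedBySafePolicy(withQuote));
    }
}
```

Any input containing a backslash escape that ECMAScript recognises (`\r`, `\n`, `\t`, `\uXXXX`) is rejected by this comparison even when it contains no markup at all, which is the false positive the thread is about.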