This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit ed6e413569953c542e927aadd466808e9875897c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Jul 1 17:26:18 2022 +0200
Improved: CustomSafePolicy, also use TagBalancingHtmlStreamEventReceiver (OFBIZ-12653)
Adds <img> and <hr> to CustomSafePolicy, removes obsolete <tt>.
<img> allows only attributes src and alt.
Both <br> and <br /> are correct. For that, this rather uses TagBalancingHtmlStreamEventReceiver
Thanks: Ingo Wolfmayr
---
 .../apache/ofbiz/base/html/CustomSafePolicy.java | 3 +-
 .../java/org/apache/ofbiz/base/util/UtilCodec.java | 33 +++++++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java b/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
index 5bb2f8f193..0a6cff33d6 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/html/CustomSafePolicy.java
@@ -60,7 +60,8 @@ public class CustomSafePolicy implements SanitizerCustomPolicy {
 .matching(true, "center", "left", "right", "justify", "char")
 .onElements("p")
 // These elements are allowed.
- .allowElements("a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul", "ol", "li")
+ .allowElements("a", "p", "div", "i", "b", "em", "blockquote", "hr", "strong", "br", "ul", "ol", "li", "img")
+ .allowAttributes("src", "alt").onElements("img")
 .toFactory();
 @Override
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index 495befd3c5..e4ac346fc0 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
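Review bot: `.allowAttributes("src", "alt").onElements("img")` admits `src` with no restriction visible in the hunk, and whether that is safe depends on the URL-protocol settings earlier in the builder chain, which lie outside the hunk. As far as I recall HtmlPolicyBuilder treats `src` as a URL attribute and filters it by the protocols registered with `allowUrlProtocols`/`allowStandardUrlProtocols`, rejecting it outright when none are registered, so confirm the chain above allows only http/https and never `data:` or `javascript:`; otherwise the new `<img>` is either silently dropped or becomes a carrier for inline payloads. Even with http/https only, a remote `src` lets stored content pull images from arbitrary hosts, so if this policy guards content shown to other users consider narrowing it with `.matching(...)` to a same-origin path pattern. I would also state the intent on the new line: `.allowAttributes("src", "alt").onElements("img") // src is still subject to the allowed URL protocols declared above`.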
@@ -40,9 +40,13 @@ import org.owasp.esapi.codecs.Codec;
 import org.owasp.esapi.codecs.HTMLEntityCodec;
 import org.owasp.esapi.codecs.PercentCodec;
 import org.owasp.esapi.codecs.XMLEntityCodec;
+import org.owasp.html.Handler;
 import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.HtmlSanitizer;
+import org.owasp.html.HtmlStreamRenderer;
 import org.owasp.html.PolicyFactory;
 import org.owasp.html.Sanitizers;
+import org.owasp.html.TagBalancingHtmlStreamEventReceiver;
 @SuppressWarnings("rawtypes")
 public class UtilCodec {
@@ -490,7 +494,34 @@ public class UtilCodec {
 }
 if (value != null) {
- value = value.replaceAll("<br>", "<br />"); // Both are OK, so <br> is accepted, see OFBIZ-12653
+ //Create valid HTML from input with empty sanitizer. Compare the result with the sanitized result.
+ StringBuilder htmlOutput = new StringBuilder();
+ HtmlStreamRenderer renderer = HtmlStreamRenderer.create(htmlOutput, Handler.DO_NOTHING);
+ TagBalancingHtmlStreamEventReceiver balancer = new TagBalancingHtmlStreamEventReceiver(renderer);
+ HtmlSanitizer.sanitize(value, new HtmlSanitizer.Policy() {
+ @Override
+ public void openDocument() {
+ balancer.openDocument();
+ }
+ @Override
+ public void openTag(String tagName, List<String> attrs) {
+ balancer.openTag(tagName, attrs);
+ }
+ @Override
+ public void text(String text) {
+ balancer.text(text);
+ }
+ @Override
+ public void closeTag(String tagName) {
+ balancer.closeTag(tagName);
+ }
+ @Override
+ public void closeDocument() {
+ balancer.closeDocument();
+ }
+ });
+
+ value = htmlOutput.toString();
 String filtered = policy.sanitize(value);
 String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
 String unescapeEcmaScriptAndHtml4 = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
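Review bot: `Handler.DO_NOTHING` on the `HtmlStreamRenderer.create` line makes the normalization pass lossy — tags and attributes the renderer reports as invalid are silently dropped instead of surfacing — so `policy.sanitize(value)` and the comparison after the hunk now judge a cleaned copy rather than the caller's input, and anything discarded here can no longer fail validation. That is acceptable only if every caller uses the returned `value` and never its original string; the method's return is outside the hunk and worth confirming, together with whether the reassignment of `value` is wanted by callers that treat this method as a pure validator. Note also that the re-rendered `value` is entity-encoded text (a bare `&` comes out as `&amp;`) while `filtered` is passed through `unescapeHtml4` before the equality check that follows, so confirm both sides are normalized the same way or plain text containing `&` may now be rejected. I would make the new contract explicit on the `value = htmlOutput.toString();` line: `// value is now the re-rendered, tag-balanced form; callers must use the returned value, not their original input`.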