Hello community,
We are in the process of migrating OFBiz from 18 to 22 for a project,
and we saw some parts of the code that we would like to discuss.
Our case is the following:
- We have this string as input data :
"MY ITEM DESSCRIPTION\rS:UK 5.5 - EU 39 - CC:126334"
- We are calling the service `createShoppingListOrderItemAttribute` with
`attrValue` set to the previous string.
- This service has a safe HTML policy:
```xml
<override name="attrValue" allow-html="safe"/>
```
- The service fails because of the security validation process.
- We got puzzled, analyzed the code, and found this:
UtilCodec:L538
```java
String filtered = policy.sanitize(value);
String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
String unescapeEcmaScriptAndHtml4 = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
// Replaces possible quotes entities in value (due to HtmlSanitizer above) to avoid issue with
// testCreateCustRequestItemNote and allow saving when using quotes in fields
if (filtered != null && !value.replace("&#39;", "'").replace("&#34;", "\"").equals(unescapeEcmaScriptAndHtml4)) {
    String issueMsg = null;
    if (locale.equals(new Locale("test"))) { // labels are not available in testClasses Gradle task
        issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "
                + "for security reason. Please check and modify accordingly, thanks.";
    } else {
        issueMsg = UtilProperties.getMessage("SecurityUiLabels", "PolicySafe",
                UtilMisc.toMap("valueName", valueName), locale);
    }
    errorMessageList.add(issueMsg);
}
```
From what we understood, the input string is parsed as HTML and
JavaScript, and then compared to the initial string.
If the initial and the parsed string are different, then there is a
security issue, and an error is added to the service return.
This causes us some questions and issues with the example string above,
and more specifically the `\r` string.
Because `StringEscapeUtils.unescapeEcmaScript()` parses the `\r`
string as the **line break character**, the comparison doesn't match.
So for us, in this case, the security validation doesn't allow the
string even though there is no security issue.
Could someone give some guidance or an explanation on why this is done like
this?
Thanks a lot in advance
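To make the round-trip check described in the message concrete, here is an added Python model of it (not OFBiz code; `sanitize`, `unescape_html4` and `unescape_ecmascript` are simplified stand-ins for the OWASP policy and the Commons Text calls, and the sample inputs are constructed):

```python
import html
import re

# Stand-in for the OWASP sanitizer policy used by OFBiz: drop every tag,
# decode entities in the remaining text and re-encode it the way the sanitizer
# does (quotes become the numeric entities &#39; and &#34;).
def sanitize(value: str) -> str:
    text = html.unescape(re.sub(r"<[^>]*>", "", value))
    return (text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&#34;").replace("'", "&#39;"))

# Stand-in for StringEscapeUtils.unescapeHtml4.
def unescape_html4(value: str) -> str:
    return html.unescape(value)

# Stand-in for StringEscapeUtils.unescapeEcmaScript: a backslash followed by
# one of these characters is read as a JavaScript escape sequence, so the two
# characters '\' 'r' collapse into a single carriage return.
_JS_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "b": "\b", "f": "\f",
               "\\": "\\", "'": "'", '"': '"'}

def unescape_ecmascript(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _JS_ESCAPES:
            out.append(_JS_ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def check_string_for_html_safe(value: str) -> bool:
    """Mirror the UtilCodec round trip: accept the value only if sanitizing it
    and undoing HTML and ECMAScript escaping gives back the original text
    (after the same quote-entity normalisation OFBiz applies to the input)."""
    filtered = sanitize(value)
    round_tripped = unescape_ecmascript(unescape_html4(filtered))
    normalised = value.replace("&#39;", "'").replace("&#34;", '"')
    return normalised == round_tripped

if __name__ == "__main__":
    # Constructed inputs: the post's string with a literal backslash-r, the same
    # string with a real carriage return, quoted text, and a tag-bearing value.
    samples = ["MY ITEM DESSCRIPTION\\rS:UK 5.5 - EU 39 - CC:126334",
               "MY ITEM DESSCRIPTION\rS:UK 5.5 - EU 39 - CC:126334",
               'O\'Brien "Ltd"', "x<script>y</script>"]
    for s in samples:
        print(f"{s!r}: {'accepted' if check_string_for_html_safe(s) else 'rejected'}")
```

The first sample is rejected only because the two-character sequence backslash-r is decoded to a carriage return before the comparison, while the same text carrying a real carriage return is accepted.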