Hi Gaetan, Did you solve the issue you were having with HTML validation?
On Tue, 18 Oct 2022 at 09:58, Gaetan <gaetan.chabous...@nereide.fr> wrote:
> Hello community,
> We are under the process of migrating ofbiz from 18 to 22 for a project, and we saw some part of the code that we would like to discuss.
>
> Our case is the following :
> - We have this string as input data :
>   "MY ITEM DESSCRIPTION\rS:UK 5.5 - EU 39 - CC:126334"
> - We are calling the service `createShoppingListOrderItemAttribute` with `attrValue` set with the previous string.
> - this service has a safe html policy.
> ```xml
> <override name="attrValue" allow-html="safe"/>
> ```
> - the service fails because of the security validation process.
> - we got puzzled and analyzed the code, and found this :
> UtilCodec:L538
> ```java
> String filtered = policy.sanitize(value);
> String unescapeHtml4 = StringEscapeUtils.unescapeHtml4(filtered);
> String unescapeEcmaScriptAndHtml4 = StringEscapeUtils.unescapeEcmaScript(unescapeHtml4);
> // Replaces possible quotes entities in value (due to HtmlSanitizer above) to avoid issue with
> // testCreateCustRequestItemNote and allow saving when using quotes in fields
> if (filtered != null && !value.replace("&#39;", "'").replace("&#34;", "\"").equals(unescapeEcmaScriptAndHtml4)) {
>     String issueMsg = null;
>     if (locale.equals(new Locale("test"))) { // labels are not available in testClasses Gradle task
>         issueMsg = "In field [" + valueName + "] by our input policy, your input has not been accepted "
>                 + "for security reason. Please check and modify accordingly, thanks.";
>     } else {
>         issueMsg = UtilProperties.getMessage("SecurityUiLabels", "PolicySafe",
>                 UtilMisc.toMap("valueName", valueName), locale);
>     }
>     errorMessageList.add(issueMsg);
> }
> ```
> From what we understood, the input string is parsed as HTML and Javascript, and then compared to the initial string.
> If the initial and the parsed string are different, then there is a security issue, and an error is added to the service return.
>
> This causes us some questions and issues, with the example string above, and more specifically the `\r` string.
> Because the `StringEscapeUtils.unescapeEcmaScript()` parses the `\r` string as the **line break character**, and the comparison doesn't match.
> So for us, in this case, the security validation doesn't allow the string even though there is no security issue.
>
> Could someone give some guidance or explanation on why this is done like this ?
> Thanks a lot in advance

-- 
Daniel Watford
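To make the round trip in the quoted UtilCodec snippet observable, here is an added Python example; it is not OFBiz code and not something either poster wrote. It re-creates the three steps (sanitize, unescape HTML4, unescape ECMAScript) and the final comparison. The HTML sanitizer is replaced by a stand-in that only models what the OWASP sanitizer does to plain text (assumption: it leaves the text alone apart from emitting the five HTML special characters as numeric entities); the ECMAScript unescape is a minimal re-implementation of the commons-text behaviour for the common escape sequences (also an assumption). Beyond the `\r` case from the thread it shows that any other ECMAScript escape sequence in legitimate text (a `\t` or `\n` in a Windows path, for instance) is rejected the same way, while quotes survive because of the entity normalisation applied to the original value.

```python
import html
import re

# Stand-in for the OFBiz "safe" HtmlPolicyBuilder policy (assumption, plain text only):
# the sanitizer leaves ordinary characters untouched and emits & < > ' " as numeric
# entities. Real markup handling (dropping <script> etc.) is deliberately not modelled.
def sanitize_stub(value: str) -> str:
    table = {"&": "&#38;", "<": "&#60;", ">": "&#62;", "'": "&#39;", '"': "&#34;"}
    return "".join(table.get(ch, ch) for ch in value)


# Minimal equivalent of commons-text StringEscapeUtils.unescapeEcmaScript (assumption):
# handles \n \r \t \b \f \\ \' \" \/ plus \xHH and \uHHHH; any other backslash
# sequence is left as it is.
_ESCAPE = re.compile(r"\\(u[0-9A-Fa-f]{4}|x[0-9A-Fa-f]{2}|.)", re.DOTALL)
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f",
           "\\": "\\", "'": "'", '"': '"', "/": "/"}


def unescape_ecmascript(s: str) -> str:
    def repl(m: re.Match) -> str:
        tok = m.group(1)
        if len(tok) == 5 and tok[0] == "u":
            return chr(int(tok[1:], 16))
        if len(tok) == 3 and tok[0] == "x":
            return chr(int(tok[1:], 16))
        return _SIMPLE.get(tok, "\\" + tok)
    return _ESCAPE.sub(repl, s)


def check_string_for_html_safe(value: str) -> tuple:
    """Mirror of the UtilCodec comparison: returns (accepted, round_trip_value)."""
    filtered = sanitize_stub(value)                      # policy.sanitize(value)
    unescaped_html4 = html.unescape(filtered)            # StringEscapeUtils.unescapeHtml4
    round_trip = unescape_ecmascript(unescaped_html4)    # StringEscapeUtils.unescapeEcmaScript
    # UtilCodec normalises the quote entities the sanitizer may have produced
    # before comparing, so plain quotes in the original are not rejected.
    normalized = value.replace("&#39;", "'").replace("&#34;", '"')
    return normalized == round_trip, round_trip


def demo() -> dict:
    """Constructed inputs; Python "\\r" is the two characters backslash + r,
    i.e. the literal text from the thread, not a carriage return."""
    samples = {
        "thread_value": "MY ITEM DESSCRIPTION\\rS:UK 5.5 - EU 39 - CC:126334",
        "quotes": "It's a \"quoted\" value",
        "windows_path_tab_newline": "C:\\temp\\new",
        "windows_path_other_letters": "C:\\Users\\gaetan",
    }
    results = {}
    for name, value in samples.items():
        accepted, round_trip = check_string_for_html_safe(value)
        results[name] = accepted
        print(f"{name:28s} accepted={accepted!s:5s} original={value!r} round_trip={round_trip!r}")
    return results


if __name__ == "__main__":
    demo()
```

Running it prints the original and the round-tripped string with `repr`, so the point of the thread is visible directly: the two characters `\` `r` come back as a single carriage return, the strings differ, and the value is rejected although it contains no markup at all.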