Hi Deepak

Indeed something is not working in R14.12, I don't see any missing dependencies 
(it compiles w/o issues), I'll have a look, thanks!

Jacques

On 13/10/2015 13:50, Deepak Dixit wrote:
Hi Jacques,

I am getting the following exception on 14.12:

{code}
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.html.Sanitizers
     [java] at org.ofbiz.content.content.ContentWorker.renderContentAsText(ContentWorker.java:354) ~[ofbiz-content.jar:?]
     [java] at org.ofbiz.content.content.ContentMapFacade.renderThis(ContentMapFacade.java:343) ~[ofbiz-content.jar:?]
     [java] at org.ofbiz.content.content.ContentMapFacade.toString(ContentMapFacade.java:355) ~[ofbiz-content.jar:?]
     [java] at freemarker.ext.beans.StringModel.getAsString(StringModel.java:61) ~[freemarker-2.3.22.jar:2.3.22]
     [java] at freemarker.core.EvalUtil.modelToString(EvalUtil.java:55) ~[freemarker-2.3.22.jar:2.3.22]
     [java] at freemarker.core.EvalUtil.coerceModelToString(EvalUtil.java:340) ~[freemarker-2.3.22.jar:2.3.22]
{code}

Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com

On Tue, Oct 13, 2015 at 6:15 AM, <[email protected]> wrote:

Author: jleroux
Date: Tue Oct 13 00:45:31 2015
New Revision: 1708275

URL: http://svn.apache.org/viewvc?rev=1708275&view=rev
Log:
"Applied fix from trunk for revision: 1708274  " (handled conflicts on
.classpath by hand)
------------------------------------------------------------------------
r1708274 | jleroux | 2015-10-13 02:40:47 +0200 (mar. 13 oct. 2015) | 1
ligne

Fix for ContentWorker at OFBIZ-6669. For that I have added
owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true"
property in content.properties with some explanations. The reason I put
this property is because the sanitizer does some (safe) changes which might
be unwanted in a context where you are "sure" no one can inject/exploit
your DB, see the JIRA issue for details. Note that this does not affect the
*ContentWrapper.java classes where we use OWASP encoding and not sanitizer.
The reason we need the sanitizer here is because we are not only handling
content but also HTML code...
------------------------------------------------------------------------


Added:
     ofbiz/branches/release14.12/framework/base/lib/owasp-java-html-sanitizer-r239.jar
       - copied unchanged from r1708274, ofbiz/trunk/framework/base/lib/owasp-java-html-sanitizer-r239.jar
Modified:
     ofbiz/branches/release14.12/   (props changed)
     ofbiz/branches/release14.12/.classpath
     ofbiz/branches/release14.12/LICENSE
     ofbiz/branches/release14.12/applications/content/config/content.properties
     ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
     ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml

Propchange: ofbiz/branches/release14.12/

------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Oct 13 00:45:31 2015
@@ -8,4 +8,4 @@
  /ofbiz/branches/json-integration-refactoring:1634077-1635900
  /ofbiz/branches/multitenant20100310:921280-927264
  /ofbiz/branches/release13.07:1547657

-/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,

  
1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
  77,1706591,1706694,1707837,1707857

+/ofbiz/trunk:1649072,1649083-1649084,1649086,1649090,1649096,1649230,1649238-1649239,1649248,1649272,1649275,1649280-1649281,1649283,1649285-1649286,1649291,1649329,1649331,1649384,1649393,1649666,1649742,1650240,1650348,1650357,1650583,1650642,1650678,1650821,1650882,1650887,1650938,1651593,1652312,1652361,1652638,1652641,1652672,1652688,1652706,1652725,1652731,1652739,1652852,1653248,1653296,1653456,1653597,1653614,1654175,1654273,1654509,1654670,1654672-1654673,1654683-1654684,1654824,1655046,1655668,1655979,1656014,1656185,1656198,1656445,1656983,1657323,1657506-1657507,1657514,1657714,1657790,1657848,1658364,1658662,1658882,1659224,1659965,1660031,1660053,1660389,1660444,1660579,1661303,1661328,1661760,1661778,1661853,1661862,1661873,1661940,1661951,1661977,1662119-1662120,1662361,1662500,1662812,1662919,1663202,1663912,1663979,1664602,1664604,1664696,1665154,1665162,1665535,1666404,1666511,1666633,1666836,1666939,1666949,1666958,1667055,1667253,1667483,1667492,1667774,1668207,

  
1668214,1668236,1668246,1668258,1668263,1668265,1668270,1668277,1668314,1668657,1669317,1669588,1672427,1672430,1672846,1672853,1672856,1672862,1672873,1673764,1674447,1674464,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1679709,1679720,1679728,1679732,1679957,1680155,1680288,1680304,1680671,1680675,1680733,1680840,1680881,1682272,1682295,1682415,1682633,1683998,1684094,1686360,1686536,1686545,1686566,1686569,1686574,1686583,1686635,1686651,1686970,1687427,1688772,1690086,1690581,1692357,1692458,1692600,1692604,1693393,1693579,1695017,1696018,1696234,1697590,1697647,1697993,1698259,1698261,1698263,1701164,1701441,1701819,1701825,1701936,1702002,1702548,1702704,1703121,1703586,1703945,1703954,1703965,1703971,1703976-1703977,1703981,1704000,1704014,1704018,1704036,1704043,1704052,1704082,1704140,1704230,1705004,1705329,1705405,1705412,1705417,1705427,1705532,1706159,1706162,1706316,1706531,1706549,1706553,1706561,1706569,17065
  77,1706591,1706694,1707837,1707857,1708274

Modified: ofbiz/branches/release14.12/.classpath
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release14.12/.classpath?rev=1708275&r1=1708274&r2=1708275&view=diff

==============================================================================
--- ofbiz/branches/release14.12/.classpath (original)
+++ ofbiz/branches/release14.12/.classpath Tue Oct 13 00:45:31 2015
@@ -41,6 +41,7 @@
      <classpathentry kind="lib"
path="framework/base/lib/log4j-api-2.3.jar"/>
      <classpathentry kind="lib" path="framework/base/lib/mail-1.5.1.jar"/>
      <classpathentry kind="lib"
path="framework/base/lib/nekohtml-1.9.16.jar"/>
+    <classpathentry kind="lib"
path="framework/base/lib/owasp-java-html-sanitizer-r239.jar"/>
      <classpathentry kind="lib" path="framework/base/lib/esapi-2.1.0.jar"/>
      <classpathentry kind="lib"
path="framework/base/lib/resolver-2.9.1.jar"/>
      <classpathentry kind="lib"
path="framework/base/lib/serializer-2.9.1.jar"/>
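Review bot: this hunk only registers the new jar on the Eclipse build path, so it does not account for the runtime failure reported earlier in the thread; a NoClassDefFoundError reading "Could not initialize class org.owasp.html.Sanitizers" means the class itself was located but its static initializer had already failed once (the first occurrence in the log is an ExceptionInInitializerError naming the real cause), which is consistent with something the sanitizer jar itself needs being absent at runtime even though compilation succeeds. Check the earliest exception in the log and confirm that everything owasp-java-html-sanitizer-r239.jar depends on is also present under framework/base/lib before treating the backport as complete.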

Modified: ofbiz/branches/release14.12/LICENSE
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release14.12/LICENSE?rev=1708275&r1=1708274&r2=1708275&view=diff

==============================================================================
--- ofbiz/branches/release14.12/LICENSE (original)
+++ ofbiz/branches/release14.12/LICENSE Tue Oct 13 00:45:31 2015
@@ -67,6 +67,7 @@ framework/base/lib/j2eespecs/annotations
  framework/base/lib/j2eespecs/el-api-2.2.jar
  framework/base/lib/j2eespecs/jsp-api-2.2.jar
  framework/base/lib/j2eespecs/servlet-api-3.0.jar
+framework/base/lib/owasp-java-html-sanitizer-r239.jar
  framework/base/lib/scripting/bsf-2.4.0.jar
  framework/base/lib/scripting/jakarta-oro-2.0.8.jar
  framework/base/lib/scripting/groovy-all-2.2.1.jar

Modified:
ofbiz/branches/release14.12/applications/content/config/content.properties
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/config/content.properties?rev=1708275&r1=1708274&r2=1708275&view=diff

==============================================================================
---
ofbiz/branches/release14.12/applications/content/config/content.properties
(original)
+++
ofbiz/branches/release14.12/applications/content/config/content.properties
Tue Oct 13 00:45:31 2015
@@ -35,3 +35,7 @@ content.upload.always.local.file=true

  # content output folder (relative to ofbiz.home)
  content.output.path=runtime/output
+
+#Should we sanitize generic content by default (specific contents -
order, party, category, product, configured product, product promo and work
effort - are always encoded)
+# This has a slightly impact on the code rendered, see . True By default!
+content.sanitize=true
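Review bot: the comment above the new content.sanitize property has a dangling reference ("see .") where the issue link belongs; point it at OFBIZ-6669, which the commit message cites, and fix "slightly impact" to "slight impact" and "True By default!" to "true by default". It would also help operators to state what the sanitizer actually changes in rendered content (the commit message only says "(safe) changes"), since that is what someone needs in order to decide whether to disable it, and disabling it is the risky direction.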

Modified:
ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java?rev=1708275&r1=1708274&r2=1708275&view=diff

==============================================================================
---
ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
(original)
+++
ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWorker.java
Tue Oct 13 00:45:31 2015
@@ -54,6 +54,7 @@ import org.ofbiz.entity.condition.Entity
  import org.ofbiz.entity.condition.EntityOperator;
  import org.ofbiz.entity.util.EntityQuery;
  import org.ofbiz.entity.util.EntityUtil;
+import org.ofbiz.entity.util.EntityUtilProperties;
  import org.ofbiz.minilang.MiniLangException;
  import org.ofbiz.minilang.SimpleMapProcessor;
  import org.ofbiz.service.DispatchContext;
@@ -61,6 +62,8 @@ import org.ofbiz.service.GenericServiceE
  import org.ofbiz.service.LocalDispatcher;
  import org.ofbiz.service.ModelService;
  import org.ofbiz.service.ServiceUtil;
+import org.owasp.html.PolicyFactory;
+import org.owasp.html.Sanitizers;
  import org.xml.sax.InputSource;
  import org.xml.sax.SAXException;

@@ -335,7 +338,23 @@ public class ContentWorker implements or
              Locale locale, String mimeTypeId, boolean cache) throws
GeneralException, IOException {
          Writer writer = new StringWriter();
          renderContentAsText(dispatcher, delegator, contentId, writer,
templateContext, locale, mimeTypeId, null, null, cache);
-        return writer.toString();
+        String rendered = writer.toString();
+        // According to
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
+        // Normally head should be protected by X-XSS-Protection Response
Header by default
+        if
(EntityUtilProperties.propertyValueEqualsIgnoreCase("content.properties",
"content.sanitize", "true", delegator)
+                && (rendered.contains("<script>")
+                || rendered.contains("<!--")
+                || rendered.contains("<div")
+                || rendered.contains("<style>")
+                || rendered.contains("<span")
+                || rendered.contains("<input")
+                || rendered.contains("<input")
+                || rendered.contains("<iframe")
+                || rendered.contains("<a"))) {
+            PolicyFactory sanitizer =
Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES);
+            rendered = sanitizer.sanitize(rendered);
+        }
+        return rendered;
      }

      public static String renderContentAsText(LocalDispatcher dispatcher,
Delegator delegator, String contentId, Appendable out,
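Review bot: the gate in front of the sanitizer duplicates `rendered.contains("<input")` and, more importantly, is a case-sensitive substring blacklist: `"<script>"` only matches a bare tag with no attributes, and uppercase tag names or attributes on elements outside the list never trigger sanitizing, so content.sanitize=true does not actually guarantee that the returned content was sanitized. Since the OWASP policy is the real control and already passes benign markup through, sanitize unconditionally whenever the property is true and drop the substring list. Two smaller points: `Sanitizers.FORMATTING.and(Sanitizers.BLOCKS)...` builds a new PolicyFactory on every render although a PolicyFactory is immutable and thread-safe, so hoist it into a `private static final` field; and the comment about X-XSS-Protection should be reworded, because that response header is a browser-side heuristic and not a substitute for the output sanitizing this code adds.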

Modified:
ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml?rev=1708275&r1=1708274&r2=1708275&view=diff

==============================================================================
---
ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
(original)
+++
ofbiz/branches/release14.12/specialpurpose/cmssite/data/CmsSiteDemoData.xml
Tue Oct 13 00:45:31 2015
@@ -78,7 +78,7 @@ under the License.
                <p>
                This is a site to demonstrate the CMS capabilities of
OFBiz. Its basic function is the editing of website text
                inside a browser. If you want to edit the text you are
reading now, logon to the backend system, select the content component
-              click on 'cmssite' in the website list and ten click on the
'cms' button. There you see on the left hand side the tree of this website.
+              click on 'cmssite' in the website list and then click on
the 'cms' button. There you see on the left hand side the tree of this
website.
                If you click on 'homepage' then you can edit the content of
this page at the box in the r
                </p>
                <p>
