[
https://issues.apache.org/jira/browse/OFBIZ-11265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16965033#comment-16965033
]
Jacques Le Roux edited comment on OFBIZ-11265 at 11/1/19 6:54 PM:
------------------------------------------------------------------
Hi Pradeep,
This issue is currently blocked by OFBIZ-11266.
This said I agree that we should check the {{sanitizer.enable}} properties when
calling {{UtilCodec::checkStringForHtmlSafe.
Note, even if it's obvious, that if an user sets {{sanitizer.enable=false}},
then all the services protected by allow-html="safe" will lose this protection.
I tried using using [^OFBIZ-11265.patch] but got another issue:
{noformat}
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |ServiceEcaRule
|I| For Service ECA [updateDataText] on [invoke] got false for condition:
[dataResourceTypeId][not-equals][ELECTRONIC_TEXT][true][S
tring]
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |ServiceDispatcher
|T| Sync service [lucene/updateDataText] finished in [5] milliseconds
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |GroupServiceModel
|I| Running grouped service [updateContent]
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |ModelService
|E| [ModelService.validate] : {updateContent} : (IN) Required test error:
org.apache.ofbiz.service.ServiceValidationException: Le p
aramètre requis suivant manque : [IN] [updateContent.contentId]
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |ServiceDispatcher
|E| Incoming context (in runSync : updateContent) does not match expected
requirements
org.apache.ofbiz.service.ServiceValidationException: Le paramètre requis
suivant manque : [IN] [updateContent.contentId]
{noformat}
I gave up at this stage for now.
was (Author: jacques.le.roux):
Hi Pradeep,
This issue is currently blocked by OFBIZ-11266.
This said I agree that we should check the {{sanitizer.enable}} properties when
calling {{UtilCodec::checkStringForHtmlSafe.
Note, even if it's obvious, that if an user sets {{sanitizer.enable=false}},
then all the services protected by allow-html="safe" will lose this protection.
I tried using using but got another issue:
{noformat}
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |ServiceEcaRule
|I| For Service ECA [updateDataText] on [invoke] got false for condition:
[dataResourceTypeId][not-equals][ELECTRONIC_TEXT][true][S
tring]
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |ServiceDispatcher
|T| Sync service [lucene/updateDataText] finished in [5] milliseconds
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |GroupServiceModel
|I| Running grouped service [updateContent]
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |ModelService
|E| [ModelService.validate] : {updateContent} : (IN) Required test error:
org.apache.ofbiz.service.ServiceValidationException: Le p
aramètre requis suivant manque : [IN] [updateContent.contentId]
2019-11-01 19:23:27,076 |jsse-nio-8443-exec-1 |ServiceDispatcher
|E| Incoming context (in runSync : updateContent) does not match expected
requirements
org.apache.ofbiz.service.ServiceValidationException: Le paramètre requis
suivant manque : [IN] [updateContent.contentId]
{noformat}
I gave up at this stage for now.
> Getting policy error while editing html text data using cms
> -----------------------------------------------------------
>
> Key: OFBIZ-11265
> URL: https://issues.apache.org/jira/browse/OFBIZ-11265
> Project: OFBiz
> Issue Type: Improvement
> Reporter: Pradeep Choudhary
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 17.12.01
>
> Attachments: OFBIZ-11265.patch, OFBIZ-11265.patch
>
>
> Service parameter with allow-html="safe" does not check the OWASP sanitizer
> flag ie. enabled or not and perform sanitization which causing policy error
> while editing text data
> getting following exception error:
> "In field [textData] by our input policy, your input has not been accepted
> for security reason. Please check and modify accordingly, thanks."
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
