[
https://issues.apache.org/jira/browse/OFBIZ-12273?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17374953#comment-17374953
]
Jacques Le Roux commented on OFBIZ-12273:
-----------------------------------------
Hi Sebastian,
My changes in OFBIZ-12249 were only to handle textareas. The case Nicolas
reported is not related to a textarea. So I simply bypass this special case.
For now I keep the localhost check in UtilHttp::extractUrls because such a URL
can be used in a textarea during development. I'll verify that this does not
introduce a possible vulnerability in production. Do you already have an idea
about that?
I did not put in a way to customise using a property because I did not see any
other "protocols" that could be used in textareas. I thought about webdav, but
it uses http/s so it's already handled. Are you thinking of something else? Of
course it would be easy to set such a thing, and you could provide it if you
need.
> IndexOutOfBoundsException on Entity Import
> ------------------------------------------
>
> Key: OFBIZ-12273
> URL: https://issues.apache.org/jira/browse/OFBIZ-12273
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: 18.12.01, Release Branch 17.12, Trunk
> Reporter: Sebastian Berg
> Assignee: Jacques Le Roux
> Priority: Major
>
> I get an IndexOutOfBoundsException when using the EntityImport.
> The problem occurs while having a resemblance of a URL in the data.
> For example '
> screenPath="component://project/widget/project/ContentScreens.xml#main-page-template"'
> is interpreted as a URL because of '://' but doesn't match a valid URL
> pattern.
> The problem seems to be directly connected to Issue 12249. I think the used
> pattern in UtilHttp.extractUrl() should at least be configurable like the
> customSafePolicy. [~jleroux] maybe you can have a look since you implemented
> the changes.