[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-03-07 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16787637#comment-16787637
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

Hi Michael,

Agreed, it should be another Jira based on the work Dennis did here (still to 
be reviewed). 

Because, as I wrote many times, owasp.esapi is flawed and that was the reason 
the sanitizer and policies were created. I'll see that later...

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: 16.11.04
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
> Attachments: OFBIZ-10187_Sanitizer.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-03-07 Thread Michael Brohl (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16787225#comment-16787225
 ] 

Michael Brohl commented on OFBIZ-10187:
---

[~jacques.le.roux],

I think we should not mix up things too much. This issue and the patch Dennis 
provided addresses the problem that the sanitizer policy is too restrictive for 
real world projects. It improves the current implementation by adding more 
flexibility for users while still preserving the status quo in the default 
setting.






[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-03-07 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16787037#comment-16787037
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

Thanks Dennis,

I'll have a look ASAP which should not be this weekend but the next, at the 
earliest.

We need to extend the usage of policies to fix issues like OFBIZ-5254, OFBIZ-10054 
and at large continue the work begun at OFBIZ-5343, and especially answer 
discussions like https://markmail.org/message/gdyolxnpl5heu6ru. In other words, 
to completely replace owasp.esapi by policies everywhere.






[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-03-07 Thread Dennis Balkir (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16787012#comment-16787012
 ] 

Dennis Balkir commented on OFBIZ-10187:
---

Hi Jacques, Michael,

since this is something I stumbled upon while working on a project, I took the 
time to implement a fix for this.
I added some functionality and made the whole sanitizing process more 
customizable this way.

This is the way it works:
* There is now a property {{sanitizer.enable}}, which I added to 
owasp.properties, that can turn the whole sanitizing process on or off
* I changed the existing property {{sanitizer.permissive.policy}} from boolean 
use to text use
* With {{sanitizer.permissive.policy=CUSTOM}} it is now possible to use a 
customized policy, which then replaces the {{PERMISSIVE_POLICY}}
** I implemented an Interface, which is the base for the custom policy
** There is another property {{sanitizer.custom.policy.class}} in which a class 
path can be specified
** The sanitize method will get the class for the path from the property and 
will check if it implements the mentioned interface
** When the class implements the interface, a method {{getSanitizerPolicy()}} 
is used and will return the specified policy of the custom class
** When failing, the default {{PERMISSIVE_POLICY}} is used as a fallback

I also added a class {{CustomPermissivePolicy}} which can be used as an example 
for this customizing process.
There also should be no invulnerable policies in there, so it should be safe to 
use, even without changing it at all.
It also features many attributes and elements that the current 
{{PERMISSIVE_POLICY}} is missing.




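The loading sequence Dennis describes above (read {{sanitizer.enable}} and {{sanitizer.permissive.policy}}, resolve {{sanitizer.custom.policy.class}} by reflection, check that it implements the policy interface, call {{getSanitizerPolicy()}}, fall back to {{PERMISSIVE_POLICY}} on any failure) as a self-contained Java example. This is added illustration, not the attached patch or OFBiz code: the interface name {{SanitizerCustomPolicy}}, the class names, the exact element and attribute lists, and the stand-in default policy are assumptions; only the property names, {{getSanitizerPolicy()}} and the fallback behaviour come from the comment. It uses the OWASP Java HTML Sanitizer ({{org.owasp.html}}) that the OFBiz sanitizer is built on, and runs the reporter's kind of markup through both policies so the effect on {{class}} attributes is visible.

```java
import java.util.Properties;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// ASSUMED name: the comment only says "an interface" with a getSanitizerPolicy() method.
interface SanitizerCustomPolicy {
    PolicyFactory getSanitizerPolicy();
}

// Stand-in for the posted CustomPermissivePolicy (contents assumed, not the patch's).
// Keeps class on every allowed element, restricts a/href and img/src to http(s).
class ExampleCustomPolicy implements SanitizerCustomPolicy {
    @Override
    public PolicyFactory getSanitizerPolicy() {
        return new HtmlPolicyBuilder()
            .allowElements("div", "p", "h1", "h2", "h3", "span", "a", "img")
            .allowAttributes("class").globally()
            .allowAttributes("href").onElements("a")
            .allowAttributes("src", "alt").onElements("img")
            .allowUrlProtocols("http", "https")   // javascript:, data: etc. are dropped
            .requireRelNofollowOnLinks()
            .toFactory()
            .and(Sanitizers.FORMATTING);
    }
}

public class SanitizerPolicyLoader {
    // Stand-in default: block and formatting elements only, no class attribute,
    // which reproduces the stripping the issue reports.
    static final PolicyFactory PERMISSIVE_POLICY = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

    // Returns null when sanitizing is switched off entirely.
    static PolicyFactory resolvePolicy(Properties props) {
        if (!Boolean.parseBoolean(props.getProperty("sanitizer.enable", "true"))) {
            return null;
        }
        if (!"CUSTOM".equalsIgnoreCase(props.getProperty("sanitizer.permissive.policy", ""))) {
            return PERMISSIVE_POLICY;
        }
        String className = props.getProperty("sanitizer.custom.policy.class", "");
        try {
            Class<?> clazz = Class.forName(className);
            // Interface check before instantiation: an arbitrary class name in the
            // properties file must not be instantiated just because it exists.
            if (!SanitizerCustomPolicy.class.isAssignableFrom(clazz)) {
                return PERMISSIVE_POLICY;
            }
            SanitizerCustomPolicy custom =
                (SanitizerCustomPolicy) clazz.getDeclaredConstructor().newInstance();
            PolicyFactory policy = custom.getSanitizerPolicy();
            return policy != null ? policy : PERMISSIVE_POLICY;
        } catch (ReflectiveOperationException | RuntimeException e) {
            return PERMISSIVE_POLICY; // fallback described in the comment
        }
    }

    static String sanitize(String html, Properties props) {
        PolicyFactory policy = resolvePolicy(props);
        return policy == null ? html : policy.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed input modelled on the reporter's slider markup, plus two
        // hostile attributes to show what the custom policy still removes.
        String html = "<div class=\"slider\"><img src=\"/webcontent/img/slider/1.jpg\" alt=\"\"/>"
            + "<p class=\"lead\" onmouseover=\"alert(1)\">Lorem ipsum dolor sit amet</p>"
            + "<a class=\"btn\" href=\"javascript:alert(1)\">weitere Informationen</a></div>";

        Properties defaults = new Properties();
        System.out.println(sanitize(html, defaults));   // class attributes stripped

        Properties custom = new Properties();
        custom.setProperty("sanitizer.permissive.policy", "CUSTOM");
        custom.setProperty("sanitizer.custom.policy.class", ExampleCustomPolicy.class.getName());
        System.out.println(sanitize(html, custom));     // class kept; onmouseover and javascript: href dropped
    }
}
```

Two points a reviewer of such a mechanism would want stated: {{sanitizer.enable=false}} disables the only output-side XSS defence for that content, so it belongs in development configurations only; and because the policy class is chosen by name from a properties file and instantiated reflectively, write access to that file is equivalent to choosing the sanitizer policy, which is why the example checks the interface before calling the constructor and falls back to the default on any failure rather than to "no sanitizing".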


[jira] [Updated] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-03-07 Thread Dennis Balkir (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dennis Balkir updated OFBIZ-10187:
--
Attachment: OFBIZ-10187_Sanitizer.patch






[jira] [Created] (OFBIZ-10846) In AddFinAccountTrans selectable glAccountId values are sorted on glAccountId

2019-03-07 Thread Pierre Smits (JIRA)
Pierre Smits created OFBIZ-10846:


 Summary: In AddFinAccountTrans selectable glAccountId values are 
sorted on glAccountId
 Key: OFBIZ-10846
 URL: https://issues.apache.org/jira/browse/OFBIZ-10846
 Project: OFBiz
  Issue Type: Bug
  Components: accounting
Affects Versions: 16.11.05, 16.11.04, Release Branch 16.11, Release Branch 
15.12, Trunk, Release Branch 14.12, Release Branch 13.07, 17.12.01, 16.11.06, 
Release Branch 17.12, Release Branch 18.12, 18.12.01
Reporter: Pierre Smits


In the AddFinAccountTrans form in FinAccountForms.xml the values in the field 
glAccountId are sorted on the primary key, per
{code:java}
        
            
                
                    
                    
                
            
        
{code}
The sort order should however be on the accountCode field of the entity





[jira] [Commented] (OFBIZ-7741) Address scope peculiarities within search/find functionality of projectmgr

2019-03-07 Thread Michael Brohl (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-7741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16786706#comment-16786706
 ] 

Michael Brohl commented on OFBIZ-7741:
--

Did you check this with other users except the admin users (admin, fulladmin)?

The admin user has full permissions in all applications so it is expected that 
he can see the projects.

> Address scope peculiarities within search/find functionality of projectmgr
> --
>
> Key: OFBIZ-7741
> URL: https://issues.apache.org/jira/browse/OFBIZ-7741
> Project: OFBiz
>  Issue Type: Improvement
>  Components: projectmgr
>Affects Versions: Trunk, 17.12.01, 16.11.04, 16.11.05
>Reporter: Pierre Smits
>Priority: Minor
> Attachments: projectmgr-projectsearch-admin.png, 
> projectmgr-summary-admin.png
>
>
> Currently the search/find functions in the projectmgr component also 
> retrieves projects a user is not a participant in. This is especially 
> critical regarding projects with scope 'WES_PRIVATE - private' or 
> 'WES_CONFIDENTIAL - confidential'.
> These projects may only be searched for/found by users that are explicit 
> participants of the projects. This overrules the generic permissions of 
> 'PROJECTMGR_ADMIN' or 'PROJECTMGR_VIEW'.





[jira] [Updated] (OFBIZ-7741) Address scope peculiarities within search/find functionality of projectmgr

2019-03-07 Thread Michael Brohl (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-7741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Brohl updated OFBIZ-7741:
-
Priority: Minor  (was: Critical)



