From: "Ruth Hoffman" <[email protected]>
Hi Bob:
Thanks for the response. Based on your answer, I'm wondering when OFBiz started 
doing this

This effort began around November 2008 and "ended" (not totally complete, say 98%, see https://issues.apache.org/jira/browse/OFBIZ-1525 for instance) around March 2009

and where in the code/or configuration files I can go to remove this logging.

I'm afraid there is currently nothing in OFBiz to remove this kind of logging. It may be doable and is a part of ESAPI (http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API)


Could this be part of scrubbing that is done as a precursor to using the 
sendMail service?

No, it's not specifically related to that.

Jacques

I'm trying to figure out where this is happening. I am posting some text from a textarea. And I'm saving that and then formatting and sending an email with some of that content.

Thanks again.
Ruth
Bob Morley wrote:
Hi Ruth,

I believe this is the standard OFBiz validation of incoming parameters to a
service.  It appears this is used when the incoming parameter has been
marked as to allow only "safe" html.  The implementation makes use of the
DefaultValidator below and can be configured by changing an xml file. Here 
is the comment in the code:

Based on the ESAPI validator configured in the antisamy-esapi.xml file.

So from this I would gauge that you had put something in your screen and
then clicked to post that information to the server.  One of the fields from
your form post contains some characters that the validator deemed to not be
"safe".  This type of stuff is usually to guard against sql injection and
such ... My guess is that you pasted some html into a textarea and tried to
do a save?


Ruth Hoffman-2 wrote:

version 803418 (9.04)
Where is this log messaging coming from? What framework or other component is 
generating it? And under what types of conditions?

Aug 13, 2009 7:56:49 PM AppNameNotSpecified IntrusionDetector
WARNING: SECURITY-FAILURE anonym...@unknown:unknown -- Invalid HTML input: context=body, errors=[The table tag has been filtered for security reasons. The contents of the tag will remain in place., The tr tag has been filtered for security reasons. The contents of the tag will remain in place., The th tag has been filtered for security reasons. The contents of the tag will remain in place., The tr... *[THIS PART REMOVED]* ...contents of the tag will remain in place., The td tag has been filtered for security reasons. The contents of the tag will remain in place.]
    ValidationException @ 
org.owasp.esapi.reference.DefaultValidator.getValidSafeHTML(null:-1)

Thanks
Ruth
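
Added example (not part of the original thread and not OFBiz or ESAPI code): a small Python triage script for the IntrusionDetector warning quoted above. It lists which tags were filtered in each event and marks events that involve anything other than table layout tags. Only the message wording comes from the quoted log; the sample lines, the user name and the LAYOUT_TAGS set are constructed assumptions.

```python
import re
from collections import Counter

# Wording of both patterns is taken from the log line quoted in the thread.
EVENT = re.compile(
    r"SECURITY-FAILURE (?P<user>\S+) -- Invalid HTML input: "
    r"context=(?P<context>[^,]+), errors=\[(?P<errors>.*)"
)
FILTERED = re.compile(r"The (\w+) tag has been filtered for security reasons")
# Assumption for this example: tags that only affect table layout.
LAYOUT_TAGS = {"table", "thead", "tbody", "tr", "th", "td"}

def parse_event(line):
    """Parse one 'Invalid HTML input' warning; return None for other lines."""
    m = EVENT.search(line)
    if m is None:
        return None
    # Entries cut short in the log (e.g. "The tr...") do not match and are skipped.
    tags = Counter(t.lower() for t in FILTERED.findall(m.group("errors")))
    layout_only = bool(tags) and set(tags) <= LAYOUT_TAGS
    return {"user": m.group("user"), "context": m.group("context"),
            "tags": dict(tags), "verdict": "layout-only" if layout_only else "review"}

def parse_log(lines):
    """Return the parsed events found in an iterable of log lines."""
    return [e for e in map(parse_event, lines) if e is not None]

def _errors(tags):
    # Builds a constructed errors=[...] list using the wording from the thread.
    msg = ("The {} tag has been filtered for security reasons. "
           "The contents of the tag will remain in place.")
    return ", ".join(msg.format(t) for t in tags)

# Constructed sample input (user name and tag lists are made up).
SAMPLE_LOG = [
    "Aug 13, 2009 7:56:49 PM AppNameNotSpecified IntrusionDetector",
    "WARNING: SECURITY-FAILURE demo-user@unknown:unknown -- Invalid HTML input: "
    "context=body, errors=[" + _errors(["table", "tr", "th", "tr", "td"]) + "]",
    "WARNING: SECURITY-FAILURE demo-user@unknown:unknown -- Invalid HTML input: "
    "context=body, errors=[" + _errors(["form", "td"]) + ", The tr...",
]

if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(event)
```

Which tags a real deployment filters depends on the policy in antisamy-esapi.xml, so the layout-tag set should be adjusted to match it.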








