Hi Ruth,

Thanks for giving the heads-up regarding the loglevel in the esapi.properties file.

Regards,

Pierre Smits

*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-Based Manufacturing, Professional Services and Retail & Trade
http://www.orrtiz.com

On Mon, Oct 21, 2013 at 11:07 PM, Ruth Hoffman <[email protected]> wrote:

> Hi Skip:
> For what it is worth, I had the same issue and I couldn't for the life of
> me figure out why I was seeing these messages. I also would be interested in
> knowing where (and why) this message is being thrown since if you read the
> message content, there doesn't seem to be anything "invalid" about the HTML.
>
> FYI - To get rid of this annoying message, I ended up setting the
> ESAPI.properties file entry:
>
> LogLevel=ERROR
>
> So at least the error messages were not being displayed.
>
> Hope that helps.
> Ruth Hoffman
>
> That was obvious to me because of a line I left out of error message:
>>
>> ValidationException @ org.owasp.esapi.reference.DefaultValidator.getValidSafeHTML(null:-1)
>>
>> However, that puts me no closer to understanding where it is coming from
>> originally. This function is called originally in ModelService.validate
>> and there is a line of code there that sez something like
>> if(errorMessageList.size() > 0) throw ...
>>
>> There are no exceptions in the log and no user has reported one. I am just
>> seeing this on the console screen.
>>
>> So, how do I find out which service is causing this?
>>
>> Skip
>>
>> -----Original Message-----
>> From: Adrian Crum [mailto:adrian.crum@sandglass-software.com]
>> Sent: Monday, October 21, 2013 11:13 AM
>> To: [email protected]
>> Subject: Re: html validation errors
>>
>> Most likely that is coming from OWASP/ESAPI.
>>
>> Adrian Crum
>> Sandglass Software
>> www.sandglass-software.com
>>
>> On 10/21/2013 10:49 AM, Skip wrote:
>>
>>> I am getting validation errors on System.err that look like this:
>>>
>>> Oct 21, 2013 9:25:57 AM AppNameNotSpecified IntrusionDetector
>>> WARNING: SECURITY-FAILURE Anonymous@unknown:unknown -- Invalid HTML input:
>>> context=content, errors=[The <b>html</b> tag has been filtered for security
>>> reasons. The contents of the tag will remain in place., The <b>head</b> tag
>>> has been filtered for security reasons. The contents of the tag will remain
>>> in place., The <b>meta</b> tag has been filtered for security reasons. The
>>> contents of the tag will remain in place., The <b>title</b> tag has been
>>> filtered for security reasons. The contents of the tag will remain in
>>> place., The <b>style</b> tag has been filtered for security reasons. The
>>> contents of the tag will remain in place., The <b>body</b> tag has been
>>> filtered for security reasons. The contents of the tag will remain in
>>> place., The <b>h1</b> tag has been filtered for security reasons. The
>>> contents of the tag will remain in place., The <b>h1</b> tag has been
>>> filtered for security reasons. The contents of the tag will remain in
>>> place.]
>>>
>>> I would like to track down where this is coming from, but there is no
>>> information in the logs.
>>>
>>> Can anyone provide a clue?
>>>
>>> Skip
