
Possible stored XSS issue with Content

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Release Branch 12.04, Release Branch 13.07, Release Branch 14.12, Trunk
    • Fix Version/s: 14.12.01, 16.11.01
    • Component/s: content, order, party, product, workeffort
    • Labels:
      None

      Description

      I found a possible XSS attack through *ContentWrapper.java and ContentWorker itself.

      Note that in supported releases it's hard to exploit: it's a Stored XSS (https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting), which means you first need to somehow inject the exploiting code into the DB.

      Issues in *ContentWrapper.java have already been fixed by changing the ContentWrapper interface
      from

          public interface ContentWrapper {
              public StringUtil.StringWrapper get(String contentTypeId);
          }
      

      to

          public interface ContentWrapper {
              public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
          }
      

      And changing the Category, Party, Product, ProductPromo, ProductConfigItem and WorkEffort ContentWrappers accordingly. This means using 2 types of encoderTypes: "html" and "url".
      The "html" encoderType will be used for all ProductContentTypes except those whose ContentTypeIds contain URL (actually, end with "_URL"), which will use the "url" encoderType.
      It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.

      It seems a big change but it's straightforward. It's now complete after the following commits in revisions (I hope I did not forget to report any):
      trunk 1705329 1705417 1705427 1705532 1706159 1706162 1707857 1708930
      and related backports in R14.12 1705331 1705418 1705428 1705533 1706160 1706163 1707858 1708931

      I have also committed a fix for ContentWorker. For that I have added owasp-java-html-sanitizer-r239.jar and put a "content.sanitize=true" property in content.properties with some explanations. The reason I put this property in is that the sanitizer makes some (safe) changes which might be unwanted in a context where you are "sure" no one can inject into/exploit your DB.

      Here are, for instance, the changes the sanitizer makes when rendering cmssite:

      @@ -19,7 +19,7 @@
       <body>
      
      
      -            <div id="header">
      +            <div>
                       <h1>This is the header!</h1>
                   </div>
      
      @@ -27,34 +27,26 @@
      
                   <div>
                     <h1>Welcome to the CmsSite Home page.</h1>
      -              <center><table width="350"><tr><td>
      +
                     <p>
                     This is a site to demonstrate the CMS capabilities of OFBiz. Its basic function is the editing of website text
                     inside a browser. If you want to edit the text you are reading now, logon to the backend system, select the content component
      -              click on 'cmssite' in the website list and ten click on the 'cms' button. There you see on the left hand side the tree of this website.
      -              If you click on 'homepage' then you can edit the content of this page at the box in the r
      +              click on &#39;cmssite&#39; in the website list and ten click on the &#39;cms&#39; button. There you see on the left hand side the tree of this website.
      +              If you click on &#39;homepage&#39; then you can edit the content of this page at the box in the r
                     </p>
                     <p>
                     This is only the basic function of the CMS which is part of the content component. The content component is actually more than a
                     CMS it can also handle documents pretty well. An example is the apache OFBiz document you can see when you click on the last option in the list below.
      -              <p>
      -              </td></tr></table></center>
      -              <ul>
      -                <li><a href="/cmssite/cms/CMSS_DEMO_PAGE1">Demo Page 1 - Hard Coded Link</a></div>
      -                <li><a href="/cmssite/cms/CMSS_PPOINT/demoPage1">Demo Page 1 - Hard Coded Link using the Sub-Content Pattern</a></li>
      -                <li><a href="/cmssite/cms/CMSS_DEMO_PAGE1;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo Page 1 - Dynamic Link</a></li>
      -                <li><a href="/cmssite/cms/CMSS_DEMO_SCREEN;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo Page with screen widget and screen decorator</a></li>
      -                <li><a href="/cmssite/cms/CMSS_DEMO_BLOG;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo Page with blog using screen decorator</a></li>
      -                <li><a href="/cmssite/cms/CMSS_DEMO_TPL_DATA;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">Demo Page with an xml resource formatted with a template ftl resource</a></li>
      -                <li><a href="/cmssite/cms/PUBLIC_DOCS;jsessionid=014BD837D7FFB6E0F8CB31AAF35092A0.jvm1">The ofbiz public documents</a></li>
      -              </ul>
      +              </p><p>
      +              </p>
      +              <ul><li><a href="/cmssite/cms/CMSS_DEMO_PAGE1" rel="nofollow">Demo Page 1 - Hard Coded Link</a>
      +                </li><li><a href="/cmssite/cms/CMSS_PPOINT/demoPage1" rel="nofollow">Demo Page 1 - Hard Coded Link using the Sub-Content Pattern</a></li><li><a href="/cmssite/cms/CMSS_DEMO_PAGE1" rel="nofollow">Demo Page 1 - Dynamic Link</a></li><li><a href="/cmssite/cms/CMSS_DEMO_SCREEN" rel="nofollow">Demo Page with screen widget and screen decorator</a></li><li><a href="/cmssite/cms/CMSS_DEMO_BLOG" rel="nofollow">Demo Page with blog using screen decorator</a></li><li><a href="/cmssite/cms/CMSS_DEMO_TPL_DATA" rel="nofollow">Demo Page with an xml resource formatted with a template ftl resource</a></li><li><a href="/cmssite/cms/PUBLIC_DOCS" rel="nofollow">The ofbiz public documents</a></li></ul>
                   </div>
      
      
      -
      -            <div id="footer">
      -                <h4>This is the footer!</h4>
      +            <div>
      +
                   </div>
      -            </body>
      -            </html>
      +
      +
      
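Review bot: several distinct sanitizer behaviours are mixed in this hunk and should be checked one by one before deciding the policy is acceptable. The `<center><table width="350"><tr><td>` wrapper is removed while its text survives: `center` is in none of the prepackaged policies and table elements need the tables policy, so this is a policy choice, not a bug. The `<a>` elements gain `rel="nofollow"`, which is what the links policy adds by default; they also lose the `;jsessionid=...` path parameter, and whether that is the sanitizer or simply the container not rewriting URLs on this render (the request had a session cookie) is worth verifying, because it changes what the two renders are comparing. Apostrophes become `&#39;`, the stray `</a></div>` closing the first `<li>` and the unclosed second `<p>` are re-balanced, and the closing `</body></html>` disappear: the sanitizer re-serialises a fragment from its own parse tree instead of copying the input, which is exactly the property that makes the output safe. One thing that looks unrelated to any of these rules is the footer: `<h4>This is the footer!</h4>` vanishes and only an empty `<div>` remains, while the header `<h1>` in the same document survived, so that case deserves a look.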

      I wonder why it removes the ids, "<center><table" and the ending </body> and </html>, but those guys know much more about XSS exploitation than I do. As explained at https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project :

      • Actively maintained by Mike Samuel from Google's AppSec team!
      • Passing 95+% of AntiSamy's unit tests plus many more.
      • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.

      Note that this does not affect the *ContentWrapper.java classes where we use OWASP encoding and not the sanitizer. The reason we need the sanitizer here is that we are not only handling content but also HTML code...
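The encoderType dispatch the description introduces ("html" for every content type, "url" for the ones whose ContentTypeId ends with "_URL"), written out as an added example that is not OFBiz code: it uses the OWASP Java Encoder (org.owasp.encoder.Encode) rather than OFBiz's own UtilCodec, and the class name, method names, content type ids and sample values below are this example's own assumptions.

```java
import org.owasp.encoder.Encode;

/** Added example, not OFBiz code: output encoding selected by encoderType. */
public class ContentEncodingExample {

    /** Same rule as the description: ContentTypeIds ending with "_URL" hold values
     *  that end up inside a URL; everything else is rendered as HTML text. */
    static String encoderTypeFor(String contentTypeId) {
        return contentTypeId != null && contentTypeId.endsWith("_URL") ? "url" : "html";
    }

    /** Encodes a stored value for the output context named by encoderType.
     *  An unknown encoder type fails closed instead of falling back to raw output. */
    static String encode(String value, String encoderType) {
        if (value == null) {
            return null;
        }
        switch (encoderType) {
            case "html":
                // Text-node context: <, >, &, quotes become entities; nothing is dropped.
                return Encode.forHtml(value);
            case "url":
                // One URL component (a path segment or a query value), not a whole URL:
                // a full path run through this would get its '/' and '?' encoded too.
                return Encode.forUriComponent(value);
            default:
                throw new IllegalArgumentException("unknown encoderType: " + encoderType);
        }
    }

    /** What a ContentWrapper.get(contentTypeId, encoderType) caller ends up with. */
    static String get(String storedValue, String contentTypeId) {
        return encode(storedValue, encoderTypeFor(contentTypeId));
    }

    public static void main(String[] args) {
        // Constructed sample rows; the ids are this example's, not a list from the issue.
        String description = "Mug <b>deluxe</b> & saucer";  // rendered as HTML text
        String imageName = "mug deluxe&v=2.jpg";            // inserted into a link

        System.out.println(get(description, "DESCRIPTION")); // markup becomes entities
        System.out.println(get(imageName, "IMAGE_URL"));     // percent-encoded component
    }
}
```

Encoding, unlike sanitizing, keeps every character and only changes its representation, which is why it is the right tool for the wrappers (plain text values) and why ContentWorker, where the stored value is itself HTML, needs the sanitizer instead. The dispatch hides one caveat: forUriComponent is meant for a single URL component, so a stored value that is a whole URL (scheme, path and query) needs a scheme allow-list rather than blanket percent-encoding.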

      1. OFBIZ-6669.patch
        16 kB
        Jacques Le Roux
      2. OFBIZ-6669.patch
        15 kB
        Jacques Le Roux

        Issue Links

          Activity

          jacques.le.roux Jacques Le Roux added a comment - - edited

          The ContentWorker is fixed in
          trunk r1708274 + r1708560 + r1712971
          R14.12 r1708275 + r1708471 + r1712972

          jacques.le.roux Jacques Le Roux added a comment -

          I don't close because we might want to backport those changes in supported releases...

          vyom0213@gmail.com Vyom Jain added a comment -

          If I understand r1708471 commit message, it seems trunk's applications/content has a runtime dependency on specialpurpose/solr because of specialpurpose/solr/lib/runtime/guava-14.0.1.jar. Is this dependency desired, what if someone has disabled the solr component?

          pfm.smits Pierre Smits added a comment -

          What does the guava lib deliver?

          jacques.le.roux Jacques Le Roux added a comment -

          Yes, right Vyom, I thought of it just before going to sleep last night (I don't know about you, but for me it almost always happens at that moment or when I wake up)

          So I will simply move the guava lib from solr to the base component. There is already a build dependency from solr to base, so that's all that's needed. I feared it could be a problem because the sanitizer's dependency on the guava lib is at runtime, but it works perfectly well.

          Thanks for the reminder

          jacques.le.roux Jacques Le Roux added a comment -

          I'm not quite sure about that; at least the sanitizer needs com/google/common/collect/ImmutableSet, maybe that's all, but you can't be sure since once installed no errors come again. More information at https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

          jacques.le.roux Jacques Le Roux added a comment - - edited

          I wonder if we should not close here and create a new issue for the (maybe not easy) backporting task, opinions? On the other hand having all here seems easier...

          OK I create a subtask

          jacques.le.roux Jacques Le Roux added a comment -

          There are many, too many conflicts; I finally decided not to backport to the supported release branches

          jacques.le.roux Jacques Le Roux added a comment - - edited

          I reopen here to allow users to choose not to encode contents in *ContentWrapper classes, as they already can with the ContentWorker class using the content.sanitize property. Actually I will use another content.encode property and will generalize by creating a new UtilCodec.HtmlEncoder.encodeOrNot() method and use it in *ContentWrapper classes.

          But the property should not be in the content application, to not introduce a dependency from base; not sure where to put it apart from base itself (in an owasp.properties maybe), to avoid introducing a dependency in base which is currently clean (does not depend on another OFBiz component):

          C:\projectASF-Mars\ofbiz\framework\base>"C:\Program Files\Java\jdk1.8.0_51\bin\jdeps" build\lib\ofbiz-base.jar
          ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\jce.jar
          ofbiz-base.jar -> not found
          ofbiz-base.jar -> build\lib\ofbiz-base.jar
          ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\rt.jar
             org.ofbiz.base.component (ofbiz-base.jar)
                -> java.io
                -> java.lang
                -> java.net
                -> java.security
                -> java.util
                -> java.util.concurrent.atomic
                -> javax.xml.parsers
                -> org.ofbiz.base.config                              ofbiz-base.jar
                -> org.ofbiz.base.container                           ofbiz-base.jar
                -> org.ofbiz.base.location                            ofbiz-base.jar
                -> org.ofbiz.base.util                                ofbiz-base.jar
                -> org.ofbiz.base.util.string                         ofbiz-base.jar
                -> org.w3c.dom
                -> org.xml.sax
             org.ofbiz.base.concurrent (ofbiz-base.jar)
                -> java.lang
                -> java.util
                -> java.util.concurrent
                -> org.ofbiz.base.util                                ofbiz-base.jar
             org.ofbiz.base.config (ofbiz-base.jar)
                -> java.io
                -> java.lang
                -> java.net
                -> java.util
                -> java.util.concurrent
                -> javax.xml.parsers
                -> org.ofbiz.base.util                                ofbiz-base.jar
                -> org.ofbiz.base.util.cache                          ofbiz-base.jar
                -> org.w3c.dom
                -> org.xml.sax
             org.ofbiz.base.container (ofbiz-base.jar)
                -> bsh                                                not found
                -> java.io
                -> java.lang
                -> java.net
                -> java.rmi
                -> java.rmi.registry
                -> java.rmi.server
                -> java.util
                -> java.util.concurrent.atomic
                -> javax.xml.parsers
                -> org.ofbiz.base.component                           ofbiz-base.jar
                -> org.ofbiz.base.config                              ofbiz-base.jar
                -> org.ofbiz.base.start                               not found
                -> org.ofbiz.base.util                                ofbiz-base.jar
                -> org.w3c.dom
                -> org.xml.sax
             org.ofbiz.base.conversion (ofbiz-base.jar)
                -> com.ibm.icu.util                                   not found
                -> java.io
                -> java.lang
                -> java.lang.reflect
                -> java.math
                -> java.net
                -> java.nio
                -> java.nio.charset
                -> java.sql
                -> java.text
                -> java.util
                -> java.util.concurrent
                -> java.util.regex
                -> javax.sql.rowset.serial
                -> org.ofbiz.base.lang                                ofbiz-base.jar
                -> org.ofbiz.base.util                                ofbiz-base.jar
             org.ofbiz.base.crypto (ofbiz-base.jar)
                -> java.io
                -> java.lang
                -> java.nio.charset
                -> java.security
                -> java.security.spec
                -> java.util
                -> javax.crypto
                -> javax.crypto.spec
                -> org.apache.commons.codec.binary                    not found
                -> org.apache.commons.lang                            not found
                -> org.apache.shiro.crypto                            not found
                -> org.ofbiz.base.util                                ofbiz-base.jar
             org.ofbiz.base.lang (ofbiz-base.jar)
                -> com.fasterxml.jackson.databind                     not found
                -> java.io
                -> java.lang
                -> java.lang.annotation
                -> org.apache.commons.io                              not found
                -> org.ofbiz.base.util                                ofbiz-base.jar
             org.ofbiz.base.location (ofbiz-base.jar)
                -> java.io
                -> java.lang
                -> java.net
                -> java.util
                -> org.ofbiz.base.component                           ofbiz-base.jar
                -> org.ofbiz.base.util                                ofbiz-base.jar
             org.ofbiz.base.metrics (ofbiz-base.jar)
                -> java.lang
                -> java.util
                -> org.ofbiz.base.util                                ofbiz-base.jar
                -> org.ofbiz.base.util.cache                          ofbiz-base.jar
                -> org.w3c.dom
             org.ofbiz.base.splash (ofbiz-base.jar)
                -> java.awt
                -> java.awt.image
                -> java.io
                -> java.lang
                -> org.ofbiz.base.start                               not found
             org.ofbiz.base.util (ofbiz-base.jar)
                -> bsh                                                not found
                -> com.ibm.icu.text                                   not found
                -> com.ibm.icu.util                                   not found
                -> com.thoughtworks.xstream                           not found
                -> com.thoughtworks.xstream.converters                not found
                -> com.thoughtworks.xstream.io                        not found
                -> groovy.lang                                        not found
                -> java.io
                -> java.lang
                -> java.lang.ref
                -> java.lang.reflect
                -> java.math
                -> java.net
                -> java.nio
                -> java.nio.charset
                -> java.rmi.server
                -> java.security
                -> java.security.cert
                -> java.security.spec
                -> java.sql
                -> java.text
                -> java.util
                -> java.util.concurrent
                -> java.util.concurrent.atomic
                -> java.util.regex
                -> javax.naming
                -> javax.net.ssl
                -> javax.script
                -> javax.security.auth.x500
                -> javax.security.cert
                -> javax.servlet                                      not found
                -> javax.servlet.http                                 not found
                -> javax.xml.parsers
                -> javax.xml.transform
                -> javax.xml.transform.dom
                -> javax.xml.transform.stream
                -> org.apache.bsf                                     not found
                -> org.apache.bsf.util                                not found
                -> org.apache.commons.codec                           not found
                -> org.apache.commons.codec.binary                    not found
                -> org.apache.commons.io                              not found
                -> org.apache.commons.lang                            not found
                -> org.apache.commons.validator.routines              not found
                -> org.apache.logging.log4j                           not found
                -> org.apache.oro.text.regex                          not found
                -> org.apache.xerces.parsers                          not found
                -> org.apache.xerces.xni                              not found
                -> org.codehaus.groovy.control                        not found
                -> org.codehaus.groovy.runtime                        not found
                -> org.ofbiz.base.component                           ofbiz-base.jar
                -> org.ofbiz.base.config                              ofbiz-base.jar
                -> org.ofbiz.base.conversion                          ofbiz-base.jar
                -> org.ofbiz.base.lang                                ofbiz-base.jar
                -> org.ofbiz.base.location                            ofbiz-base.jar
                -> org.ofbiz.base.util.cache                          ofbiz-base.jar
                -> org.ofbiz.base.util.collections                    ofbiz-base.jar
                -> org.ofbiz.base.util.string                         ofbiz-base.jar
                -> org.owasp.esapi.codecs                             not found
                -> org.w3c.dom
                -> org.w3c.dom.bootstrap
                -> org.w3c.dom.ls
                -> org.xml.sax
                -> org.xml.sax.helpers
             org.ofbiz.base.util.cache (ofbiz-base.jar)
                -> com.googlecode.concurrentlinkedhashmap             not found
                -> java.io
                -> java.lang
                -> java.util
                -> java.util.concurrent
                -> java.util.concurrent.atomic
                -> jdbm                                               not found
                -> jdbm.helper                                        not found
                -> jdbm.htree                                         not found
                -> jdbm.recman                                        not found
                -> org.ofbiz.base.concurrent                          ofbiz-base.jar
                -> org.ofbiz.base.util                                ofbiz-base.jar
             org.ofbiz.base.util.collections (ofbiz-base.jar)
                -> java.io
                -> java.lang
                -> java.util
                -> java.util.concurrent.atomic
                -> javax.el                                           not found
                -> javax.servlet                                      not found
                -> javax.servlet.http                                 not found
                -> org.ofbiz.base.lang                                ofbiz-base.jar
                -> org.ofbiz.base.util                                ofbiz-base.jar
                -> org.ofbiz.base.util.cache                          ofbiz-base.jar
                -> org.ofbiz.base.util.string                         ofbiz-base.jar
             org.ofbiz.base.util.string (ofbiz-base.jar)
                -> de.odysseus.el                                     not found
                -> de.odysseus.el.misc                                not found
                -> de.odysseus.el.tree                                not found
                -> de.odysseus.el.tree.impl                           not found
                -> de.odysseus.el.tree.impl.ast                       not found
                -> java.beans
                -> java.io
                -> java.lang
                -> java.lang.reflect
                -> java.math
                -> java.net
                -> java.sql
                -> java.text
                -> java.util
                -> javax.el                                           not found
                -> javax.xml.namespace
                -> javax.xml.transform
                -> javax.xml.transform.stream
                -> javax.xml.xpath
                -> org.apache.xerces.dom                              not found
                -> org.cyberneko.html.parsers                         not found
                -> org.ofbiz.base.lang                                ofbiz-base.jar
                -> org.ofbiz.base.location                            ofbiz-base.jar
                -> org.ofbiz.base.util                                ofbiz-base.jar
                -> org.ofbiz.base.util.cache                          ofbiz-base.jar
                -> org.ofbiz.base.util.collections                    ofbiz-base.jar
                -> org.w3c.dom
             org.ofbiz.base.util.template (ofbiz-base.jar)
                -> freemarker.cache                                   not found
                -> freemarker.core                                    not found
                -> freemarker.ext.beans                               not found
                -> freemarker.template                                not found
                -> java.io
                -> java.lang
                -> java.net
                -> java.util
                -> javax.servlet                                      not found
                -> javax.servlet.http                                 not found
                -> javax.xml.parsers
                -> javax.xml.transform
                -> javax.xml.transform.dom
                -> javax.xml.transform.sax
                -> javax.xml.transform.stream
                -> org.ofbiz.base.location                            ofbiz-base.jar
                -> org.ofbiz.base.util                                ofbiz-base.jar
                -> org.ofbiz.base.util.cache                          ofbiz-base.jar
                -> org.w3c.dom
                -> org.xml.sax
          

          Other ideas?

          Show
          jacques.le.roux Jacques Le Roux added a comment - - edited I reopen here to allow users to choose to not encode contents in *ContentWrapper classes as they already can with ContentWorker class using content.sanitize property. Actually I will use another content.encode property and will generalize by creating a new UtilCodec.HtmlEncoder.encodeOrNot() method and use it in *ContentWrapper classes. But the property should not in content application to not introduce a dependency from base, not sure where to put it apart in base itself (in a owasp.properties maybe) to avoid introducing a dependency in base wich is currently clean (does not depend on another OFBiz component): C:\projectASF-Mars\ofbiz\framework\base> "C:\Program Files\Java\jdk1.8.0_51\bin\jdeps" build\lib\ofbiz-base.jar ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\jce.jar ofbiz-base.jar -> not found ofbiz-base.jar -> build\lib\ofbiz-base.jar ofbiz-base.jar -> C:\Program Files\Java\jdk1.8.0_51\jre\lib\rt.jar org.ofbiz.base.component (ofbiz-base.jar) -> java.io -> java.lang -> java.net -> java.security -> java.util -> java.util.concurrent.atomic -> javax.xml.parsers -> org.ofbiz.base.config ofbiz-base.jar -> org.ofbiz.base.container ofbiz-base.jar -> org.ofbiz.base.location ofbiz-base.jar -> org.ofbiz.base.util ofbiz-base.jar -> org.ofbiz.base.util.string ofbiz-base.jar -> org.w3c.dom -> org.xml.sax org.ofbiz.base.concurrent (ofbiz-base.jar) -> java.lang -> java.util -> java.util.concurrent -> org.ofbiz.base.util ofbiz-base.jar org.ofbiz.base.config (ofbiz-base.jar) -> java.io -> java.lang -> java.net -> java.util -> java.util.concurrent -> javax.xml.parsers -> org.ofbiz.base.util ofbiz-base.jar -> org.ofbiz.base.util.cache ofbiz-base.jar -> org.w3c.dom -> org.xml.sax org.ofbiz.base.container (ofbiz-base.jar) -> bsh not found -> java.io -> java.lang -> java.net -> java.rmi -> java.rmi.registry -> java.rmi.server -> java.util -> java.util.concurrent.atomic -> javax.xml.parsers -> 
org.ofbiz.base.component ofbiz-base.jar -> org.ofbiz.base.config ofbiz-base.jar -> org.ofbiz.base.start not found -> org.ofbiz.base.util ofbiz-base.jar -> org.w3c.dom -> org.xml.sax org.ofbiz.base.conversion (ofbiz-base.jar) -> com.ibm.icu.util not found -> java.io -> java.lang -> java.lang.reflect -> java.math -> java.net -> java.nio -> java.nio.charset -> java.sql -> java.text -> java.util -> java.util.concurrent -> java.util.regex -> javax.sql.rowset.serial -> org.ofbiz.base.lang ofbiz-base.jar -> org.ofbiz.base.util ofbiz-base.jar org.ofbiz.base.crypto (ofbiz-base.jar) -> java.io -> java.lang -> java.nio.charset -> java.security -> java.security.spec -> java.util -> javax.crypto -> javax.crypto.spec -> org.apache.commons.codec.binary not found -> org.apache.commons.lang not found -> org.apache.shiro.crypto not found -> org.ofbiz.base.util ofbiz-base.jar org.ofbiz.base.lang (ofbiz-base.jar) -> com.fasterxml.jackson.databind not found -> java.io -> java.lang -> java.lang.annotation -> org.apache.commons.io not found -> org.ofbiz.base.util ofbiz-base.jar org.ofbiz.base.location (ofbiz-base.jar) -> java.io -> java.lang -> java.net -> java.util -> org.ofbiz.base.component ofbiz-base.jar -> org.ofbiz.base.util ofbiz-base.jar org.ofbiz.base.metrics (ofbiz-base.jar) -> java.lang -> java.util -> org.ofbiz.base.util ofbiz-base.jar -> org.ofbiz.base.util.cache ofbiz-base.jar -> org.w3c.dom org.ofbiz.base.splash (ofbiz-base.jar) -> java.awt -> java.awt.image -> java.io -> java.lang -> org.ofbiz.base.start not found org.ofbiz.base.util (ofbiz-base.jar) -> bsh not found -> com.ibm.icu.text not found -> com.ibm.icu.util not found -> com.thoughtworks.xstream not found -> com.thoughtworks.xstream.converters not found -> com.thoughtworks.xstream.io not found -> groovy.lang not found -> java.io -> java.lang -> java.lang.ref -> java.lang.reflect -> java.math -> java.net -> java.nio -> java.nio.charset -> java.rmi.server -> java.security -> java.security.cert -> java.security.spec 
-> java.sql -> java.text -> java.util -> java.util.concurrent -> java.util.concurrent.atomic -> java.util.regex -> javax.naming -> javax.net.ssl -> javax.script -> javax.security.auth.x500 -> javax.security.cert -> javax.servlet not found -> javax.servlet.http not found -> javax.xml.parsers -> javax.xml.transform -> javax.xml.transform.dom -> javax.xml.transform.stream -> org.apache.bsf not found -> org.apache.bsf.util not found -> org.apache.commons.codec not found -> org.apache.commons.codec.binary not found -> org.apache.commons.io not found -> org.apache.commons.lang not found -> org.apache.commons.validator.routines not found -> org.apache.logging.log4j not found -> org.apache.oro.text.regex not found -> org.apache.xerces.parsers not found -> org.apache.xerces.xni not found -> org.codehaus.groovy.control not found -> org.codehaus.groovy.runtime not found -> org.ofbiz.base.component ofbiz-base.jar -> org.ofbiz.base.config ofbiz-base.jar -> org.ofbiz.base.conversion ofbiz-base.jar -> org.ofbiz.base.lang ofbiz-base.jar -> org.ofbiz.base.location ofbiz-base.jar -> org.ofbiz.base.util.cache ofbiz-base.jar -> org.ofbiz.base.util.collections ofbiz-base.jar -> org.ofbiz.base.util.string ofbiz-base.jar -> org.owasp.esapi.codecs not found -> org.w3c.dom -> org.w3c.dom.bootstrap -> org.w3c.dom.ls -> org.xml.sax -> org.xml.sax.helpers org.ofbiz.base.util.cache (ofbiz-base.jar) -> com.googlecode.concurrentlinkedhashmap not found -> java.io -> java.lang -> java.util -> java.util.concurrent -> java.util.concurrent.atomic -> jdbm not found -> jdbm.helper not found -> jdbm.htree not found -> jdbm.recman not found -> org.ofbiz.base.concurrent ofbiz-base.jar -> org.ofbiz.base.util ofbiz-base.jar org.ofbiz.base.util.collections (ofbiz-base.jar) -> java.io -> java.lang -> java.util -> java.util.concurrent.atomic -> javax.el not found -> javax.servlet not found -> javax.servlet.http not found -> org.ofbiz.base.lang ofbiz-base.jar -> org.ofbiz.base.util ofbiz-base.jar -> 
org.ofbiz.base.util.cache ofbiz-base.jar -> org.ofbiz.base.util.string ofbiz-base.jar org.ofbiz.base.util.string (ofbiz-base.jar) -> de.odysseus.el not found -> de.odysseus.el.misc not found -> de.odysseus.el.tree not found -> de.odysseus.el.tree.impl not found -> de.odysseus.el.tree.impl.ast not found -> java.beans -> java.io -> java.lang -> java.lang.reflect -> java.math -> java.net -> java.sql -> java.text -> java.util -> javax.el not found -> javax.xml.namespace -> javax.xml.transform -> javax.xml.transform.stream -> javax.xml.xpath -> org.apache.xerces.dom not found -> org.cyberneko.html.parsers not found -> org.ofbiz.base.lang ofbiz-base.jar -> org.ofbiz.base.location ofbiz-base.jar -> org.ofbiz.base.util ofbiz-base.jar -> org.ofbiz.base.util.cache ofbiz-base.jar -> org.ofbiz.base.util.collections ofbiz-base.jar -> org.w3c.dom org.ofbiz.base.util.template (ofbiz-base.jar) -> freemarker.cache not found -> freemarker.core not found -> freemarker.ext.beans not found -> freemarker.template not found -> java.io -> java.lang -> java.net -> java.util -> javax.servlet not found -> javax.servlet.http not found -> javax.xml.parsers -> javax.xml.transform -> javax.xml.transform.dom -> javax.xml.transform.sax -> javax.xml.transform.stream -> org.ofbiz.base.location ofbiz-base.jar -> org.ofbiz.base.util ofbiz-base.jar -> org.ofbiz.base.util.cache ofbiz-base.jar -> org.w3c.dom -> org.xml.sax Other ideas?
          jacques.le.roux Jacques Le Roux added a comment -

          Proposed patch to resolve the issue Ingo reported on user ML. I have still to move the content.sanitize property from content.properties to a new owasp.properties file in the base config, and to generalise its use.

          jacques.le.roux Jacques Le Roux added a comment -

          Ha, also only productsummary.ftl is changed in this patch; I'm sure other such cases exist OOTB.

          jacques.le.roux Jacques Le Roux added a comment -

          Last patch: a better solution which gets rid of the content.sanitize property and rather proposes a sanitizer PolicyFactory PERMISSIVE_POLICY as an example of extending the OOTB PolicyFactory, which uses all safe policies supplied with the sanitizer.

          I thought about the changes like in productsummary.ftl line 85. I will not muck around with those but will rather rely on users' reports of not well rendered HTML (hint: we/they should use a productContentWrapper).

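As an added example (not OFBiz code and not part of the patch discussed here) of what "extending the OOTB PolicyFactory" with the sanitizer's own safe policies can look like. The class name, the exact contents of PERMISSIVE_POLICY and the sample stored content are assumptions; only the owasp-java-html-sanitizer API calls are real.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Illustrative class (not from OFBiz): builds a permissive policy on top of
 * the pre-built safe policies shipped with owasp-java-html-sanitizer.
 */
public final class ContentSanitizerExample {

    /** Baseline: only the safe policies supplied with the sanitizer itself. */
    public static final PolicyFactory SAFE_POLICY = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.LINKS)
            .and(Sanitizers.IMAGES);

    /**
     * Assumed extension: also allow simple tables, with an explicit allow-list of
     * elements and attributes. Anything not listed (scripts, event handlers,
     * javascript: URLs) is still dropped by the sanitizer.
     */
    public static final PolicyFactory PERMISSIVE_POLICY = SAFE_POLICY.and(
            new HtmlPolicyBuilder()
                    .allowElements("table", "thead", "tbody", "tr", "th", "td")
                    .allowAttributes("colspan", "rowspan").onElements("th", "td")
                    .toFactory());

    /** Sanitize HTML content read from the DB before it is rendered in a page. */
    public static String sanitize(String storedContent) {
        if (storedContent == null) {
            return null;
        }
        return PERMISSIVE_POLICY.sanitize(storedContent);
    }

    public static void main(String[] args) {
        // Constructed sample of product description content as it might be stored
        // in the DB by a user with edit rights on content.
        String stored = "<p>Great <b>widget</b>, see "
                + "<a href=\"https://example.com/widget\">details</a>.</p>"
                + "<table><tr><td colspan=\"2\">specs</td></tr></table>"
                + "<script>unwanted()</script>";
        // Formatting, the https link and the table survive; the script element
        // and its body are removed (LINKS also adds rel="nofollow" to anchors).
        System.out.println(sanitize(stored));
    }
}
```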
          jacques.le.roux Jacques Le Roux added a comment -

          I will commit this patch in a few days if nobody disagrees about having a sanitizer inside the UtilCodec class.

          jacques.le.roux Jacques Le Roux added a comment - edited

          The commit at revision 1713634 in trunk completes and finalises this work.

          Before closing, to safely backport in R14.12, I will need to backport the improvement from OFBIZ-6701 first. Else it will be insanely complicated. I will ask for agreement on the dev ML...

          jacques.le.roux Jacques Le Roux added a comment -

          Because I got too many conflicts trying to merge both r1713634 and r1711578 in R14.12, I decided for now to be safe and to keep the state before r1713634 in R14.12. It's not optimal (it does not correctly render HTML code in content) but at least it is safe. Of course this can still be done, but I will not do it now, so I close as later...

          gdraperi gregory draperi added a comment -

          I wonder if a possible solution would be to encode everything and then decode only authorized patterns like:

          <b><img/></b> becomes <b><img/></b> and then we look and replace for authorized patterns

          "<b><img/></b>".replaceAll("<b>","<b>")

          What do you think?

          jacques.le.roux Jacques Le Roux added a comment -

          Sorry Gregory, I did not focus on this issue yet. I will try to have a look soon, thanks!

          jacques.le.roux Jacques Le Roux added a comment -

          Temporarily reopening, I want this to be a sub-task of OFBIZ-1525.

          jacques.le.roux Jacques Le Roux added a comment -

          OK, it was already part of OFBIZ-1525; I feel like I'm mucking around :/

          jacques.le.roux Jacques Le Roux added a comment - edited

          Sorry gregory draperi, could you explain your idea more, where would you like to change things? An example might help, I guess.

          gdraperi gregory draperi added a comment -

          Hum, there is a problem in my example.

          My idea is to still use the HTML encoder, so for example "&" and ">" become & and >, but then you apply a filter that will look for authorized tags like

          .replaceAll("&ltb&gt","<b>")

          So you are able to only authorize safe tags.


            People

            • Assignee: Jacques Le Roux
            • Reporter: Jacques Le Roux
            • Votes: 0
            • Watchers: 2