The renderContentAsText method should configure the text sanitizer via "sanitizer.permissive.policy" in owasp.properties

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: 16.11.01
    • Component/s: None
    • Labels:
    • Flags:
      Patch
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      The renderContentAsText method should configure the text sanitizer via "sanitizer.permissive.policy" in owasp.properties. If electronic text contains JavaScript, the renderContentAsText method will remove some content.

      Attachment: ofbiz-renderContentAsText.diff (1 kB), Supachai Chaima-ngua (Tor)

        Activity

        jacques.le.roux Jacques Le Roux added a comment -

        I reverted r1720100 at r1720147

        jacques.le.roux Jacques Le Roux added a comment -

        Mmm wait, it seems I was not awake enough this morning; I re-thought about that...

        This is not how sanitizer.permissive.policy is supposed to work. You are supposed to use sanitizer.permissive.policy=true in owasp.properties and provide your own PERMISSIVE_POLICY in HtmlEncoder.sanitize() (in UtilCodec.java), not to use sanitizer.permissive.policy=true to bypass HtmlEncoder.sanitize().

        See https://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/PolicyFactory.html and OFBIZ-6669 for details.

        So I will revert your change and close as invalid.

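As an added illustration (not OFBiz's UtilCodec code, and not the attached patch), the stand-alone Java sketch below shows the mechanism described in the comment above: the sanitizer.permissive.policy property chooses between a default and a site-defined permissive PolicyFactory from the OWASP Java HTML Sanitizer, and even the permissive policy still drops `<script>` because it is simply not whitelisted. The class name, policy contents and sample input are hypothetical.

```java
import java.util.Properties;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Hypothetical stand-in for the sanitizer gate discussed in this ticket;
// it is not OFBiz's UtilCodec.HtmlEncoder.
public final class PermissivePolicyDemo {

    // Strict default: inline formatting, block elements and links only.
    static final PolicyFactory DEFAULT_POLICY =
        Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);

    // Site-specific permissive policy (hypothetical): adds images, tables and
    // id/class attributes. It still lists no <script>, so scripts are stripped
    // even in permissive mode: the flag widens the whitelist, it does not bypass it.
    static final PolicyFactory PERMISSIVE_POLICY = new HtmlPolicyBuilder()
        .allowElements("a", "p", "div", "span", "b", "i", "u", "br", "img",
                       "table", "tr", "td", "th", "h1", "h2", "h3")
        .allowAttributes("id", "class").globally()
        .allowAttributes("href").onElements("a")
        .allowAttributes("src", "alt").onElements("img")
        .allowStandardUrlProtocols()
        .toFactory();

    // Mirrors the role of sanitizer.permissive.policy in owasp.properties:
    // the property selects which policy runs; sanitizing itself always happens.
    static String sanitize(String html, Properties owaspProps) {
        boolean permissive = Boolean.parseBoolean(
            owaspProps.getProperty("sanitizer.permissive.policy", "false"));
        PolicyFactory policy = permissive ? PERMISSIVE_POLICY : DEFAULT_POLICY;
        return policy.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed sample of "electronic text" carrying an embedded script.
        String input = "<div class=\"note\"><p>Hello <b>world</b></p>"
            + "<script>alert(1)</script><img src=\"/img/logo.png\" alt=\"logo\"></div>";

        Properties strict = new Properties();
        strict.setProperty("sanitizer.permissive.policy", "false");
        Properties permissive = new Properties();
        permissive.setProperty("sanitizer.permissive.policy", "true");

        // Default policy: the class attribute and <img> are dropped along with the script.
        System.out.println(sanitize(input, strict));
        // Permissive policy: class="note" and <img> survive; <script> still does not.
        System.out.println(sanitize(input, permissive));
    }
}
```

Requires the owasp-java-html-sanitizer jar on the classpath; the point to verify is that the second output keeps the wider markup yet contains no script element.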
        jacques.le.roux Jacques Le Roux added a comment -

        Thanks Supachai,

        Your patch is in trunk at r1720100.

        As explained at OFBIZ-6669, I did not backport to R14.12 and older releases, but it's possible...

        Of course you would allow "<script>" in your permissive policy at your own risk...


          People

          • Assignee: Jacques Le Roux (jacques.le.roux)
          • Reporter: Supachai Chaima-ngua (Tor) (tortechnocom)
          • Votes: 0
          • Watchers: 2
