midsuit
/
core-jgi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

IDEMPIERE-3980

This commit is contained in:
Carlos Ruiz 2019-06-10 18:19:31 +02:00
parent 1f701bbced
commit 0451bf0b4f
6 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
org.adempiere.ui.zk/.classpath
View File

@ -9,5 +9,6 @@
<classpathentry kind="src" path="WEB-INF/src/"/>
<classpathentry exported="true" kind="lib" path="WEB-INF/lib/ckez.jar"/>
<classpathentry exported="true" kind="lib" path="WEB-INF/lib/daisydiff.jar"/>
<classpathentry exported="true" kind="lib" path="WEB-INF/lib/owasp-java-html-sanitizer.jar"/>
<classpathentry kind="output" path="target/classes"/>
</classpath>

3
org.adempiere.ui.zk/META-INF/MANIFEST.MF
View File

@ -55,7 +55,8 @@ Import-Package: groovy.transform.stc;version="2.4.7",
DynamicImport-Package: action.images
Bundle-ClassPath: .,
WEB-INF/lib/ckez.jar,
WEB-INF/lib/daisydiff.jar
WEB-INF/lib/daisydiff.jar,
WEB-INF/lib/owasp-java-html-sanitizer.jar
Export-Package: fi.jawsy.jawwa.zk.atmosphere,
metainfo.zk,
org.adempiere.webui,

2
org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java
View File

@ -194,7 +194,7 @@ public class WHtmlEditor extends WEditor implements ContextMenuListener
adwindowContent.hideBusyMask();
}
if (!dialog.isCancelled()) {
box.setContent(dialog.getText());
box.setContent(WTextEditorDialog.sanitize(dialog.getText()));
String newText = box.getContent();
ValueChangeEvent changeEvent = new ValueChangeEvent(WHtmlEditor.this, WHtmlEditor.this.getColumnName(), oldValue, newText);
WHtmlEditor.super.fireValueChange(changeEvent);

16
org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java
View File

@ -28,6 +28,8 @@ import org.adempiere.webui.component.Window;
import org.adempiere.webui.theme.ThemeManager;
import org.adempiere.webui.util.ZKUpdateUtil;
import org.compiere.util.Language;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
import org.zkforge.ckez.CKeditor;
import org.zkoss.zk.au.out.AuScript;
import org.zkoss.zk.ui.event.Event;
@ -48,7 +50,7 @@ public class WTextEditorDialog extends Window implements EventListener<Event>{
/**
*
*/
private static final long serialVersionUID = 1188165765430615546L;
private static final long serialVersionUID = -1857623453350849161L;
private boolean editable;
private int maxSize;
@ -186,7 +188,7 @@ public class WTextEditorDialog extends Window implements EventListener<Event>{
}
public void onEditorCallback(Event event) {
text = (String) event.getData();
text = sanitize((String) event.getData());
detach();
}
@ -264,4 +266,14 @@ public class WTextEditorDialog extends Window implements EventListener<Event>{
return text;
}
public static String sanitize(String untrustedHTML) {
final PolicyFactory policy = Sanitizers.BLOCKS
.and(Sanitizers.FORMATTING)
.and(Sanitizers.IMAGES)
.and(Sanitizers.LINKS)
.and(Sanitizers.STYLES)
.and(Sanitizers.TABLES);
return policy.sanitize(untrustedHTML);
}
}

1
org.adempiere.ui.zk/build.properties
View File

@ -35,6 +35,7 @@ bin.includes = META-INF/,\
pdf.js/,\
WEB-INF/lib/ckez.jar,\
WEB-INF/lib/daisydiff.jar,\
WEB-INF/lib/owasp-java-html-sanitizer.jar,\
.
src.includes = WEB-INF/tld/,\
WEB-INF/web.xml,\

5
org.adempiere.ui.zk/pom.xml
View File

@ -62,6 +62,11 @@
<artifactId>ckez</artifactId>
<version>4.7.0.0</version>
</artifactItem>
<artifactItem>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
<version>20190503.1</version>
</artifactItem>
</artifactItems>
<outputDirectory>WEB-INF/lib</outputDirectory>
<stripVersion>true</stripVersion>