diff --git a/org.adempiere.ui.zk/.classpath b/org.adempiere.ui.zk/.classpath
index 6a9ce5244c..b58918e146 100644
--- a/org.adempiere.ui.zk/.classpath
+++ b/org.adempiere.ui.zk/.classpath
@@ -9,5 +9,6 @@
+
diff --git a/org.adempiere.ui.zk/META-INF/MANIFEST.MF b/org.adempiere.ui.zk/META-INF/MANIFEST.MF
index 6376ff9d1f..3bb82eb2bb 100644
--- a/org.adempiere.ui.zk/META-INF/MANIFEST.MF
+++ b/org.adempiere.ui.zk/META-INF/MANIFEST.MF
@@ -55,7 +55,8 @@ Import-Package: groovy.transform.stc;version="2.4.7",
DynamicImport-Package: action.images
Bundle-ClassPath: .,
WEB-INF/lib/ckez.jar,
- WEB-INF/lib/daisydiff.jar
+ WEB-INF/lib/daisydiff.jar,
+ WEB-INF/lib/owasp-java-html-sanitizer.jar
Export-Package: fi.jawsy.jawwa.zk.atmosphere,
metainfo.zk,
org.adempiere.webui,
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java
index 4dea40686c..3dc308523f 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java
@@ -194,7 +194,7 @@ public class WHtmlEditor extends WEditor implements ContextMenuListener
adwindowContent.hideBusyMask();
}
if (!dialog.isCancelled()) {
- box.setContent(dialog.getText());
+ box.setContent(WTextEditorDialog.sanitize(dialog.getText()));
String newText = box.getContent();
ValueChangeEvent changeEvent = new ValueChangeEvent(WHtmlEditor.this, WHtmlEditor.this.getColumnName(), oldValue, newText);
WHtmlEditor.super.fireValueChange(changeEvent);
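Review bot: `dialog.getText()` already returns sanitized text, because `WTextEditorDialog.onEditorCallback` in this same commit runs `sanitize` before storing it, so the new `WTextEditorDialog.sanitize(...)` wrapper on the `box.setContent` line filters content that has already passed the policy; that is fine as defence in depth, but it deserves a comment such as `// dialog text is already sanitized on callback; sanitize again so the editor never receives unfiltered HTML` so neither call is later removed on the assumption the other covers it. Whatever `box` held before the dialog opened (presumably the stored value) is never passed through the policy, so previously saved HTML is unaffected by this change — likely intended, but worth stating in the commit description. The enclosing listener method starts and ends outside this hunk.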
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java
index 3ee0513e6c..ea62e8ead3 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java
@@ -28,6 +28,8 @@ import org.adempiere.webui.component.Window;
import org.adempiere.webui.theme.ThemeManager;
import org.adempiere.webui.util.ZKUpdateUtil;
import org.compiere.util.Language;
+import org.owasp.html.PolicyFactory;
+import org.owasp.html.Sanitizers;
import org.zkforge.ckez.CKeditor;
import org.zkoss.zk.au.out.AuScript;
import org.zkoss.zk.ui.event.Event;
@@ -48,7 +50,7 @@ public class WTextEditorDialog extends Window implements EventListener{
/**
*
*/
- private static final long serialVersionUID = 1188165765430615546L;
+ private static final long serialVersionUID = -1857623453350849161L;
private boolean editable;
private int maxSize;
@@ -186,7 +188,7 @@ public class WTextEditorDialog extends Window implements EventListener{
}
public void onEditorCallback(Event event) {
- text = (String) event.getData();
+ text = sanitize((String) event.getData());
detach();
}
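Review bot: `text` can no longer be null after this callback if the sanitizer maps a null input to an empty string (the OWASP `PolicyFactory.sanitize` is documented as accepting a nullable argument; confirm against the bundled 20190503.1 jar), so a caller that distinguishes "no data" from "empty" via `getText() == null` would change behaviour. If that distinction matters, guard the assignment with `String data = (String) event.getData(); text = data == null ? null : sanitize(data);`; otherwise a one-line comment on `text = sanitize(...)` noting that the field now always holds policy-filtered HTML would help readers.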
@@ -264,4 +266,14 @@ public class WTextEditorDialog extends Window implements EventListener{
return text;
}
+ public static String sanitize(String untrustedHTML) {
+ final PolicyFactory policy = Sanitizers.BLOCKS
+ .and(Sanitizers.FORMATTING)
+ .and(Sanitizers.IMAGES)
+ .and(Sanitizers.LINKS)
+ .and(Sanitizers.STYLES)
+ .and(Sanitizers.TABLES);
+ return policy.sanitize(untrustedHTML);
+ }
+
}
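Review bot: `sanitize` rebuilds the `PolicyFactory` on every call (the `Sanitizers.BLOCKS.and(...)` chain inside the method body), although `PolicyFactory` is immutable and thread-safe and can be a `private static final` constant built once; the method is also public and undocumented, so add Javadoc stating that it is the single allowlist applied to rich-text input and what the allowlist admits. Note for reviewers that the combined policy permits inline `style` attributes and image/link URLs, so what this filters is active content (scripts, event handlers, unknown elements) rather than all styling; if the project needs a tighter or looser allowlist, the constant is the one place to adjust it.
```java
	/**
	 * Allowlist applied to HTML coming from the rich-text editor: block, formatting,
	 * image, link, inline-style and table markup as defined by the OWASP sanitizer;
	 * anything outside these sets (scripts, event-handler attributes, unknown tags)
	 * is removed. PolicyFactory is immutable and thread-safe, so one shared instance suffices.
	 */
	private static final PolicyFactory SANITIZE_POLICY = Sanitizers.BLOCKS
			.and(Sanitizers.FORMATTING)
			.and(Sanitizers.IMAGES)
			.and(Sanitizers.LINKS)
			.and(Sanitizers.STYLES)
			.and(Sanitizers.TABLES);

	/**
	 * Filters editor output through {@link #SANITIZE_POLICY}.
	 * @param untrustedHTML HTML as produced by the editor; treated as untrusted input
	 * @return the HTML with everything outside the allowlist removed
	 */
	public static String sanitize(String untrustedHTML) {
		return SANITIZE_POLICY.sanitize(untrustedHTML);
	}
```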
diff --git a/org.adempiere.ui.zk/build.properties b/org.adempiere.ui.zk/build.properties
index 8f0c6267a2..aba88e9ea0 100644
--- a/org.adempiere.ui.zk/build.properties
+++ b/org.adempiere.ui.zk/build.properties
@@ -35,6 +35,7 @@ bin.includes = META-INF/,\
pdf.js/,\
WEB-INF/lib/ckez.jar,\
WEB-INF/lib/daisydiff.jar,\
+ WEB-INF/lib/owasp-java-html-sanitizer.jar,\
.
src.includes = WEB-INF/tld/,\
WEB-INF/web.xml,\
diff --git a/org.adempiere.ui.zk/pom.xml b/org.adempiere.ui.zk/pom.xml
index 9a5c585a2d..0170c5d605 100644
--- a/org.adempiere.ui.zk/pom.xml
+++ b/org.adempiere.ui.zk/pom.xml
@@ -62,6 +62,11 @@
ckez
4.7.0.0
+
+ com.googlecode.owasp-java-html-sanitizer
+ owasp-java-html-sanitizer
+ 20190503.1
+
WEB-INF/lib
true