Status/Resolution/Reason: Closed/Fixed/
Reporter/Name(from Bugbase): David Mitchell / David Mitchell (David Mitchell)
Created: 06/01/2016
Components: Security
Versions: 11.0
Failure Type: Data Corruption
Found In Build/Fixed In Build: CF11_Final /
Priority/Frequency: Major / All users will encounter
Locale/System: English / Windows 10 64 bit
Vote Count: 0
Related Bugs:
CF-4160218 - Similar to
Problem Description:
The version of AntiSamy which ships with CF11 is 1.4.4. This version was released in early 2011 (see: http://mvnrepository.com/artifact/org.owasp.antisamy/antisamy). The latest version is 1.5.3.
Version 1.4.4 of this lib has a couple of issues; the most egregious of these is the encoding of characters after the scan method is run. Characters such as the smart quote (’, rsquo), some characters with diacritics (ä, auml) and smart dashes (–, ndash) are affected. (Note this list is not exhaustive.)
Steps to Reproduce:
<cfscript>
// Run each sample through CF's built-in getSafeHTML() and then through the
// bundled AntiSamy jar directly, dumping the value at each step so the
// entity-encoding of non-ASCII characters is visible.
sanitizer = createObject("java", "org.owasp.validator.html.AntiSamy");
policy = "C:\ColdFusion11\cfusion\lib\antisamy-basic.xml";
rs = ["–", "’", "é", "ä", "õ"];
for (r in rs) {
    writeOutput("<br><br>before");
    writeDump(r);
    writeOutput("<br>safe");
    writeDump( getSafeHTML(r) );
    // AntiSamy.scan(String taintedHTML, String policyFilePath) returns a CleanResults object
    r = variables.sanitizer.scan(toString(r), variables.policy).getCleanHTML();
    writeOutput("<br>cleanhtml");
    writeDump(r);
}
</cfscript>
Actual Result:
The HTML-encoded values are returned.
Expected Result:
The text should be returned unaltered.
Any Workarounds:
We have replaced the antisamy-1.4.4.jar file with the 1.5.3 version.
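The following verification script is an added example, not the reporter's code and not part of AntiSamy or ColdFusion. After swapping the jar as described in the workaround, it reports which AntiSamy jar the ColdFusion JVM actually loaded (a stale copy elsewhere on the classpath would silently win) and re-runs the report's samples through scan(), flagging any input that comes back changed. The function name antisamyCheck, the plain-ASCII control string and the output structure are assumptions made here; the policy path and the five sample strings are reused from the report.

```cfml
<cfscript>
// Added verification script (not from the original report).
// antisamyCheck is a name chosen here; it assumes the policy path from the report.
function antisamyCheck(required string policyPath) {
    var sanitizer = createObject("java", "org.owasp.validator.html.AntiSamy");

    // Location of the jar the AntiSamy class was loaded from. If the old
    // antisamy-1.4.4.jar is still on the classpath ahead of the new one,
    // this is where that shows up.
    var jarLocation = sanitizer.getClass().getProtectionDomain().getCodeSource().getLocation().toString();

    // The report's samples plus one plain-ASCII control (constructed here)
    // that must round-trip on any build.
    var samples = ["–", "’", "é", "ä", "õ", "plain ascii text"];
    var report = { "jar": jarLocation, "altered": [], "unaltered": [] };

    for (var s in samples) {
        // scan(String taintedHTML, String policyFilePath) is the same AntiSamy
        // API the report calls; trim() discards any formatting whitespace the
        // policy's output directives may add.
        var clean = trim(sanitizer.scan(toString(s), arguments.policyPath).getCleanHTML());

        // compare() is case-sensitive; CF's EQ / == operator is not.
        if (compare(clean, s) == 0) {
            arrayAppend(report.unaltered, s);
        } else {
            arrayAppend(report.altered, { "input": s, "output": clean });
        }
    }
    return report;
}

// Any entry in "altered" whose output is an entity reference (e.g. &rsquo;)
// means the build still has the 1.4.4 behaviour described above.
result = antisamyCheck("C:\ColdFusion11\cfusion\lib\antisamy-basic.xml");
writeDump(result);
</cfscript>
```

Check the "jar" value first: if it does not point at the 1.5.3 jar, the replacement was not picked up and the "altered" list is not evidence about the new version at all.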
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 4160212
External Customer Info:
External Customer Name: David Mitchell