Implemented: Create and use an OWASP PolicyFactory for content sanitization 
in ContentWorker for Birt Report Builder
(OFBIZ-9166)

This is still an incomplete feature because I did not find yet a way to complete
the BIRT_REPORT_BUILDER_USAGE_POLICY and had to bypass the sanitization for this
case, WIP...

This commit has no effect on OFBiz yet.

I need to commit this now to continue to work on the main task: OFBIZ-6919
"New implementation of Birt. Easier user possibility of report creation". 







git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk@1777451 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java b/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java
index 049e6eb..f891e01 100644
--- a/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java
+++ b/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java
@@ -335,18 +335,22 @@
             String mimeTypeId, boolean cache) throws GeneralException, IOException {
         Writer writer = new StringWriter();
         renderContentAsText(dispatcher, contentId, writer, templateContext, locale, mimeTypeId, null, null, cache);
+        GenericValue content = EntityQuery.use(dispatcher.getDelegator()).from("Content").where("contentId", contentId).queryOne();
+        String contentTypeId = content.getString("contentTypeId");
         String rendered = writer.toString();
         // According to https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
         // Normally head is protected by X-XSS-Protection Response Header by default
-        if (rendered.contains("<script>")
-                || rendered.contains("<!--")
-                || rendered.contains("<div")
-                || rendered.contains("<style>")
-                || rendered.contains("<span")
-                || rendered.contains("<input")
-                || rendered.contains("<iframe")
-                || rendered.contains("<a")) {
-            rendered = encoder.sanitize(rendered);
+        if (!"REPORT".equals(contentTypeId)) { // FIXME here BIRT_REPORT_BUILDER_USAGE_POLICY should be used but I could not tweak it yet: the content of <script> are removed and should not. Also a more annoying no yet spotted issue with contentId dissapearing
+            if (rendered.contains("<script>")
+                    || rendered.contains("<!--")
+                    || rendered.contains("<div")
+                    || rendered.contains("<style>")
+                    || rendered.contains("<span")
+                    || rendered.contains("<input")
+                    || rendered.contains("<iframe")
+                    || rendered.contains("<a")) {
+                rendered = encoder.sanitize(rendered, contentTypeId);
+            }
         }
         return rendered; 
     }
diff --git a/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java b/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java
index e6c3bbd..2e4b5cb 100644
--- a/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java
+++ b/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java
@@ -111,7 +111,7 @@
             if (UtilValidate.isEmpty(outString)) {
                 outString = outString == null? "" : outString;
             }
-            outString = encoder.sanitize(outString);
+            outString = encoder.sanitize(outString, null);
             if (orderContentCache != null) {
                 orderContentCache.put(cacheKey, outString);
             }
diff --git a/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java b/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java
index 984acb0..4dbb12c 100644
--- a/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java
+++ b/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java
@@ -168,7 +168,7 @@
                 outString = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
                 outString = outString == null? "" : outString;
             }
-            outString = encoder.sanitize(outString);
+            outString = encoder.sanitize(outString, null);
             if (partyContentCache != null) {
                 partyContentCache.put(cacheKey, outString);
             }
@@ -176,11 +176,11 @@
         } catch (GeneralException e) {
             Debug.logError(e, "Error rendering PartyContent, inserting empty String", module);
             String candidateOut = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         } catch (IOException e) {
             Debug.logError(e, "Error rendering PartyContent, inserting empty String", module);
             String candidateOut = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         }
     }
 
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java b/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java
index 8bc9d70..ad728be 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java
@@ -110,7 +110,7 @@
                 outString = productCategory.getModelEntity().isField(candidateFieldName) ? productCategory.getString(candidateFieldName): "";
                 outString = outString == null? "" : outString;
             }
-            outString = encoder.sanitize(outString);
+            outString = encoder.sanitize(outString, null);
             if (categoryContentCache != null) {
                 categoryContentCache.put(cacheKey, outString);
             }
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java b/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java
index 415b182..96ed13a 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java
@@ -133,7 +133,7 @@
                 outString = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
                 outString = outString == null? "" : outString;
             }
-            outString = encoder.sanitize(outString);
+            outString = encoder.sanitize(outString, null);
             if (configItemContentCache != null) {
                 configItemContentCache.put(cacheKey, outString);
             }
@@ -141,11 +141,11 @@
         } catch (GeneralException e) {
             Debug.logError(e, "Error rendering ProdConfItemContent, inserting empty String", module);
             String candidateOut = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         } catch (IOException e) {
             Debug.logError(e, "Error rendering ProdConfItemContent, inserting empty String", module);
             String candidateOut = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         }
     }
 
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java
index 0911ec4..c70a9e7 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java
@@ -123,7 +123,7 @@
                 outString = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
                 outString = outString == null? "" : outString;
             }
-            outString = encoder.sanitize(outString);
+            outString = encoder.sanitize(outString, null);
             if (productContentCache != null) {
                 productContentCache.put(cacheKey, outString);
             }
@@ -131,11 +131,11 @@
         } catch (GeneralException e) {
             Debug.logError(e, "Error rendering ProductContent, inserting empty String", module);
             String candidateOut = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         } catch (IOException e) {
             Debug.logError(e, "Error rendering ProductContent, inserting empty String", module);
             String candidateOut = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         }
     }
 
diff --git a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java
index 5fcc368..bc4ab5f 100644
--- a/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java
+++ b/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java
@@ -128,7 +128,7 @@
                 outString = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
                 outString = outString == null? "" : outString;
             }
-            outString = encoder.sanitize(outString);
+            outString = encoder.sanitize(outString, null);
             if (productPromoContentCache != null) {
                 productPromoContentCache.put(cacheKey, outString);
             }
@@ -136,11 +136,11 @@
         } catch (GeneralException e) {
             Debug.logError(e, "Error rendering ProductPromoContent, inserting empty String", module);
             String candidateOut = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         } catch (IOException e) {
             Debug.logError(e, "Error rendering ProductPromoContent, inserting empty String", module);
             String candidateOut = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         }
     }
 
diff --git a/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java b/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java
index 975ecfe..b56e820 100644
--- a/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java
+++ b/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java
@@ -256,7 +256,7 @@
                 outString = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
                 outString = outString == null? "" : outString;
             }
-            outString = encoder.sanitize(outString);
+            outString = encoder.sanitize(outString, null);
             if (workEffortContentCache != null) {
                 workEffortContentCache.put(cacheKey, outString);
             }
@@ -264,11 +264,11 @@
         } catch (GeneralException e) {
             Debug.logError(e, "Error rendering WorkEffortContent, inserting empty String", module);
             String candidateOut = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         } catch (IOException e) {
             Debug.logError(e, "Error rendering WorkEffortContent, inserting empty String", module);
             String candidateOut = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
-            return candidateOut == null? "" : encoder.sanitize(candidateOut);
+            return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
         }
     }
 
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index 65bee31..5a63bf7 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -60,7 +60,11 @@
 
     public static interface SimpleEncoder {
         public String encode(String original);
-        public String sanitize(String outString); // Only really useful with HTML, else simply calls encode() method 
+        /**
+         * @deprecated Use {@link #sanitize(String,String)} instead
+         */
+        public String sanitize(String outString); // Only really useful with HTML, else it simply calls encode() method 
+        public String sanitize(String outString, String contentTypeId); // Only really useful with HTML, else it simply calls encode() method 
     }
 
     public static interface SimpleDecoder {
@@ -76,26 +80,70 @@
             }
             return htmlCodec.encode(IMMUNE_HTML, original);
         }
+        /**
+         * @deprecated Use {@link #sanitize(String,String)} instead
+         */
         public String sanitize(String original) {
+            return sanitize(original, null);
+        }
+        public String sanitize(String original, String contentTypeId) {
             if (original == null) {
                 return null;
             }
             PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES);
-            if (UtilProperties.getPropertyAsBoolean("owasp", "sanitizer.permissive.policy", false)) {
+
+            if (UtilProperties.getPropertyAsBoolean("owasp", "sanitizer.permissive.policy", false)) {// TODO to be improved to use a (or several) contentTypeId/s if possible 
                 sanitizer = sanitizer.and(PERMISSIVE_POLICY);
             }
+            if ("REPORT_MASTER".equals(contentTypeId)) {
+                sanitizer = sanitizer.and(BIRT_REPORT_BUILDER_GENERATION_POLICY);
+            }
+            if ("REPORT".equals(contentTypeId)) {
+                sanitizer = sanitizer.and(BIRT_REPORT_BUILDER_USAGE_POLICY);
+            }
             return sanitizer.sanitize(original);
         }
         // Given as an example based on rendering cmssite as it was before using the sanitizer.
         // To use the PERMISSIVE_POLICY set sanitizer.permissive.policy to true. 
-        // Note that I was unable to render </html> and </body>. I guess because are <html> and <body> are not sanitized in 1st place (else the sanitizer makes some damages I found)
+        // Note that I was unable to render </html> and </body>. I guess because <html> and <body> are not sanitized in 1st place (else the sanitizer makes some damages I found)
         // You might even want to adapt the PERMISSIVE_POLICY to your needs... Be sure to check https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet before...
         public static final PolicyFactory PERMISSIVE_POLICY = new HtmlPolicyBuilder()
+                .allowWithoutAttributes("html", "body")
                 .allowAttributes("id", "class").globally()
-                .allowElements("html", "body", "div", "center", "span", "table", "td")
+                .allowElements("div", "center", "span", "table", "td")
                 .allowWithoutAttributes("html", "body", "div", "span", "table", "td")
                 .allowAttributes("width").onElements("table")
                 .toFactory();
+        // This is the PolicyFactory used for the Birt Report Builder generation feature ("REPORT_MASTER" contentTypeId)
+        // It allows to create the OOTB Birt Report Builder example.
+        // You might need to enhance it for your needs but normally you should not
+        // In any case be sure to check https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet before changing things here...
+        public static final PolicyFactory BIRT_REPORT_BUILDER_GENERATION_POLICY = new HtmlPolicyBuilder()
+                .allowWithoutAttributes("html", "body")
+                .allowElements("div", "span", "table", "tr", "td")
+                .allowElements("form", "input", "textarea", "label", "select", "option")
+                .allowAttributes("id", "class", "name", "value", "onclick").globally()
+                .allowAttributes("width", "cellspacing").onElements("table")
+                .allowAttributes("type", "size", "maxlength").onElements("input")
+                .allowAttributes("cols", "rows").onElements("textarea")
+                .allowAttributes("class").onElements("td")
+                .allowAttributes("method").onElements("form")
+                .toFactory();
+        // This is the PolicyFactory used for the Birt Report Builder usage feature.  ("REPORT" contentTypeId)
+        // It allows to use the OOTB Birt Report Builder example.
+        // You might need to enhance it for your needs but normally you should not
+        // In any case be sure to check https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet before changing things here...
+        public static final PolicyFactory BIRT_REPORT_BUILDER_USAGE_POLICY = new HtmlPolicyBuilder()
+                .allowWithoutAttributes("html", "body")
+                .allowElements("div", "span", "table", "tr", "td", "script")
+                .allowElements("form", "input", "textarea", "label", "select", "option")
+                .allowAttributes("id", "class", "name", "value", "onclick").globally()
+                .allowAttributes("width", "cellspacing").onElements("table")
+                .allowAttributes("type", "size", "maxlength").onElements("input")
+                .allowAttributes("cols", "rows").onElements("textarea")
+                .allowAttributes("class").onElements("td")
+                .allowAttributes("method", "onsubmit").onElements("form")
+                .toFactory();
     }
 
     public static class XmlEncoder implements SimpleEncoder {
@@ -107,7 +155,13 @@
                }
                return xmlCodec.encode(IMMUNE_XML, original);
         }
+        /**
+         * @deprecated Use {@link #sanitize(String,String)} instead
+         */
         public String sanitize(String original) {
+            return sanitize(original, null);
+        }
+        public String sanitize(String original, String contentTypeId) {
             return encode(original);
         }
     }
@@ -121,7 +175,13 @@
                 return null;
             }
         }
+        /**
+         * @deprecated Use {@link #sanitize(String,String)} instead
+         */
         public String sanitize(String original) {
+            return sanitize(original, null);
+        }
+        public String sanitize(String original, String contentTypeId) {
             return encode(original);
         }
 
@@ -143,7 +203,13 @@
             }
             return original;
         }
+        /**
+         * @deprecated Use {@link #sanitize(String,String)} instead
+         */
         public String sanitize(String original) {
+            return sanitize(original, null);
+        }
+        public String sanitize(String original, String contentTypeId) {
             return encode(original);
         }
     }