Log Message: |
Fixes <<Services allow arbitrary HTML for parameters with allow-html set to "safe">> https://issues.apache.org/jira/browse/OFBIZ-5254
After r751990, <<allow-html="any">> and <<allow-html="safe">> are the same: they do nothing! The only difference is the warning message from the OWASP Antisamy IntrusionDetector, which is both, as Christoph noted, "giving you a false sense of security" or, as I wrote, "disturbing, wrong and useless". So there are no longer any reasons for differentiating "safe" and "any".
This:
* Deprecates "safe" (making it clear in the XSD documentation), keeping only "none" and "any". This is for backward compatibility, else we could completely remove the misleading "safe". Note that "none" is the default.
* Replaces all allow-html="safe" with allow-html="any" in service definitions
* Removes from ModelService.java (near line 587) the code which throws the OWASP Antisamy IntrusionDetector message in the log
|