There is a solution to this already in place, and it is used in a few places. Take a look at the promotiondetails.ftl file, especially the expression:

${StringUtil.wrapString(productPromo.promoText?if_exists)}

BTW, this should ONLY be used for very trusted fields, i.e. fields that never have information that comes from a non-trusted user.

As for the uiLabelMap expressions, I like the fact that all possible HTML characters are encoded before sending it to the browser... it encourages the best practice and at the same time avoids issues where things come out in an unexpected way.

-David
On Mar 4, 2009, at 1:15 PM, Jacques Le Roux wrote:

1st thing: OFBiz trunk no longer uses .properties files but .xml files.

2nd thing: we don't allow HTML in labels (actually there are still some, but in the long term it should not be there, apart from some special cases like the famous CommonEmpty).

I think you will have to create a specific worker for that, i.e. no longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} but using something like Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}"), where renderUiLabelMap returns a StringBuilder embedding the original String.

I can see any other means; maybe there are, and someone will suggest something easier to you.

Jacques
From: "Stephen Rufle" <sru...@salmonllc.com>

In the ftl I use
${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}

Does this process get passed through some class that I can change and send a patch for? Then all properties could embed HTML.
Jacques Le Roux wrote:

As David explains below, you have to embed the String you create (I suppose by reading the property) into a StringBuilder.

Jacques
From: "Stephen Rufle" <sru...@salmonllc.com>

I think I have a related issue to this. I have .properties files with table headings in them. I used to be able to put a br tag <br> in the content of my labels to break two words.

ex.
"Cust.<br>Order# "
would turn into
"
Cust.
Order#
"
on my display; now it sends it literally. How do I get the old behavior back?
David E Jones wrote:

Have you been following the discussion on the mailing lists about the XSS/etc prevention efforts?

As a general practice, when you run into things like this you can usually find your answer pretty quickly by looking at commit logs, and by looking at code in OOTB OFBiz that does something similar to what you are trying to do. In this case, for example, looking at the productdetail screen and the groovy and ftl files that it uses will give you an example of how to handle this now.

The important thing to know is that now all String objects are automatically HTML encoded (using the OWASP ESAPI library). To avoid it, just use anything other than a String object. The normal way to do this is to create your script dynamically using a StringBuilder, and then just leave it as a StringBuilder instead of calling toString() on it before putting it in the context. Then it won't get HTML encoded...

On a side note, I know that the OOTB code isn't the best example of this, but usually it is best to generate your JavaScript in the FTL file. If you are dynamically generating any sort of text, a template file is usually the best tool to use and results in the cleanest and easiest to maintain code.

And as a bonus, you'll avoid this encoding issue too. In fact, part of the decision to do this general encoding is to encourage the practice of using templates for what they are meant to be used for.

Best of luck,
-David
On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:

A precision:
*** The error comes from Groovy
Because I have the problem only with Javascript scripts generated with Groovy.

An idea?
Thanks
Eric
----- Original Message ----- From: "Eric DE MAULDE" <eric...@free.fr>
To: <user@ofbiz.apache.org>
Sent: Monday, February 16, 2009 6:24 PM
Subject: Javascript is parsed to HTML (Freemarker ?)

Hi,

I updated my working copy.
*** Now all javascript is parsed to HTML (and appears on screen, just for my own application; Ecommerce is OK).
Script tags are ok.

Ex. in source:
<script language="JavaScript" type="text/javascript"><!--

Do you know where I can configure Freemarker?

In the HTML head tag, some chars are parsed too.

Eric
--
Stephen P Rufle
sru...@salmonllc.com
H1:480-626-8022
H2:480-802-7173
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle
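An added example, not OFBiz code and not written by anyone in this thread, that mimics the behaviour David describes: a context that HTML-encodes every String on the way out but passes a StringBuilder through untouched, which is why a deliberately kept StringBuilder is the only way for a trusted, developer-generated value to reach the page unencoded while untrusted input stays neutralised. The encodeForHtml helper is a stand-in for the OWASP ESAPI encoder, and the label and user-input values are constructed samples.

```java
import java.util.HashMap;
import java.util.Map;

public class EncodingContextDemo {

    // Stand-in for the OWASP ESAPI HTML encoder that OFBiz applies to String values.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Models the template context: Strings are encoded when read, anything else
    // (here a StringBuilder, as in the thread) is returned exactly as it was put in.
    static String render(Map<String, Object> context, String key) {
        Object value = context.get(key);
        if (value instanceof String) {
            return encodeForHtml((String) value);
        }
        return String.valueOf(value); // StringBuilder passes through unencoded
    }

    public static void main(String[] args) {
        Map<String, Object> context = new HashMap<>();
        // Constructed sample values.
        String label = "Cust.<br>Order# ";        // label carrying markup, as a String
        context.put("CUSTOMER_ORDER_NUMBER", label);
        // The trusted route: a developer-built StringBuilder that is never turned
        // back into a String with toString() before going into the context.
        context.put("trustedLabel", new StringBuilder(label));
        // Untrusted input is kept as a String so the encoder always neutralises it.
        context.put("userInput", "O'Neil & Sons <Ltd>");

        System.out.println(render(context, "CUSTOMER_ORDER_NUMBER"));
        System.out.println(render(context, "trustedLabel"));
        System.out.println(render(context, "userInput"));
    }
}
```

The first line prints the label with the br tag encoded (the "sends it literally" behaviour Stephen saw), the second prints the raw markup, and the third shows the quote, ampersand and brackets of the untrusted value encoded.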