This is an automated email from the ASF dual-hosted git repository.
mridulpathak pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 9659f494aa Fixed: Order view page CSS leak from embedded email communication content (OFBIZ-13390) (#1213)
9659f494aa is described below
commit 9659f494aa5a8d0f7aed7c7d280cd1f38b0e0999
Author: toaditi <[email protected]>
AuthorDate: Sat May 16 14:15:43 2026 +0530
Fixed: Order view page CSS leak from embedded email communication content (OFBIZ-13390) (#1213)
## Summary
When a `CommunicationEvent` exists on an order, the `OrderConversations`
screen dumps the stored email HTML (a full `<!DOCTYPE html>` document,
with its own `<style>` block containing a global CSS reset) directly
inline into the order view page. Browsers parse that `<style>` at
document scope — not div scope — so the email's reset cascades into the
parent page and breaks the order layout: tables lose padding, the body
background changes, `.screenlet` styling is overridden, etc.
## Fix
Render the email body inside an `<iframe>` so its CSS lives in its own
document context and cannot leak. The stored content is
HTML-entity-encoded, so it's decoded client-side via a `<textarea>`
before being assigned to `srcdoc`.
One file changed:
`applications/party/template/party/DisplayCommunicationContent.ftl`.
## Test plan
- [ ] Open an order that has at least one communication event (e.g. send an order confirmation email, then revisit the order view).
- [ ] Expand the "All Communication Events" section.
- [ ] Verify the email body renders inside a bordered iframe with the email's own styling (heading, cards, items table).
- [ ] Verify the parent order view page styling is unaffected — tables, padding, screenlets all render normally.
- [ ] Verify the iframe auto-resizes to fit the email content (`onload` handler).
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
.../template/party/DisplayCommunicationContent.ftl | 23 ++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/applications/party/template/party/DisplayCommunicationContent.ftl b/applications/party/template/party/DisplayCommunicationContent.ftl
index 53f555e6d7..a23fa5a519 100644
--- a/applications/party/template/party/DisplayCommunicationContent.ftl
+++ b/applications/party/template/party/DisplayCommunicationContent.ftl
@@ -18,7 +18,22 @@ under the License.
-->
-<#-- Display content in a specific div to avoid display conflicts -->
-<div style="margin-left: 14%;width:50% !important;">
- ${StringUtil.wrapString(childCommEvent.content!)}
-</div>
\ No newline at end of file
+<#-- iframe isolates the email's <style> block from the parent page. Stored
content is
+ HTML-entity-encoded, so decode it via a textarea before assigning to
srcdoc. -->
+<#assign iframeId = "commContent_" + childCommEvent.communicationEventId>
+<iframe id="${iframeId}"
+ sandbox="allow-same-origin"
+ style="width: 100%; min-height: 600px; border: 1px solid #ccc;
margin-left: 14%;"></iframe>
+<script type="text/javascript">
+ (function() {
+ var iframe = document.getElementById('${iframeId}');
+ iframe.onload = function() {
+ try {
+ this.style.height =
(this.contentWindow.document.documentElement.scrollHeight + 20) + 'px';
+ } catch (e) {}
+ };
+ var decoder = document.createElement('textarea');
+ decoder.innerHTML =
'${StringUtil.wrapString((childCommEvent.content!'')?js_string)}';
+ iframe.srcdoc = decoder.value;
+ })();
+</script>
\ No newline at end of file
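Review bot: the `sandbox="allow-same-origin"` on the new `<iframe>` needs a comment saying why it is there and what must not be added to it. It exists only so the `onload` handler can read `this.contentWindow.document.documentElement.scrollHeight` (without it that access throws and the empty `catch (e) {}` silently leaves the frame at `min-height`), and `allow-scripts` must never be added alongside it, because a same-origin frame that can run script can reach the parent document and remove its own `sandbox` attribute, which would undo the isolation this change introduces. In the same region, the `<script>` block is only safe against a stored body containing `</script>` because of `?js_string` on the literal, so the template comment should name that dependency, or the encoded body could be carried in a `data-` attribute and read via `dataset` instead of an inline literal. Layout: `width: 100%` together with `margin-left: 14%` will overflow the container horizontally; the replaced `<div>` used `width:50%` with the same margin.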
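As an added example, not code from the OFBiz commit or project: the two transformations the patched template depends on, written out in plain JavaScript so they can be checked outside a browser, with the browser-only mount alongside them. `decodeHtmlEntities` stands in for what the detached `<textarea>` does in the template, `escapeForJsStringLiteral` states the property the template gets from FreeMarker's `?js_string` (FreeMarker's exact output differs), and `mountIsolatedEmail` mirrors the sandboxed `<iframe>` plus `onload` resize. The function names and the `STORED_EMAIL` sample are constructed for this example.

```javascript
// Added example, not part of the OFBiz commit or project: the decode and
// escape steps the patched template relies on, plus the browser-side mount.
// Function names and the STORED_EMAIL sample below are constructed here.

// Constructed sample of an entity-encoded stored email body. Inlined into the
// page as-is it would be text; decoded and inlined it would apply a global
// CSS reset to the parent document, which is the bug the commit fixes.
const STORED_EMAIL =
  '&lt;!DOCTYPE html&gt;&lt;html&gt;&lt;head&gt;&lt;style&gt;' +
  'body,table,td{margin:0;padding:0;background:#fff}&lt;/style&gt;&lt;/head&gt;' +
  '&lt;body&gt;&lt;h1&gt;Order confirmation&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;';

// Step 1: decode HTML entities. In the template a detached <textarea> does
// this (its content is RCDATA, so entities decode but tags are never parsed).
// This is a hand-written equivalent covering common named entities and
// decimal/hex numeric references; unknown entities are left untouched.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", nbsp: '\u00a0' };

function decodeHtmlEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const code = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return code >= 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// Step 2: make a string safe to embed as a single-quoted JavaScript literal
// inside an HTML <script> block. Quotes, backslashes and line terminators are
// escaped for the JS parser; '<' and '>' are escaped so that "</script>" or
// "<!--" in the data can never terminate or comment out the script element.
// This states the property the template gets from FreeMarker's ?js_string.
function escapeForJsStringLiteral(text) {
  return text.replace(/[\\'"<>\r\n\u2028\u2029]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case "'": return "\\'";
      case '"': return '\\"';
      case '<': return '\\x3C';
      case '>': return '\\x3E';
      case '\r': return '\\r';
      case '\n': return '\\n';
      case '\u2028': return '\\u2028'; // legal in HTML text, a line break to JS
      case '\u2029': return '\\u2029';
      default: return ch;
    }
  });
}

// What the server would emit into the page: the inline script's string literal.
function renderScriptLiteral(encodedHtml) {
  return "'" + escapeForJsStringLiteral(encodedHtml) + "'";
}

// Step 3 (browser only): render the decoded email in its own document so its
// <style> cannot cascade into the parent, and size the frame to its content.
function mountIsolatedEmail(doc, container, frameId, encodedHtml) {
  const iframe = doc.createElement('iframe');
  iframe.id = frameId;
  // allow-same-origin is needed only so the load handler may read the frame's
  // scrollHeight. Never add allow-scripts next to it: a same-origin frame that
  // can run script can reach the parent document and remove its own sandbox.
  iframe.setAttribute('sandbox', 'allow-same-origin');
  iframe.style.cssText = 'width:100%;min-height:600px;border:1px solid #ccc;';
  iframe.addEventListener('load', () => {
    try {
      const root = iframe.contentWindow.document.documentElement;
      iframe.style.height = (root.scrollHeight + 20) + 'px';
    } catch (e) {
      // Access denied (e.g. sandbox changed): keep the min-height fallback.
    }
  });
  iframe.srcdoc = decodeHtmlEntities(encodedHtml);
  container.appendChild(iframe);
  return iframe;
}

if (typeof document !== 'undefined') {
  // In a browser: mount the constructed sample into the page.
  mountIsolatedEmail(document, document.body, 'commContent_demo', STORED_EMAIL);
}
```

In a browser the final statement mounts the constructed sample into `document.body`; under Node only the pure functions are exercised. The property worth checking is the one the template's inline `<script>` needs: the emitted literal must round-trip through the JS parser to the original string and must contain neither `</script>` nor `<!--`, whatever the stored email body holds.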