[ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12683496#action_12683496 ]

Stephen Rufle commented on OFBIZ-2231:
--------------------------------------


When the following PostalAddress
{code:xml}
<PostalAddress toName="To" stateProvinceGeoId="NJ" postalCode="08873" 
countryGeoId="USA" contactMechId="001" city="SOMERSET" attnName="Steve"
 address2="100 Some Ave" address1="First&amp;Broadway"/>
{code}

is imported using the textarea on /webtools/control/EntityImport, the "fulltext" parameter ultimately gets encoded using

{code}org.owasp.esapi.Encoder.canonicalize(String s, boolean flag){code}

After the call the embedded
{code}"&amp;" gets turned into "&"{code}

Then in
{code}org.ofbiz.webtools.WebToolsServices.entityImport(DispatchContext, 
Map<String, ? extends Object>){code}
it needs to be undone to get the XML parser to be happy. Any XML parser will have issues with stray & symbols.

So I am not sure what the solution is. The security reasons for the canonicalize call outweigh this issue, so I would not want to not canonicalize parameter values, but it seems to me that we have to undo whatever was done to this very specific parameter before it can be passed to the
{code}
org.ofbiz.entity.util.EntitySaxReader.parse(String)
{code}
method.

So I would like to vote that my solution is suitable for this particular case.
David: "... it will cause other problems in other scenarios ..."
Is the worry that there are other cases where we will need to handle XML being passed in a field, and this same re-encoding will need to be done in many different places?

My other proposed solution would be to create a new method that can be called on the text that turns it back into suitable XML for parsing. Where right now I guess I am just in-lining that functionality.


> Escaped ampersands in xml import need to be reencoded
> -----------------------------------------------------
>
>                 Key: OFBIZ-2231
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2231
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>         Environment: Windows XP
>            Reporter: Stephen Rufle
>            Assignee: Jacques Le Roux
>             Fix For: SVN trunk
>
>         Attachments: 2009-03-06_WebToolsServices.patch
>
>
> While trying to import
> {code:xml}
> <PostalAddress toName="To" stateProvinceGeoId="NJ" postalCode="08873" 
> countryGeoId="USA" contactMechId="001" city="SOMERSET" attnName="Steve"
>  address2="100 Some Ave" address1="First&amp;Broadway"/>
> {code}
> I got the following exception. I think that the recent security stuff encodes 
> the xml so it is no longer valid during the reader.parse call in 
> org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(...) 
> My solution is to make a call to 
> {code}
> xmltext = StringUtil.replaceString(xmltext, "&", "&amp;");
> {code}
> before reader.parse is called:
> {code}
> An error occurred saving the data, rolling back transaction (true)
> Exception: org.xml.sax.SAXException
> Message: Error storing value
> ---- stack trace 
> ---------------------------------------------------------------
> org.ofbiz.entity.GenericEntityException: Error while inserting: 
> [GenericEntity:PartyRelationship]...
> javolution.xml.sax.XMLReaderImpl.parseAll(Unknown Source)
> javolution.xml.sax.XMLReaderImpl.parse(Unknown Source)
> org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:258)
> org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:209)
> org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(WebToolsServices.java:459)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> java.lang.reflect.Method.invoke(Unknown Source)
> org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
> org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
> org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
> org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
> org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
> org.ofbiz.webtools.WebToolsServices.entityImport(WebToolsServices.java:203)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> java.lang.reflect.Method.invoke(Unknown Source)
> org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
> org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
> org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
> org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
> org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
> org.ofbiz.webapp.event.ServiceEventHandler.invoke(ServiceEventHandler.java:328)
> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:530)
> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:328)
> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:201)
> org.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:77)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:259)
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
> org.ofbiz.catalina.container.CrossSubdomainSessionValve.invoke(CrossSubdomainSessionValve.java:44)
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> java.lang.Thread.run(Unknown Source)
> ---------------------------------------------------------------
> {code}
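The canonicalize-then-reparse round trip that the comment above describes, as an added example that is not OFBiz's or ESAPI's code. It uses Python stand-ins, which is an assumption: html.unescape models only the HTML-entity decoding step of org.owasp.esapi.Encoder.canonicalize, and str.replace models the proposed StringUtil.replaceString("&" to "&amp;") fix. The PostalAddress sample is the one from the report; the second sample is constructed. The example also goes beyond the report's case to show one of the "other scenarios" the quoted objection alludes to: an attribute value escaped as &lt; is decoded to a bare <, which XML forbids inside attribute values, and re-encoding ampersands cannot restore it.

```python
import html
import xml.etree.ElementTree as ET

# Sample from the bug report: the attribute value "First&amp;Broadway" is
# correctly escaped, so this element parses as written.
SAMPLE_XML = (
    '<PostalAddress toName="To" stateProvinceGeoId="NJ" postalCode="08873" '
    'countryGeoId="USA" contactMechId="001" city="SOMERSET" attnName="Steve" '
    'address2="100 Some Ave" address1="First&amp;Broadway"/>'
)

# Constructed sample: a less-than sign escaped as &lt; in an attribute value.
LT_SAMPLE = '<Note text="a &lt; b"/>'


def canonicalize_like(text: str) -> str:
    """Stand-in for Encoder.canonicalize (assumption: only the HTML-entity
    decoding step is modelled). '&amp;' becomes '&', '&lt;' becomes '<'."""
    return html.unescape(text)


def reescape_ampersands(text: str) -> str:
    """The in-lined fix from the report: every bare '&' back to '&amp;'."""
    return text.replace("&", "&amp;")


def parses(text: str) -> bool:
    """True if a strict XML parser accepts the text."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def round_trip(xml_text: str) -> dict:
    """Run the text through the decode step and the proposed repair, recording
    whether the XML parser is happy at each stage."""
    decoded = canonicalize_like(xml_text)
    repaired = reescape_ampersands(decoded)
    return {
        "decoded": decoded,
        "decoded_parses": parses(decoded),
        "repaired": repaired,
        "repaired_parses": parses(repaired),
    }


def address1_after_repair(xml_text: str) -> str:
    """The address1 attribute as the entity engine would finally see it."""
    return ET.fromstring(round_trip(xml_text)["repaired"]).get("address1")


if __name__ == "__main__":
    for label, sample in (("report sample", SAMPLE_XML), ("&lt; sample", LT_SAMPLE)):
        result = round_trip(sample)
        print(f"{label}: original parses={parses(sample)}")
        print(f"  after canonicalize: {result['decoded']!r} parses={result['decoded_parses']}")
        print(f"  after re-escaping &: {result['repaired']!r} parses={result['repaired_parses']}")
    print("address1 seen by the entity engine:", address1_after_repair(SAMPLE_XML))
```

For the report's own element the repair works: decoding breaks the parse, re-escaping restores it, and the stored value is "First&Broadway". For the &lt; sample the decoded text contains a bare "<" inside an attribute value, no "&" remains to re-escape, and the parse still fails, which is the kind of scenario a dedicated "turn it back into XML" method would have to address rather than the single ampersand replacement.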
