Your second point makes sense to me, but I don't really know enough to comment, I'm not even sure what elements are considered safe.
Thanks Scott On 12/05/2009, at 4:33 PM, Hans Bakker wrote:
people would like to use the characters ">" and "<"is it perhaps a good idea to have all "description", "name" and perhapsother fields by default set to "safe" ? Regards Hans On Tue, 2009-05-12 at 16:24 +1200, Scott Gray wrote:Hi Hans Sorry if this is a stupid question, I haven't really looked in to the new html security stuff yet, but why would requestName contain html? Thanks Scott On 12/05/2009, at 3:20 PM, [email protected] wrote:Author: hansbak Date: Tue May 12 03:20:28 2009 New Revision: 773772 URL: http://svn.apache.org/viewvc?rev=773772&view=rev Log: allow safe html in customer request name and item content Modified: ofbiz/trunk/applications/order/servicedef/services_request.xml Modified: ofbiz/trunk/applications/order/servicedef/ services_request.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_request.xml?rev=773772&r1=773771&r2=773772&view=diff = = = = = = = == = ====================================================================--- ofbiz/trunk/applications/order/servicedef/services_request.xml (original) +++ ofbiz/trunk/applications/order/servicedef/services_request.xml Tue May 12 03:20:28 2009 @@ -42,6 +42,7 @@ <auto-attributes include="nonpk" mode="IN" optional="true"/> <attribute name="fromPartyId" type="String" mode="IN" optional="false"/> <auto-attributes include="all" mode="IN" entity- name="CustRequestItem" optional="true"/> + <override name="custRequestName" allow-html="safe"/> </service> <service name="updateCustRequest" engine="simple" default-entity- name="CustRequest" location="component://order/script/org/ofbiz/order/ request/CustRequestServices.xml" invoke="updateCustRequest" auth="true"> @@ -73,12 +74,14 @@ <auto-attributes include="pk" mode="INOUT" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> <override name="custRequestItemSeqId" optional="true"/> + <override name="story" allow-html="safe"/> </service> <service name="updateCustRequestItem" engine="simple" default- entity-name="CustRequestItem" location="component://order/script/org/ofbiz/order/ request/CustRequestServices.xml" invoke="updateCustRequestItem" auth="true"> <description>Update a CustRequestItem record</description> <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> + <override name="story" allow-html="safe"/> </service> <service name="copyCustRequestItem" default-entity- name="CustRequestItem" engine="simple" location="component://order/script/org/ofbiz/order/ request/CustRequestServices.xml" invoke="copyCustRequestItem" auth="true"> @@ -168,6 +171,7 @@ <attribute name="custRequestName" mode="IN" type="String" optional="true"/> <attribute name="custRequestId" mode="OUT" type="String" optional="false"/> <override name="content" allow-html="safe"/> + <override name="custRequestName" allow-html="safe"/> </service> <!-- custRequest content services -->-- Antwebsystems.com: Quality OFBiz services for competitive rates
smime.p7s
Description: S/MIME cryptographic signature
