An issue (https://issues.apache.org/jira/browse/OFBIZ-2645) is that the default value
of allow-html is very restrictive.
This is as per the "start with the most constrained" best practice in security.
The default is allow-html="none".
It not only disallows HTML, it also disallows simple text like
"Tom's age is likely > Paul's age": the '>' breaks it.
allow-html="safe" also does not seem to work well. It does not allow well-formed
HTML.
Here is a proposal:
HTML and descriptive text with characters like '>' should be allowable whenever
there is description text input by the user.
Change services that deal with description/comments/reason/noteInfo fields to
have allow-html="any".
An example of this is the 'updateWorkEffortNote' service. It could change from
    <service name="updateWorkEffortNote" engine="simple"
            location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml"
            invoke="updateWorkEffortNote" auth="true">
        <description>Update a WorkEffort Note</description>
        <attribute name="workEffortId" type="String" mode="IN" optional="false"/>
        <attribute name="noteId" type="String" mode="IN" optional="false"/>
        <attribute name="internalNote" type="String" mode="IN" optional="false"/>
        <attribute name="noteInfo" type="String" mode="IN" optional="true"/>
    </service>
to
    <service name="updateWorkEffortNote" engine="simple"
            location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml"
            invoke="updateWorkEffortNote" auth="true">
        <description>Update a WorkEffort Note</description>
        <attribute name="workEffortId" type="String" mode="IN" optional="false"/>
        <attribute name="noteId" type="String" mode="IN" optional="false"/>
        <attribute name="internalNote" type="String" mode="IN" optional="false"/>
        <attribute name="noteInfo" type="String" mode="IN" optional="true"
                allow-html="any"/>
    </service>
If this seems acceptable, I can send patches with services for review and
commits.
Harmeet
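The three allow-html settings discussed in the message above, modelled as input checks so the trade-off is visible on concrete input. This is an added example, not OFBiz's own validation code or the patch proposed above: the tag/attribute allow-list for "safe", the function names and the three sample strings are all assumptions made here, and whether OFBiz's real "safe" filter accepts a given piece of markup depends on its policy configuration, which is not shown on this page.

```python
"""Illustrative model of allow-html="none" / "safe" / "any" for a service attribute.

Added example; NOT OFBiz's implementation. The allow-list below and the
sample inputs are assumptions chosen to show the behaviour described above.
"""
import html
from html.parser import HTMLParser

# Assumed allow-list of harmless formatting tags for the "safe" policy.
SAFE_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
# Attributes permitted on those tags; anything else (on*, style, ...) is rejected.
SAFE_ATTRS = {"a": {"href", "title"}}


class _TagCollector(HTMLParser):
    """Collects every tag and attribute the stdlib parser finds in the input."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []  # (tag, attribute-name, attribute-value)

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend((tag, name, value) for name, value in attrs)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.tags.append(tag)


def check_none(value):
    """allow-html="none": any raw angle bracket fails, markup or not.

    This is why plain prose such as "a > b" is rejected under the default."""
    if "<" in value or ">" in value:
        return False, "none: raw '<' or '>' is not allowed"
    return True, ""


def check_safe(value):
    """allow-html="safe": markup passes only if every tag and attribute is allow-listed.

    A '>' that is not part of a tag is plain text to the parser and passes."""
    parser = _TagCollector()
    parser.feed(value)
    parser.close()
    bad_tags = sorted({t for t in parser.tags if t not in SAFE_TAGS})
    if bad_tags:
        return False, f"safe: tag(s) not allowed: {bad_tags}"
    for tag, name, val in parser.attrs:
        if name not in SAFE_ATTRS.get(tag, set()):
            return False, f"safe: attribute {name!r} not allowed on <{tag}>"
        if name == "href" and (val or "").strip().lower().startswith("javascript:"):
            return False, "safe: javascript: URL not allowed"
    return True, ""


def check_any(value):
    """allow-html="any": nothing is checked on input; the value is stored verbatim."""
    return True, ""


POLICIES = {"none": check_none, "safe": check_safe, "any": check_any}


def validate(value, allow_html="none"):
    """Apply the check selected by the attribute's allow-html setting."""
    return POLICIES[allow_html](value)


def output_for_template(value, allow_html):
    """What a view should emit: only allow-listed ("safe") markup may go out raw.

    Anything accepted under "any" must be HTML-escaped (or re-sanitised) at
    render time, otherwise a stored payload becomes stored XSS."""
    if allow_html == "safe":
        return value
    return html.escape(value, quote=True)


# Constructed sample inputs: prose with '>', well-formed markup, and a payload.
PROSE = "Tom's age is likely > Paul's age"
MARKUP = "<p>Status: <b>done</b></p>"
PAYLOAD = '<img src="x" onerror="alert(1)">'
SAMPLES = [PROSE, MARKUP, PAYLOAD]


def matrix():
    """Accept/reject result of every sample under every policy."""
    return {policy: [validate(s, policy)[0] for s in SAMPLES] for policy in POLICIES}


if __name__ == "__main__":
    for policy, results in matrix().items():
        print(f"{policy:5s} {results}")
    print("stored under 'any', rendered escaped:", output_for_template(PAYLOAD, "any"))
```

Running it shows the point of the thread in one table: "none" rejects all three inputs, including the harmless prose; "safe" (with this allow-list) accepts the prose and the `<p>/<b>` markup but rejects the `<img onerror>` payload; "any" accepts everything, which is exactly why a field switched to allow-html="any" needs escaping or sanitising on the way out rather than on the way in.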