[
https://issues.apache.org/jira/browse/OFBIZ-2645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12875809#action_12875809
]
Harmeet Bedi commented on OFBIZ-2645:
-------------------------------------
Ofbiz would not work if comments or description would be editable by a rich
text editor. This is a severe restriction.. but it is a matter of policy. As
secure as possible seems to be the policy.
Feel free to close, but this does limit functionality. That seems to be
tradeoff that project has taken.
> allow-html in service validation is too restrictive
> ---------------------------------------------------
>
> Key: OFBIZ-2645
> URL: https://issues.apache.org/jira/browse/OFBIZ-2645
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Harmeet Bedi
> Fix For: SVN trunk
>
> Attachments: allow-html.diff
>
>
> Service 'IN' parameters are validated. Default is allow-html='none'
> This filters out all the html chars. e.g one cannot set this text "Tom's age
> is likely > Paul's age"
> '>' is not allowed
> Rederers already escape html, so it may be best to keep validation
> alllow-html='any'. If service has a need to constrain, service should specify
> allow-html explicitly.
> Attaching patch. Please let me if this does not make sense.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
