[ https://issues.apache.org/jira/browse/OFBIZ-11686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17178482#comment-17178482 ]
Jacques Le Roux commented on OFBIZ-11686:
-----------------------------------------

Kudos for the good work James!

I understand that this is safe OOTB:
{{crossDomain: true, // set to true to allow the file to be shown under browser's sources folder}}

But could this not be used for attacks (just thinking aloud for now)?

> multi-block attribute for html-template tag
> -------------------------------------------
>
>                 Key: OFBIZ-11686
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11686
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/widget
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: James Yong
>            Priority: Minor
>             Fix For: Trunk
>
>         Attachments: OFBIZ-11686.patch, OFBIZ-11686.patch, OFBIZ-11686.patch
>
>
> Propose a new <script-template> widget tag that adds an external script after body tag.
> The external script will contain the rendered result of the specified template file location.
> e.g.
> {code:xml}
> <html>
> <script-template location="component://order/template/quote/test.ftl"/>
> {code}
> <platform-specific>
> will render as:
> {code:xml}
> </body>
> <script src="/ordermgr/control/getJs?name=test" type="application/javascript"></script>
> </html>
> {code}
> This will allow inline script from a freemarker file to be rendered as external script in html.
>
> Discussion was started at
> [https://lists.apache.org/thread.html/r7f8db3a8f5de057c5c5ca6c00608e477acfeaf5507a20b72b8daa3a8%40%3Cdev.ofbiz.apache.org%3E]
>
> *15th May 2020*
> While extracting the scripts from html-template to script-template and testing the changes, I found the process to be cumbersome.
> So I made a change not to use script-template tag but add a multi-block attribute to html-template tag.
> When *multi-block=true*, inline scripts will be extracted automatically from script tag and converted to external script.
> So no need to manually extract script from the existing freemarker template.
> Coding for script-template tag is removed

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
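The extraction the issue describes for multi-block=true (inline script blocks pulled out of the rendered html-template, served as one external script named after the template file and referenced right after </body>), as an added stand-alone illustration that is not OFBiz's code: the regex-based stripping, the ScriptStore class, the sample HTML and the getJs base URL are assumptions for the example, not the project's implementation.

```python
import os
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=", re.IGNORECASE)

# Constructed sample standing in for the rendered result of an html-template.
SAMPLE_HTML = """<html><body>
<div id="quote">Quote</div>
<script type="text/javascript">document.getElementById('quote').textContent = 'Hi';</script>
<script src="/static/vendor.js"></script>
<script>console.log('second block');</script>
</body></html>"""

def name_from_location(location):
    """'component://order/template/quote/test.ftl' -> 'test', the name in getJs?name=test."""
    return os.path.splitext(os.path.basename(location))[0]

class ScriptStore:
    """Stand-in (assumed, not OFBiz's) for what a getJs-style request reads from: only
    script bodies registered during rendering are retrievable, keyed by template name."""

    def __init__(self):
        self._scripts = {}

    def register(self, name, body):
        self._scripts[name] = body

    def get(self, name):
        return self._scripts.get(name)  # None for any name rendering never produced

def externalize_inline_scripts(html, location, store, base_url="/ordermgr/control/getJs"):
    """Remove inline <script> blocks (those without src=), register their concatenated
    bodies under the template name, and add one external <script> right after </body>."""
    name, blocks = name_from_location(location), []
    def strip_inline(match):
        attrs, body = match.group(1), match.group(2)
        if SRC_ATTR_RE.search(attrs):
            return match.group(0)  # already external: leave it untouched
        blocks.append(body.strip())
        return ""
    stripped = SCRIPT_RE.sub(strip_inline, html)
    if not blocks:
        return html  # nothing inline: output unchanged, nothing registered
    store.register(name, "\n".join(blocks))
    tag = '<script src="%s?name=%s" type="application/javascript"></script>' % (base_url, name)
    idx = stripped.lower().find("</body>")
    end = idx + len("</body>") if idx != -1 else len(stripped)
    return stripped[:end] + tag + stripped[end:]
```

Scripts that already carry a src attribute are left in place; only the name registered during rendering resolves in the store, so the name parameter by itself selects nothing that rendering did not produce.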