Hi John,

Sorry not to have noticed that. I read your message but I guess not completely and did not see

> Another purpose for this function is to safeguard user input that is
> later displayed in the browser.

Surely a bad behaviour from an irrepressible instinctive repulsion to the PHP word ;o)

I'm also surprised that there is no equivalent in Java, not sure why though (any thoughts, folks here?)

From your side perhaps a better way would have been to post directly on the related Jira issues (I say that for the future :o)
http://issues.apache.org/jira/browse/OFBIZ-178
http://issues.apache.org/jira/browse/OFBIZ-260
Thus you could have posted a patch, which is the preferred way to include code.

Anyway this is great and our first pace to resolve this issue. I will commit your proposition ASAP.

Thanks John

Jacques

From: "John Martin" <[EMAIL PROTECTED]>
> Hi Jacques,
>
> Ironically I posted this about a week ago and nobody responded to it.
> I agree and think that nearly ANY text that originates from user input
> should be made safe. Here is my earlier post:
>
> I'm looking to include a new method htmlSpecialChars into the
> StringUtil class and am looking for feedback.
>
> While working on the DHL enhancement, I found the need for a method
> similar to the PHP function htmlSpecialChars which allows you to
> output HTML and XML to the browser so that it can be viewed. When
> there are errors, the XML is being output to the screen but the
> special chars ( <, >, &, ", and ' ) are not displayed.
>
> Another purpose for this function is to safeguard user input that is
> later displayed in the browser.
>
> Here is a link to docs on the PHP function
> http://us3.php.net/htmlspecialchars.
>
> Here's my implementation:
>
>     /**
>      * Translates various HTML characters in a string so that the
>      * string can be displayed in a browser safely
>      * <p>
>      * This function is useful in preventing user-supplied text from
>      * containing HTML markup, such as in a message board or
>      * guest book application. The optional arguments doubleQuotes and
>      * singleQuotes allow the control of the substitution of
>      * the quote characters. The default is to translate them with
>      * the HTML equivalent.
>      * </p>
>      * The translations performed are: <ol>
>      * <li>'&' (ampersand) becomes '&amp;'
>      * <li>'"' (double quote) becomes '&quot;' when doubleQuotes is true.
>      * <li>''' (single quote) becomes '&#039;' when singleQuotes is true.
>      * <li>'<' (less than) becomes '&lt;'
>      * <li>'>' (greater than) becomes '&gt;'
>      * <li>\n (Carriage Return) becomes '&lt;br&gt;' when insertBR is true.
>      * </ol>
>      */
>     public static String htmlSpecialChars(String html, boolean doubleQuotes, boolean singleQuotes, boolean insertBR) {
>         // '&' must be replaced first so the entities produced below are not re-encoded
>         html = StringUtil.replaceString(html, "&", "&amp;");
>         html = StringUtil.replaceString(html, "<", "&lt;");
>         html = StringUtil.replaceString(html, ">", "&gt;");
>         if (doubleQuotes) {
>             html = StringUtil.replaceString(html, "\"", "&quot;");
>         }
>         if (singleQuotes) {
>             html = StringUtil.replaceString(html, "'", "&#039;");
>         }
>         if (insertBR) {
>             html = StringUtil.replaceString(html, "\n", "<br>");
>         }
>
>         return html;
>     }
>
>     public static String htmlSpecialChars(String html) {
>         return htmlSpecialChars(html, true, true, true);
>     }
>
> Thanks,
>
> John
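Added here as an illustration, not part of the thread and not OFBiz's StringUtil: a single-pass version of the same escaping, with a check of why the ampersand replacement has to come before the others in the multi-pass form. The class name, the badOrder helper and the sample input string are constructed for this example.

```java
// Added example (not OFBiz code): single-pass HTML escaping equivalent to the
// quoted htmlSpecialChars, plus a check showing why '&' must be handled first.
public final class HtmlEscapeDemo {

    /** Escapes the HTML special characters in one pass over the input. */
    public static String escapeHtml(String s, boolean doubleQuotes, boolean singleQuotes, boolean insertBR) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;"); break;
                case '<':  out.append("&lt;"); break;
                case '>':  out.append("&gt;"); break;
                case '"':  out.append(doubleQuotes ? "&quot;" : "\""); break;
                // numeric reference rather than &apos;, which HTML 4 does not define
                case '\'': out.append(singleQuotes ? "&#39;" : "'"); break;
                case '\n': out.append(insertBR ? "<br>" : "\n"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Multi-pass replacement with the ampersand step done last: double-encodes its own output. */
    static String badOrder(String s) {
        s = s.replace("<", "&lt;");
        s = s.replace(">", "&gt;");
        s = s.replace("&", "&amp;");   // turns the "&lt;" just produced into "&amp;lt;"
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample: user-supplied text containing markup, quotes and a line break.
        String input = "<b onclick='x'>Tom & Jerry</b>\nnext";
        String escaped = escapeHtml(input, true, true, true);
        String expected = "&lt;b onclick=&#39;x&#39;&gt;Tom &amp; Jerry&lt;/b&gt;<br>next";
        if (!expected.equals(escaped)) throw new AssertionError(escaped);

        // The single pass never re-encodes what it emits; the wrong replace order does.
        if (!"&lt;".equals(escapeHtml("<", true, true, true))) throw new AssertionError();
        if (!"&amp;lt;".equals(badOrder("<"))) throw new AssertionError(badOrder("<"));
        System.out.println("ok: " + escaped);
    }
}
```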
