buildbot failure in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a new failure on builder ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/2117 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: downstream Build Source Stamp: [branch trunk] 4bab66e5016c1dd758127bb9d5b5a4e136d03773 Blamelist: Jacques Le Roux BUILD FAILED: failed check testIntegration Sincerely, -The Buildbot
[ofbiz-framework] 01/02: Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomp
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 725c8543e0df45c011a0c645b0a57ce9a42fa61d Author: Jacques Le Roux AuthorDate: Wed Jun 9 10:51:34 2021 +0200 Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. Steps to reproduce: 1. Turn off `sanitizer.enable` in owasp.properties 2. Create a WorkEffort entity with name as `alert(1)` 3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort 4. Search for "Work Effort Name" which contains "script" Thanks: Xin Wang --- themes/common/template/macro/HtmlFormMacroLibrary.ftl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/themes/common/template/macro/HtmlFormMacroLibrary.ftl b/themes/common/template/macro/HtmlFormMacroLibrary.ftl index df6bce7..48bbc7d 100644 --- a/themes/common/template/macro/HtmlFormMacroLibrary.ftl +++ b/themes/common/template/macro/HtmlFormMacroLibrary.ftl @@ -816,7 +816,7 @@ Parameter: delegatorName, String, optional - name of the delegator in context. data-dialog-url="${linkUrl}" <#if text?has_content>data-dialog-title="${text}" <#if linkStyle?has_content>class="${linkStyle}"> -<#if description?has_content>${description} +<#if description?has_content>${description?html} <#else> class="${linkStyle}" href="${linkUrl}"<#if targetWindow?has_content> target="${targetWindow}" @@ -824,6 +824,6 @@ Parameter: delegatorName, String, optional - name of the delegator in context. <#if confirmation?has_content> data-confirm-message="${confirmation}" <#if id?has_content> id="${id}" <#if imgSrc?length == 0 && title?has_content> title="${title}"> - <#if imgSrc?has_content>${description} + <#if imgSrc?has_content>${description?html}
[ofbiz-framework] 01/02: Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomp
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit a99cbb53782cc5fd209184a2ef1031d150c43e0d Author: Jacques Le Roux AuthorDate: Wed Jun 9 10:51:34 2021 +0200 Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. Steps to reproduce: 1. Turn off `sanitizer.enable` in owasp.properties 2. Create a WorkEffort entity with name as `alert(1)` 3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort 4. Search for "Work Effort Name" which contains "script" Thanks: Xin Wang --- themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl index 22a912e..0c852d6 100644 --- a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl +++ b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl @@ -743,7 +743,7 @@ Parameter: delegatorName, String, optional - name of the delegator in context. data-dialog-url="${linkUrl}" <#if text?has_content>data-dialog-title="${text}" <#if linkStyle?has_content>class="${linkStyle}"> -<#if description?has_content>${description} +<#if description?has_content>${description?html} <#else> class="${linkStyle}" href="${linkUrl}"<#if targetWindow?has_content> target="${targetWindow}" @@ -751,6 +751,6 @@ Parameter: delegatorName, String, optional - name of the delegator in context. <#if confirmation?has_content> data-confirm-message="${confirmation}" <#if id?has_content> id="${id}" <#if imgSrc?length == 0 && title?has_content> title="${title}"> - <#if imgSrc?has_content>${description} + <#if imgSrc?has_content>${description?html}
[ofbiz-framework] 02/02: Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit bb254caddd08846e0c4e3bf6341a1e10d2321178 Author: Jacques Le Roux AuthorDate: Wed Jun 9 10:57:51 2021 +0200 Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249) When trying to add a note to WorkEffort entity, I found that URL encoded characters are unescaped, which is not expected. e.g.: 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01 2. Add a note with content: https://example.com/a%20link 3. After submission, it will turned to be: https://example.com/a link Thanks: Xin Wang for report and exchanges until solution I provided Conflicts: UtilHttp.java: removes unused OOTB checkURLforSpiders for simplification UtilValidate.java: replaces DEFAULT_EMPTY_OK simply by true --- .../java/org/apache/ofbiz/base/util/UtilHttp.java | 130 +++-- .../org/apache/ofbiz/base/util/UtilValidate.java | 15 ++- 2 files changed, 82 insertions(+), 63 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java index 666316a..56c4e35 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java @@ -62,7 +62,6 @@ import org.apache.commons.fileupload.FileItem; import org.apache.commons.fileupload.FileUploadException; import org.apache.commons.fileupload.disk.DiskFileItemFactory; import org.apache.commons.fileupload.servlet.ServletFileUpload; -import org.apache.commons.fileupload.servlet.ServletRequestContext; import org.apache.commons.lang.RandomStringUtils; import org.apache.http.NameValuePair; import org.apache.http.client.utils.URLEncodedUtils; @@ -78,10 +77,6 @@ import org.apache.ofbiz.webapp.control.ConfigXMLReader; import org.apache.ofbiz.webapp.control.SameSiteFilter; import org.apache.ofbiz.webapp.event.FileUploadProgressListener; import org.apache.ofbiz.widget.renderer.VisualTheme; -import org.apache.oro.text.regex.MalformedPatternException; -import org.apache.oro.text.regex.Pattern; -import org.apache.oro.text.regex.PatternMatcher; -import org.apache.oro.text.regex.Perl5Matcher; import com.ibm.icu.util.Calendar; @@ -405,7 +400,30 @@ public final class UtilHttp { public static Map canonicalizeParameterMap(Map paramMap) { for (Map.Entry paramEntry: paramMap.entrySet()) { if (paramEntry.getValue() instanceof String) { -paramEntry.setValue(canonicalizeParameter((String) paramEntry.getValue())); +String paramEntries = (String) paramEntry.getValue(); +String[] stringValues = paramEntries.split(" "); +String params = ""; +// Handles textareas, see OFBIZ-12249 +if (stringValues.length > 0) { +for (String s : stringValues) { +// if the string contains only an URL beginning by http or ftp => no change to keep special chars +if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 4 || s.indexOf("://") == 3)) { +params = params + s + " " ; +} else if (UtilValidate.isUrl(s) && !s.isEmpty()) { +// if the string contains not only an URL => concatenate possible canonicalized before and after, w/o changing the URL +String url = extractUrls(s).get(0); // THere should be only 1 URL in a block, makes no sense else +int start = s.indexOf(url); +String after = (String) s.subSequence(start + url.length(), s.length()); +params = params + canonicalizeParameter((String) s.subSequence(0, start)) + url + canonicalizeParameter(after) + " "; +} else { +// Simple string to canonicalize +params = params + canonicalizeParameter(s) + " "; +} +} +paramEntry.setValue(params.trim()); +} else { +paramEntry.setValue(canonicalizeParameter(paramEntries)); +} } else if (paramEntry.getValue() instanceof Collection) { List newList = new LinkedList<>(); for (String listEntry: UtilGenerics.checkCollection(paramEntry.getValue())) { @@ -1147,7 +1165,7 @@ public final class UtilHttp { response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private"); // HTTP/1.1 response.setHeader("Pragma", "no-cache"); // HTTP/1.0
[ofbiz-framework] 02/02: Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 4bab66e5016c1dd758127bb9d5b5a4e136d03773 Author: Jacques Le Roux AuthorDate: Wed Jun 9 10:57:51 2021 +0200 Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249) When trying to add a note to WorkEffort entity, I found that URL encoded characters are unescaped, which is not expected. e.g.: 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01 2. Add a note with content: https://example.com/a%20link 3. After submission, it will turned to be: https://example.com/a link Thanks: Xin Wang for report and exchanges until solution I provided --- .../java/org/apache/ofbiz/base/util/UtilHttp.java | 53 +- .../org/apache/ofbiz/base/util/UtilValidate.java | 13 ++ 2 files changed, 65 insertions(+), 1 deletion(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java index addcca8..6f040b4 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java @@ -42,6 +42,7 @@ import java.nio.ByteBuffer; import java.nio.charset.Charset; import java.sql.Timestamp; import java.time.LocalDateTime; +import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.Collections; @@ -60,6 +61,8 @@ import java.util.StringTokenizer; import java.util.TimeZone; import java.util.function.Function; import java.util.function.Predicate; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -401,7 +404,30 @@ public final class UtilHttp { public static Map canonicalizeParameterMap(Map paramMap) { for (Map.Entry paramEntry : paramMap.entrySet()) { if (paramEntry.getValue() instanceof String) { -paramEntry.setValue(canonicalizeParameter((String) paramEntry.getValue())); +String paramEntries = (String) paramEntry.getValue(); +String[] stringValues = paramEntries.split(" "); +String params = ""; +// Handles textareas, see OFBIZ-12249 +if (stringValues.length > 0) { +for (String s : stringValues) { +// if the string contains only an URL beginning by http or ftp => no change to keep special chars +if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 4 || s.indexOf("://") == 3)) { +params = params + s + " " ; +} else if (UtilValidate.isUrl(s) && !s.isEmpty()) { +// if the string contains not only an URL => concatenate possible canonicalized before and after, w/o changing the URL +String url = extractUrls(s).get(0); // THere should be only 1 URL in a block, makes no sense else +int start = s.indexOf(url); +String after = (String) s.subSequence(start + url.length(), s.length()); +params = params + canonicalizeParameter((String) s.subSequence(0, start)) + url + canonicalizeParameter(after) + " "; +} else { +// Simple string to canonicalize +params = params + canonicalizeParameter(s) + " "; +} +} +paramEntry.setValue(params.trim()); +} else { +paramEntry.setValue(canonicalizeParameter(paramEntries)); +} } else if (paramEntry.getValue() instanceof Collection) { List newList = new LinkedList<>(); for (String listEntry : UtilGenerics.>cast(paramEntry.getValue())) { @@ -1692,4 +1718,29 @@ public final class UtilHttp { public static String getRowSubmitPrefix() { return ROW_SUBMIT_PREFIX; } + +// From https://stackoverflow.com/questions/1806017/extracting-urls-from-a-text-document-using-java-regular-expressions/1806161#answer-1806161 +// If you need more Internet top-level domains: https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains +public static List extractUrls(String input) { +List result = new ArrayList(); + +Pattern pattern = Pattern.compile( +"\\b(((ht|f)tp(s?)\\:\\/\\/|~\\/|\\/)|www.)" + +"(\\w+:\\w+@)?(([-\\w]+\\.)+(com|org|net|gov" + +"|mil|biz|info|mobi|name|aero|jobs|museum" + +
[ofbiz-framework] branch trunk updated (fe845e6 -> 4bab66e)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git. from fe845e6 Fixed: Show WorkEffort names in FindWorkEffort page (OFBIZ-12253) new a99cbb5 Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. new 4bab66e Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249) The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../java/org/apache/ofbiz/base/util/UtilHttp.java | 53 +- .../org/apache/ofbiz/base/util/UtilValidate.java | 13 ++ .../template/macro/HtmlFormMacroLibrary.ftl| 4 +- 3 files changed, 67 insertions(+), 3 deletions(-)
[ofbiz-framework] 02/02: Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit f0ee9218736fa98176d1712f62178b7359ccd6ab Author: Jacques Le Roux AuthorDate: Wed Jun 9 10:57:51 2021 +0200 Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249) When trying to add a note to WorkEffort entity, I found that URL encoded characters are unescaped, which is not expected. e.g.: 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01 2. Add a note with content: https://example.com/a%20link 3. After submission, it will turned to be: https://example.com/a link Thanks: Xin Wang for report and exchanges until solution I provided Conflicts: UtilHttp.java: removes unused OOTB checkURLforSpiders for simplification removes number of cases in setResponseBrowserDefaultSecurityHeaders not present in R17 --- .../java/org/apache/ofbiz/base/util/UtilHttp.java | 122 + .../org/apache/ofbiz/base/util/UtilValidate.java | 15 ++- 2 files changed, 68 insertions(+), 69 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java index d489375..bee720f 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java @@ -76,10 +76,6 @@ import org.apache.ofbiz.webapp.control.ConfigXMLReader; import org.apache.ofbiz.webapp.control.SameSiteFilter; import org.apache.ofbiz.webapp.event.FileUploadProgressListener; import org.apache.ofbiz.widget.renderer.VisualTheme; -import org.apache.oro.text.regex.MalformedPatternException; -import org.apache.oro.text.regex.Pattern; -import org.apache.oro.text.regex.PatternMatcher; -import org.apache.oro.text.regex.Perl5Matcher; import com.ibm.icu.util.Calendar; @@ -403,7 +399,30 @@ public final class UtilHttp { public static Map canonicalizeParameterMap(Map paramMap) { for (Map.Entry paramEntry: paramMap.entrySet()) { if (paramEntry.getValue() instanceof String) { -paramEntry.setValue(canonicalizeParameter((String) paramEntry.getValue())); +String paramEntries = (String) paramEntry.getValue(); +String[] stringValues = paramEntries.split(" "); +String params = ""; +// Handles textareas, see OFBIZ-12249 +if (stringValues.length > 0) { +for (String s : stringValues) { +// if the string contains only an URL beginning by http or ftp => no change to keep special chars +if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 4 || s.indexOf("://") == 3)) { +params = params + s + " " ; +} else if (UtilValidate.isUrl(s) && !s.isEmpty()) { +// if the string contains not only an URL => concatenate possible canonicalized before and after, w/o changing the URL +String url = extractUrls(s).get(0); // THere should be only 1 URL in a block, makes no sense else +int start = s.indexOf(url); +String after = (String) s.subSequence(start + url.length(), s.length()); +params = params + canonicalizeParameter((String) s.subSequence(0, start)) + url + canonicalizeParameter(after) + " "; +} else { +// Simple string to canonicalize +params = params + canonicalizeParameter(s) + " "; +} +} +paramEntry.setValue(params.trim()); +} else { +paramEntry.setValue(canonicalizeParameter(paramEntries)); +} } else if (paramEntry.getValue() instanceof Collection) { List newList = new LinkedList<>(); for (String listEntry: UtilGenerics.checkCollection(paramEntry.getValue())) { @@ -1138,7 +1157,7 @@ public final class UtilHttp { response.addHeader("Cache-Control", "post-check=0, pre-check=0, false"); response.setHeader("Pragma", "no-cache"); // HTTP/1.0 } - + public static void setResponseBrowserDefaultSecurityHeaders(HttpServletResponse resp, ConfigXMLReader.ViewMap viewMap) { // See https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers for details and how to test String xFrameOption = null; @@ -1167,31 +1186,15 @@ public final class UtilHttp { resp.addHeader("strict-transport-security", "max-age=31536000;
[ofbiz-framework] branch release18.12 updated (bbb25da -> bb254ca)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a change to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git. from bbb25da Fixed: Show WorkEffort names in FindWorkEffort page (OFBIZ-12253) new 0c5fc36 Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. new bb254ca Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249) The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../java/org/apache/ofbiz/base/util/UtilHttp.java | 130 +++-- .../org/apache/ofbiz/base/util/UtilValidate.java | 15 ++- .../template/macro/HtmlFormMacroLibrary.ftl| 4 +- 3 files changed, 84 insertions(+), 65 deletions(-)
[ofbiz-framework] branch release17.12 updated (858cd36 -> f0ee921)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a change to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git. from 858cd36 Fixed: Show WorkEffort names in FindWorkEffort page (OFBIZ-12253) new 725c854 Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. new f0ee921 Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249) The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../java/org/apache/ofbiz/base/util/UtilHttp.java | 122 + .../org/apache/ofbiz/base/util/UtilValidate.java | 15 ++- .../common/template/macro/HtmlFormMacroLibrary.ftl | 4 +- 3 files changed, 70 insertions(+), 71 deletions(-)
[ofbiz-framework] 01/02: Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomp
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 0c5fc36b594fe99a82a8236b06bdda9883367606 Author: Jacques Le Roux AuthorDate: Wed Jun 9 10:51:34 2021 +0200 Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping. Steps to reproduce: 1. Turn off `sanitizer.enable` in owasp.properties 2. Create a WorkEffort entity with name as `alert(1)` 3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort 4. Search for "Work Effort Name" which contains "script" Thanks: Xin Wang --- themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl index 0923033..b391727 100644 --- a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl +++ b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl @@ -710,7 +710,7 @@ Parameter: delegatorName, String, optional - name of the delegator in context. data-dialog-url="${linkUrl}" <#if text?has_content>data-dialog-title="${text}" <#if linkStyle?has_content>class="${linkStyle}"> -<#if description?has_content>${description} +<#if description?has_content>${description?html} <#else> class="${linkStyle}" href="${linkUrl}"<#if targetWindow?has_content> target="${targetWindow}" @@ -718,6 +718,6 @@ Parameter: delegatorName, String, optional - name of the delegator in context. <#if confirmation?has_content> data-confirm-message="${confirmation}" <#if id?has_content> id="${id}" <#if imgSrc?length == 0 && title?has_content> title="${title}"> - <#if imgSrc?has_content>${description} + <#if imgSrc?has_content>${description?html}