In the ftl I use
${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}

Does this process get passed through some class that I can change and
send a patch for? Then all properties could embed HTML.

Jacques Le Roux wrote:
> As David explains below you have to embed the String you create (I
> suppose reading the property) into a StringBuilder
>
> Jacques
>
> From: "Stephen Rufle" <[email protected]>
>> I think I have a related issue to this. I have .properties files with
>> table headings in them. I used to be able to put a br tag <br> in the
>> content of my labels to break two words.
>>
>> ex.
>> "Cust.<br>Order# "
>> would turn into
>> "
>> Cust.
>> Order#
>> "
>> on my display, now it sends it literally. How do I get the old behavior
>> back?
>>
>> David E Jones wrote:
>>>
>>> Have you been following the discussion on the mailing lists about the
>>> XSS/etc prevention efforts?
>>>
>>> As a general practice when you run into things like this you can
>>> usually find your answer pretty quickly by looking at commit logs, and
>>> by looking at code in OOTB OFBiz that does something similar to what
>>> you are trying to do. In this case, for example looking at the
>>> productdetail screen and the groovy and ftl files that it uses will
>>> give you an example of how to handle this now.
>>>
>>> The important thing to know is that now all String objects are
>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>> it, just use anything other than a String object. The normal way to do
>>> this is to create your script dynamically using a StringBuilder, and
>>> then just leave it as a StringBuilder instead of calling toString() on
>>> it before putting it in the context. Then it won't get HTML encoded...
>>>
>>> On a side note, I know that the OOTB code isn't the best example of
>>> this, but usually it is best to generate your JavaScript in the FTL
>>> file. If you are dynamically generating any sort of text a template
>>> file is usually the best tool to use and results in the cleanest and
>>> easiest to maintain code.
>>>
>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>>> the decision to do this general encoding is to encourage the practice
>>> of using templates for what they are meant to be used for.
>>>
>>> Best of luck,
>>> -David
>>>
>>>
>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>
>>>> A precision :
>>>>
>>>> *** Error comes from Groovy
>>>> Because I have the problem only with generated Javascript script with
>>>> Groovy.
>>>>
>>>> An idea ?
>>>>
>>>> Thanks
>>>>
>>>> Eric
>>>> ----- Original Message ----- From: "Eric DE MAULDE" <[email protected]>
>>>> To: <[email protected]>
>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I updated my working copy
>>>>
>>>> *** Now all JavaScript is parsed to HTML (and appears on screen, just
>>>> for my own application, Ecommerce is OK)
>>>> Script tags are ok.
>>>> Ex. in source :
>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>> Do you know where I can configure Freemarker ?
>>>>
>>>> In HTML head tag, some chars are parsed too.
>>>>
>>>> Eric
>>>
>>>
>>>
>>
>> -- 
>> Stephen P Rufle
>> [email protected]
>> H1:480-626-8022
>> H2:480-802-7173
>> Yahoo IM: stephen_rufle
>> AOL IM: stephen1rufle
>>
>
>
>

-- 
Stephen P Rufle
[email protected]
H1:480-626-8022
H2:480-802-7173
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle
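
The behaviour David describes in the quoted reply, as an added example that is not part of the thread and is not OFBiz code: a stand-in context wrapper that HTML-encodes `String` values on read and returns a `StringBuilder` untouched. `EncodingContext` and `encodeHtml` are hypothetical names, the hand-written encoder stands in for ESAPI, and the sample strings are constructed. It also shows why the `StringBuilder` route should carry only trusted markup, with any dynamic data encoded before it is appended.

```java
import java.util.HashMap;
import java.util.Map;

public class AutoEncodeDemo {
    // Minimal HTML encoder standing in for the ESAPI encoder named in the thread.
    static String encodeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical context wrapper: String values are encoded on read,
    // every other type (StringBuilder included) is returned untouched.
    static class EncodingContext {
        private final Map<String, Object> values = new HashMap<>();
        void put(String key, Object value) { values.put(key, value); }
        Object get(String key) {
            Object v = values.get(key);
            return (v instanceof String) ? encodeHtml((String) v) : v;
        }
    }

    public static void main(String[] args) {
        EncodingContext ctx = new EncodingContext();
        String untrusted = "<script>alert(1)</script>"; // constructed sample input

        // Label from a .properties file, placed in the context as a String: encoded.
        ctx.put("labelAsString", "Cust.<br>Order#");
        // Same trusted markup held in a StringBuilder: passes through raw.
        ctx.put("labelAsBuilder", new StringBuilder("Cust.<br>Order#"));
        // Bypass used carelessly: untrusted data appended without encoding.
        ctx.put("unsafe", new StringBuilder("Cust.<br>").append(untrusted));
        // Bypass used safely: only the dynamic part is encoded before appending.
        ctx.put("safe", new StringBuilder("Cust.<br>").append(encodeHtml(untrusted)));

        for (String k : new String[] {"labelAsString", "labelAsBuilder", "unsafe", "safe"}) {
            System.out.println(k + " -> " + ctx.get(k));
        }
    }
}
```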
