Hi,

We are currently upgrading our system to release-0904. We noticed that ofbiz
imposes security with HTML code input / output.

*Input:* In our customized version of ofbiz we are using "allow-html"
parameter to accept "html" for a specific service attribute.
This allowed us to store html data in the database.

<service name="createNote" engine="java"
             location="org.ofbiz.common.CommonServices" invoke="createNote">
....
....
<attribute name="note" type="String" mode="IN" allow-html="safe"/>
...
</service>

*Output:* But we found that on the screen the HTML data is rendered as an
encoded string, which in turn displays all the HTML code.
Example:
======
code fragment in the ftl file:
...
<td align="left" valign="top">
       <div class="tabletext">${note.noteInfo?if_exists}</div>
</td>
...
display on the browser:
===============
"Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd,
Morwell VIC 3840, 3840, AUS <br><b>New address: </b>1"

*Question:*
How can the stored HTML data be rendered properly?  Is there any
configuration for rendering HTML data?

Regards,
Rajib
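An added stand-alone illustration (not OFBiz code and not part of the original post) of the two halves of this problem: an allow-list filter on the input side, standing in for what an `allow-html="safe"` attribute is expected to do, and an output step that escapes by default and emits raw markup only for a field that passed that filter. The stored note value and the `SAFE_TAGS` list are constructed for the example.

```python
import html
import re

# Constructed sample: the note body as stored once the input-side "safe"
# filter has let bare formatting tags through (modelled on the post).
STORED_NOTE = (
    "Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd, "
    "Morwell VIC 3840, 3840, AUS <br><b>New address: </b>1"
)

# Tags a "safe" HTML field may contain, attribute-free only (assumed list).
SAFE_TAGS = {"b", "br", "i", "p"}
# Matches only bare tags; anything with attributes falls through to escaping.
_TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)\s*(/?)>")


def sanitize_safe_html(raw: str) -> str:
    """Input side: keep allow-listed bare tags, HTML-escape everything else."""
    out, pos = [], 0
    for m in _TAG_RE.finditer(raw):
        out.append(html.escape(raw[pos:m.start()]))  # text between tags
        closing, name, selfclose = m.groups()
        if name.lower() in SAFE_TAGS:
            out.append(f"<{closing}{name.lower()}{selfclose}>")
        else:
            out.append(html.escape(m.group(0)))  # unknown tag becomes visible text
        pos = m.end()
    out.append(html.escape(raw[pos:]))
    return "".join(out)


def render_field(value: str, allow_html: bool) -> str:
    """Output side: escape by default; emit raw only for a field that was
    sanitized on input. Escaping a sanitized field is what shows the tags."""
    return value if allow_html else html.escape(value)


def shows_literal_tags(rendered: str) -> bool:
    """True when the browser would display '<br>' etc. as text (the symptom)."""
    return "&lt;" in rendered


if __name__ == "__main__":
    print(render_field(STORED_NOTE, allow_html=False))  # symptom from the post
    print(render_field(STORED_NOTE, allow_html=True))   # formatted output
```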
