Many parts of the content component are a different issue than what
Rajib was asking about. Some of that is meant to be web-oriented
content, which is why many of the comment services have allow-html set
to safe, and why much of the content output is encoded using the
StringUtil.wrapString expression I mentioned below, or doing the same
string wrapper in a renderer class or something. Any of the content
output stuff that isn't doing that simply needs to be fixed.
-David
On May 19, 2009, at 9:21 AM, Jacques Le Roux wrote:
Actually the problem I reported earlier is not about note, where I
agree it should be secured by default, but in content component.
Have a look for instance at
https://localhost:8443/content/control/EditHtmlText?dataResourceId=CMSS_DEMO_HOME
BTW you can't access this page on demo server. I guess because of
security reasons.
Sorry I have no time to dig in deeper...
Jacques
From: "David E Jones" <[email protected]>
This is how it is supposed to behave. Most user-entered data
coming from the database should not have HTML in it as it creates
a security risk.
HTML in text fields should definitely not be allowed by customers,
and only in special circumstances by employees. IMO this note
field is somewhat on the line, but by default in the project the
output of it should stay encoded (the default) and the input
should not allow html (the default). The reason I see that is that
HTML is not normally needed in notes, and even in this case that
Rajib mentions it appears to be a work-around for data that should
really go somewhere else (and really does go somewhere else).
Workarounds and hacks are fine if people choose to use the system
that way, but it's nice to NOT have them go back into the project...
There have been dozens of discussions about how to have the output
not be encoded, and there are a few examples in different parts of
the project, including in the "promotiondetails.ftl" file in the
order component, with this expression in particular:
${StringUtil.wrapString(productPromo.promoText?if_exists)}
-David
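As an added illustration, not OFBiz code: a small Python model of the mechanism David describes, where a hypothetical RawHtml class plays the role of the wrapper returned by StringUtil.wrapString and a deliberately tiny allow-list stands in for the "safe" policy. It shows why template output is encoded by default and why the wrapper should only ever be applied to content that was already sanitized on input.

```python
import html
import re

# Constructed sample, taken from the note text quoted later in the thread.
NOTE = ("Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd, "
        "Morwell VIC 3840, 3840, AUS <br><b>New address: </b>1")

# Hypothetical allow-list for the "safe" policy: bare tags only, no attributes.
SAFE_TAGS = {"br", "b", "i", "p"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)(\s[^<>]*)?>")


class RawHtml:
    """Marker wrapper (role of OFBiz's StringWrapper): render() passes it through unencoded."""
    def __init__(self, value: str):
        self.value = value


def sanitize_safe(value: str) -> str:
    """Input-side filter for allow-html="safe": keep allow-listed tags that carry no
    attributes, HTML-encode every other tag and all text between tags."""
    out, pos = [], 0
    for m in TAG_RE.finditer(value):
        out.append(html.escape(value[pos:m.start()], quote=True))
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name in SAFE_TAGS and not attrs:
            out.append(f"<{closing}{name}>")
        else:
            out.append(html.escape(m.group(0), quote=True))  # unknown tag or has attributes
        pos = m.end()
    out.append(html.escape(value[pos:], quote=True))
    return "".join(out)


def render(value) -> str:
    """Output-side rule of the template layer: encode by default; only an explicit
    RawHtml (the wrapString equivalent) reaches the page as markup."""
    if isinstance(value, RawHtml):
        return value.value
    return html.escape(str(value), quote=True)


if __name__ == "__main__":
    print(render(NOTE))                          # what Rajib saw: tags shown as text
    print(render(RawHtml(sanitize_safe(NOTE))))  # sanitized on input, raw on output
```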
On May 19, 2009, at 1:42 AM, Jacques Le Roux wrote:
Yes I saw also this issue while working with content. Could you
please open a Jira for that ?
I think that I have also sent a msg about that last week or so,
but not sure...
http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices
Thanks
Jacques
From: "Rajib Khan" <[email protected]>
Hi,
We are currently upgrading our system to release-0904. We noticed that ofbiz imposes security with HTML code input / output.
*Input:* In our customized version of ofbiz we are using the "allow-html" parameter to accept "html" for a specific service attribute. This allowed us to store html data in the database.
<service name="createNote" engine="java"
         location="org.ofbiz.common.CommonServices"
         invoke="createNote">
    ....
    ....
    <attribute name="note" type="String" mode="IN" allow-html="safe"/>
    ...
</service>
*Output:* But we found that on the screen HTML data is rendered as an encoded string, which in turn displays all the HTML code.
Example:
======
code fragment in the ftl file:
...
<td align="left" valign="top">
    <div class="tabletext">${note.noteInfo?if_exists}</div>
</td>
...
display on the browser:
===============
"Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd, Morwell VIC 3840, 3840, AUS <br><b>New address: </b>1"
*Question:*
How can the stored HTML data be rendered properly? Is there any
configuration for rendering HTML data?
Regards,
Rajib