Hi David and Jacques,

Thanks for the clarification. As our system has historical data (more than 3 years) which contains html syntax, it would be really helpful for us if someone can point us to the central point where the encoding is done in OFBiz. In that case for our system we can customize the rendering based on some sort of configuration.

Regards,
Rajib

On Wed, May 20, 2009 at 2:49 AM, Jacques Le Roux <[email protected]> wrote:

> Thanks for confirmation David,
>
> Jacques
>
> From: "David E Jones" <[email protected]>
>
>> Many parts of the content component are a different issue than what Rajib
>> was asking about. Some of that is meant to be web-oriented content, which
>> is why many of the comment services have allow-html set to safe, and why
>> much of the content output is encoded using the StringUtil.wrapString
>> expression I mentioned below, or doing the same string wrapper in a
>> renderer class or something. Any of the content output stuff that isn't
>> doing that simply needs to be fixed.
>>
>> -David
>>
>> On May 19, 2009, at 9:21 AM, Jacques Le Roux wrote:
>>
>>> Actually the problem I reported earlier is not about note, where I agree
>>> it should be secured by default, but in content component.
>>> Have a look for instance at
>>> https://localhost:8443/content/control/EditHtmlText?dataResourceId=CMSS_DEMO_HOME
>>> BTW you can't access this page on demo server. I guess because of
>>> security reasons.
>>>
>>> Sorry I have no time to dig in deeper...
>>>
>>> Jacques
>>>
>>> From: "David E Jones" <[email protected]>
>>>
>>>> This is how it is supposed to behave. Most user-entered data coming
>>>> from the database should not have HTML in it as it creates a security
>>>> risk.
>>>> HTML in text fields should definitely not be allowed by customers, and
>>>> only in special circumstances by employees. IMO this note field is
>>>> somewhat on the line, but by default in the project the output of it
>>>> should stay encoded (the default) and the input should not allow html
>>>> (the default). The reason I see that is that HTML is not normally needed
>>>> in notes, and even in this case that Rajib mentions it appears to be a
>>>> work-around for data that should really go somewhere else (and really
>>>> does go somewhere else). Workarounds and hacks are fine if people choose
>>>> to use the system that way, but it's nice to NOT have them go back into
>>>> the project...
>>>> There have been dozens of discussions about how to have the output not
>>>> be encoded, and there are a few examples in different parts of the
>>>> project, including in the "promotiondetails.ftl" file in the order
>>>> component, with this expression in particular:
>>>>
>>>> ${StringUtil.wrapString(productPromo.promoText?if_exists)}
>>>>
>>>> -David
>>>>
>>>> On May 19, 2009, at 1:42 AM, Jacques Le Roux wrote:
>>>>
>>>>> Yes I saw also this issue while working with content. Could you
>>>>> please open a Jira for that?
>>>>> I think that I have also sent a msg about that last week or so, but
>>>>> not sure...
>>>>>
>>>>> http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices
>>>>>
>>>>> Thanks
>>>>>
>>>>> Jacques
>>>>>
>>>>> From: "Rajib Khan" <[email protected]>
>>>>>
>>>>>> Hi,
>>>>>> We are currently upgrading our system to release-0904. We noticed
>>>>>> that ofbiz imposes security with HTML code input / output.
>>>>>>
>>>>>> *Input:* In our customized version of ofbiz we are using "allow-html"
>>>>>> parameter to accept "html" for a specific service attribute.
>>>>>> This allowed us to store html data in the database.
>>>>>>
>>>>>> <service name="createNote" engine="java"
>>>>>>          location="org.ofbiz.common.CommonServices"
>>>>>>          invoke="createNote">
>>>>>>     ....
>>>>>>     ....
>>>>>>     <attribute name="note" type="String" mode="IN" allow-html="safe"/>
>>>>>>     ...
>>>>>> </service>
>>>>>>
>>>>>> *Output:* But we found that on the screen HTML data is rendered as an
>>>>>> encoded string and which in turn displays all the HTML code.
>>>>>>
>>>>>> Example:
>>>>>> ======
>>>>>> code fragment in the ftl file:
>>>>>>
>>>>>> ...
>>>>>> <td align="left" valign="top">
>>>>>>     <div class="tabletext">${note.noteInfo?if_exists}</div>
>>>>>> </td>
>>>>>> ...
>>>>>>
>>>>>> display on the browser:
>>>>>> ===============
>>>>>> "Shipping Destination Address:<br><b>Old address: </b>111 Commercial
>>>>>> Rd, Morwell VIC 3840, 3840, AUS <br><b>New address: </b>1"
>>>>>>
>>>>>> *Question:*
>>>>>> How can the stored HTML data be rendered properly? Is there any
>>>>>> configuration for rendering HTML data?
>>>>>>
>>>>>> Regards,
>>>>>> Rajib
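The pattern the thread describes, encode every value on output by default, sanitize on input when a field is declared `allow-html="safe"`, and opt a value out of output encoding only when it is wrapped explicitly (the role `StringUtil.wrapString` plays in the promotiondetails.ftl example), shown as an added, self-contained illustration. This is example code written for this page, not OFBiz's implementation: `PreRenderedHtml`, `render_value`, `accept_input`, `render_note_cell` and the tag allowlist are assumed analogues, and the sample note text is constructed from Rajib's example.

```python
import html
from html.parser import HTMLParser


class PreRenderedHtml(str):
    """Marker type: the rendering layer emits it without encoding.

    Assumed analogue of the effect of StringUtil.wrapString in an FTL
    template; the name and mechanism are this example's, not OFBiz's.
    """


def render_value(value) -> str:
    """Encode-by-default output: only values explicitly marked as
    pre-rendered HTML pass through unencoded."""
    if isinstance(value, PreRenderedHtml):
        return str(value)
    return html.escape(str(value), quote=True)


# Constructed allowlist standing in for a "safe" HTML policy; the real
# policy behind allow-html="safe" is defined by OFBiz, not reproduced here.
ALLOWED_TAGS = {"b", "i", "p", "br"}


class _SafeHtmlSanitizer(HTMLParser):
    """Allowlist sanitizer: keeps a few formatting tags, drops all attributes
    and any other tag (including script), and re-escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never kept

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is unescaped by the parser, so encode it again on the way out.
        self.out.append(html.escape(data, quote=True))


def sanitize_safe_html(raw: str) -> str:
    parser = _SafeHtmlSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def accept_input(value: str, allow_html: str = "none") -> str:
    """Input side, modelled on the allow-html attribute of a service
    parameter: "none" (the default) rejects markup, "safe" sanitizes,
    "any" stores the value untouched. The "none" check is a constructed
    simplification."""
    if allow_html == "any":
        return value
    if allow_html == "safe":
        return sanitize_safe_html(value)
    if allow_html == "none":
        if "<" in value or ">" in value:
            raise ValueError("HTML is not allowed in this field")
        return value
    raise ValueError(f"unknown allow-html policy: {allow_html!r}")


def is_accepted(value: str, allow_html: str = "none") -> bool:
    try:
        accept_input(value, allow_html)
        return True
    except ValueError:
        return False


def render_note_cell(note_info: str, html_field: bool = False) -> str:
    """Analogue of the ${note.noteInfo?if_exists} cell from the thread.
    html_field=True is the explicit opt-out, to be used only for a field
    whose input policy guarantees the stored value was sanitized."""
    value = PreRenderedHtml(note_info) if html_field else note_info
    return f'<div class="tabletext">{render_value(value)}</div>'


if __name__ == "__main__":
    # Constructed note, shaped like the one in Rajib's message.
    raw = "Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd"
    stored = accept_input(raw, "safe")
    print(render_note_cell(stored))                   # encoded: tags shown as text
    print(render_note_cell(stored, html_field=True))  # rendered as markup
```

The two `render_note_cell` calls reproduce what Rajib saw: the default path encodes the stored note, so the browser shows the literal `<br>` and `<b>` tags; the opt-out path renders them. The opt-out is only defensible because the same field was sanitized on input, which is why the thread ties the output choice to the `allow-html` setting of the service attribute rather than switching encoding off globally.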
