Hi,
Currently I'm planning to customize "StringUtil.java" with the following
modification for our system to render HTML screens.
Please let me know if this is not the right place to customize.
===========
public static class HtmlEncoder implements SimpleEncoder {
    // Read once at class init: html.encode.on=Y in general.properties turns output encoding on
    boolean encodeEnabled =
        UtilProperties.propertyValueEqualsIgnoreCase("general.properties", "html.encode.on", "Y");

    public String encode(String original) {
        if (encodeEnabled) {
            return StringUtil.defaultWebEncoder.encodeForHTML(original);
        }
        // Encoding disabled: warn on every call and pass the value through unchanged
        Debug.logWarning("**** HTML encoding turned off! To enable encoding set "
                + "'html.encode.on' to 'Y' in 'general.properties'", module);
        return original;
    }
}
===========
Regards,
Rajib
On Wed, May 20, 2009 at 9:57 AM, Rajib Khan <[email protected]> wrote:
> Hi David and Jacques,
>
> Thanks for the clarification. As our system has historical data (more than
> 3 years) which contains html syntax, it would be really helpful for us if
> someone can point us to the central point where the encoding is done in
> OFBiz. In that case for our system we can customize the rendering based on
> some sort of configuration.
>
> Regards,
> Rajib
>
> On Wed, May 20, 2009 at 2:49 AM, Jacques Le Roux <
> [email protected]> wrote:
>
>> Thanks for confirmation David,
>>
>>
>> Jacques
>>
>> From: "David E Jones" <[email protected]>
>>
>>>
>>> Many parts of the content component are a different issue than what
>>> Rajib was asking about. Some of that is meant to be web-oriented content,
>>> which is why many of the comment services have allow-html set to safe, and
>>> why much of the content output is encoded using the StringUtil.wrapString
>>> expression I mentioned below, or doing the same string wrapper in a
>>> renderer class or something. Any of the content output stuff that isn't
>>> doing that simply needs to be fixed.
>>>
>>> -David
>>>
>>>
>>> On May 19, 2009, at 9:21 AM, Jacques Le Roux wrote:
>>>
>>>> Actually the problem I reported earlier is not about note, where I
>>>> agree it should be secured by default, but in content component.
>>>> Have a look for instance at
>>>> https://localhost:8443/content/control/EditHtmlText?dataResourceId=CMSS_DEMO_HOME
>>>> BTW you can't access this page on demo server. I guess because of
>>>> security reasons.
>>>>
>>>> Sorry I have no time to dig in deeper...
>>>>
>>>> Jacques
>>>>
>>>>
>>>> From: "David E Jones" <[email protected]>
>>>>
>>>>> This is how it is supposed to behave. Most user-entered data coming
>>>>> from the database should not have HTML in it as it creates a security
>>>>> risk.
>>>>> HTML in text fields should definitely not be allowed by customers, and
>>>>> only in special circumstances by employees. IMO this note field is
>>>>> somewhat on the line, but by default in the project the output of it
>>>>> should stay encoded (the default) and the input should not allow html
>>>>> (the default). The reason I see that is that HTML is not normally needed
>>>>> in notes, and even in this case that Rajib mentions it appears to be a
>>>>> work-around for data that should really go somewhere else (and really does
>>>>> go somewhere else). Workarounds and hacks are fine if people choose to use
>>>>> the system that way, but it's nice to NOT have them go back into the
>>>>> project...
>>>>> There have been dozens of discussions about how to have the output not
>>>>> be encoded, and there are a few examples in different parts of the
>>>>> project, including in the "promotiondetails.ftl" file in the order
>>>>> component, with this expression in particular:
>>>>> ${StringUtil.wrapString(productPromo.promoText?if_exists)}
>>>>> -David
>>>>> On May 19, 2009, at 1:42 AM, Jacques Le Roux wrote:
>>>>>
>>>>>> Yes I saw also this issue while working with content. Could you
>>>>>> please open a Jira for that?
>>>>>> I think that I have also sent a msg about that last week or so, but
>>>>>> not sure...
>>>>>>
>>>>>> http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> From: "Rajib Khan" <[email protected]>
>>>>>>
>>>>>>> Hi,
>>>>>>> We are currently upgrading our system to release-0904. We noticed
>>>>>>> that ofbiz imposes security with HTML code input / output.
>>>>>>> *Input:* In our customized version of ofbiz we are using the
>>>>>>> "allow-html" parameter to accept "html" for a specific service attribute.
>>>>>>> This allowed us to store html data in the database.
>>>>>>> <service name="createNote" engine="java"
>>>>>>>     location="org.ofbiz.common.CommonServices" invoke="createNote">
>>>>>>>   ....
>>>>>>>   ....
>>>>>>>   <attribute name="note" type="String" mode="IN" allow-html="safe"/>
>>>>>>>   ...
>>>>>>> </service>
>>>>>>> *Output:* But we found that on the screen HTML data is rendered as an
>>>>>>> encoded string, which in turn displays all the HTML code.
>>>>>>> Example:
>>>>>>> ======
>>>>>>> code fragment in the ftl file:
>>>>>>> ...
>>>>>>> <td align="left" valign="top">
>>>>>>>   <div class="tabletext">${note.noteInfo?if_exists}</div>
>>>>>>> </td>
>>>>>>> ...
>>>>>>> display on the browser:
>>>>>>> ===============
>>>>>>> "Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd,
>>>>>>> Morwell VIC 3840, 3840, AUS <br><b>New address: </b>1"
>>>>>>> *Question:*
>>>>>>> How can the stored HTML data be rendered properly? Is there any
>>>>>>> configuration for rendering HTML data?
>>>>>>> Regards,
>>>>>>> Rajib
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
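The approach David recommends in this thread (keep output encoding on by default and opt individual, already-sanitized fields out with StringUtil.wrapString, rather than a global html.encode.on switch) as an added stand-alone Java example. This is not OFBiz code: TrustedHtml, encodeForHtml and render are stand-ins for wrapString's marker type, the ESAPI encodeForHTML call and the FreeMarker output step, and the note and comment values are constructed samples.

```java
/** Added example (not OFBiz code): encode by default, opt out per field. */
public class OutputEncodingDemo {

    /** Marker type: a value a developer has explicitly declared safe to emit raw. */
    static final class TrustedHtml {
        final String html;
        TrustedHtml(String html) { this.html = html; }
    }

    /** Minimal HTML entity encoding; stand-in for ESAPI's encodeForHTML. */
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Analogue of StringUtil.wrapString: opt this one value out of encoding. */
    static TrustedHtml wrapString(String sanitizedHtml) {
        return new TrustedHtml(sanitizedHtml);
    }

    /** Rendering rule: encode everything unless the value was explicitly wrapped. */
    static String render(Object value) {
        if (value instanceof TrustedHtml) {
            return ((TrustedHtml) value).html;
        }
        return encodeForHtml(String.valueOf(value));
    }

    public static void main(String[] args) {
        // Constructed samples: a note stored through allow-html="safe", and an untrusted field.
        String noteInfo = "Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd";
        String customerComment = "<script>alert(1)</script>";

        System.out.println(render(noteInfo));             // default: tags shown as literal text
        System.out.println(render(wrapString(noteInfo))); // opted out: <br><b> reach the browser as markup
        System.out.println(render(customerComment));      // never wrapped, so it stays encoded
    }
}
```

A global flag like html.encode.on would make the third line behave like the second for every field in the application; the per-field wrapper keeps the decision next to the one value whose input path actually sanitized it.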