David,
Thanks for your explanation, and in general I agree with you. However, we
should make an exception based on the OFBiz field types. Any
'description' or 'name' type of field should have the default allow-html
set to safe in order to use the ">" and "<" characters.
Example in the Content entity:
<field name="contentName" type="name"></field>
<field name="description" type="description"></field>
or in the customer request entity:
<field name="custRequestName" type="name"></field>
<field name="description" type="description"></field>
My customers use these characters frequently.
Regards,
Hans
On Tue, 2009-05-19 at 09:40 -0600, David E Jones wrote:
> Many parts of the content component are a different issue than what
> Rajib was asking about. Some of that is meant to be web-oriented
> content, which is why many of the comment services have allow-html set
> to safe, and why much of the content output is encoded using the
> StringUtil.wrapString expression I mentioned below, or doing the same
> string wrapper in a renderer class or something. Any of the content
> output stuff that isn't doing that simply needs to be fixed.
>
> -David
>
>
> On May 19, 2009, at 9:21 AM, Jacques Le Roux wrote:
>
> > Actually the problem I reported earlier is not about note, where I
> > agree it should be secured by default, but in content component.
> > Have a look for instance at
> > https://localhost:8443/content/control/EditHtmlText?dataResourceId=CMSS_DEMO_HOME
> > BTW, you can't access this page on the demo server. I guess for
> > security reasons.
> >
> > Sorry, I have no time to dig in deeper...
> >
> > Jacques
> >
> >
> > From: "David E Jones" <[email protected]>
> >> This is how it is supposed to behave. Most user-entered data
> >> coming from the database should not have HTML in it as it creates
> >> a security risk.
> >> HTML in text fields should definitely not be allowed by customers,
> >> and only in special circumstances by employees. IMO this note
> >> field is somewhat on the line, but by default in the project the
> >> output of it should stay encoded (the default) and the input
> >> should not allow html (the default). The reason I see that is that
> >> HTML is not normally needed in notes, and even in this case that
> >> Rajib mentions it appears to be a work-around for data that should
> >> really go somewhere else (and really does go somewhere else).
> >> Workarounds and hacks are fine if people choose to use the system
> >> that way, but it's nice to NOT have them go back into the project...
> >> There have been dozens of discussions about how to have the output
> >> not be encoded, and there are a few examples in different parts of
> >> the project, including in the "promotiondetails.ftl" file in the
> >> order component, with this expression in particular:
> >> ${StringUtil.wrapString(productPromo.promoText?if_exists)}
> >> -David
> >> On May 19, 2009, at 1:42 AM, Jacques Le Roux wrote:
> >>> Yes, I saw this issue too while working with content. Could you
> >>> please open a Jira for that?
> >>> I think that I have also sent a msg about that last week or so,
> >>> but not sure...
> >>> http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices
> >>>
> >>> Thanks
> >>>
> >>> Jacques
> >>>
> >>> From: "Rajib Khan" <[email protected]>
> >>>> Hi,
> >>>> We are currently upgrading our system to release-0904. We
> >>>> noticed that OFBiz imposes security on HTML code input / output.
> >>>> *Input:* In our customized version of OFBiz we are using the
> >>>> "allow-html" parameter to accept HTML for a specific service
> >>>> attribute. This allowed us to store HTML data in the database.
> >>>> <service name="createNote" engine="java"
> >>>> location="org.ofbiz.common.CommonServices"
> >>>> invoke="createNote">
> >>>> ....
> >>>> ....
> >>>> <attribute name="note" type="String" mode="IN" allow-html="safe"/>
> >>>> ...
> >>>> </service>
> >>>> *Output:* But we found that on the screen the HTML data is
> >>>> rendered as an encoded string, which in turn displays all the
> >>>> HTML code.
> >>>> Example:
> >>>> ======
> >>>> code fragment in the ftl file:
> >>>> ...
> >>>> <td align="left" valign="top">
> >>>> <div class="tabletext">${note.noteInfo?if_exists}</div>
> >>>> </td>
> >>>> ...
> >>>> display in the browser:
> >>>> ===============
> >>>> "Shipping Destination Address:<br><b>Old address: </b>111
> >>>> Commercial Rd,
> >>>> Morwell VIC 3840, 3840, AUS <br><b>New address: </b>1"
> >>>> *Question:*
> >>>> How can the stored HTML data be rendered properly? Is there any
> >>>> configuration for rendering HTML data?
> >>>> Regards,
> >>>> Rajib
> >>>>
> >>>
> >>
> >
>
--
Antwebsystems.com: Quality OFBiz services for competitive rates
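The thread contrasts three input policies on a service attribute (allow-html "none", the default that rejects markup characters; "safe", an allowlist; "any", verbatim) with two output forms (the encoded default that showed Rajib his markup as text, and the unencoded ${StringUtil.wrapString(...)} expression David points to). The following is an added example, not OFBiz code: a small Python model of those policies, written in Python rather than OFBiz's Java so it runs stand-alone. The allowlist in ALLOWED_TAGS, the "none" rejection rule, the function names and the sample strings are all assumptions for illustration; the real OFBiz policy is not reproduced here.

```python
import html
from html.parser import HTMLParser

# Illustrative allowlist standing in for whatever the project's "safe"
# policy permits; not the real OFBiz policy (assumption).
ALLOWED_TAGS = {"b", "i", "br", "p"}


class _AllowlistSanitizer(HTMLParser):
    """Keeps only ALLOWED_TAGS, drops every attribute, and removes
    <script>/<style> elements together with their contents. Text is
    re-escaped so a stray '<' or '>' in a name cannot start a tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attrs (onclick, href, ...) dropped

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def check_input(value, allow_html="none"):
    """Model of the three allow-html values on a service attribute.
    'none' -> reject anything containing markup characters (the default);
    'safe' -> keep an allowlist of tags and strip the rest;
    'any'  -> store verbatim (never for customer-entered data)."""
    if allow_html == "none":
        if "<" in value or ">" in value:
            raise ValueError("markup characters not allowed with allow-html=none")
        return value
    if allow_html == "safe":
        parser = _AllowlistSanitizer()
        parser.feed(value)
        parser.close()
        return "".join(parser.out)
    if allow_html == "any":
        return value
    raise ValueError(f"unknown allow-html value: {allow_html}")


def render_encoded(stored):
    """Default screen output: the stored value is HTML-encoded, so any
    markup in it shows up literally (what Rajib saw in the browser)."""
    return html.escape(stored, quote=True)


def render_wrapped(stored):
    """Models ${StringUtil.wrapString(...)}: the value is emitted as-is.
    Only acceptable for values that went through the 'safe' input check."""
    return stored


if __name__ == "__main__":
    # Constructed sample inputs, not data from the thread's database.
    note = ('Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd'
            '<script>alert(1)</script><b onclick="steal()">New address: </b>Morwell')
    name = "Bracket <10mm> bolt"
    safe_note = check_input(note, "safe")
    print("stored (safe):   ", safe_note)
    print("encoded output:  ", render_encoded(safe_note))
    print("wrapped output:  ", render_wrapped(safe_note))
    print("name under safe: ", check_input(name, "safe"))
    try:
        check_input(name, "none")
    except ValueError as err:
        print("name under none: rejected:", err)
```

Run as a script it prints the sanitised note, its encoded form (the `&lt;br&gt;&lt;b&gt;...` text Rajib reported) and its wrapped form, then shows why Hans wants name fields on "safe": under the modelled "none" policy a product name containing `<10mm>` is rejected, while under "safe" the brackets survive as escaped text and render correctly through either output form. Pairing allow-html="any" with render_wrapped is the combination to avoid, since it carries a `<script>` element straight to the page.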