Depending on what you mean by "countermeasures" that may be exactly
what you're looking for.
The idea is that with FTL files ALL String variables are HTML encoded
in order to avoid XSS problems (like you mentioned) and also to avoid
misinterpreted output.
When a variable is meant to have HTML in it and you don't want it
encoded (not the default, but certainly acceptable in some cases) then
you should use the StringUtil.wrapString() call, like in the example
you've probably found:
<div>${StringUtil.wrapString(productPromo.promoText?if_exists)}</div>
What would be nice is if there was some more obvious way to do this,
like if FTL had a built-in to tell it NOT to do HTML encoding that we
could override to do this same thing (i.e. like promoText?no_html), but
there's only so much we can do with it.
-David
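To make the encode-by-default / opt-out-by-wrapping design in David's reply concrete, here is a small stand-alone model of it. This is an added example, not OFBiz or FreeMarker code: `SafeHtml` and `wrap_string()` play the role of the wrapper type that `StringUtil.wrapString()` returns, `render()` is a toy `${name}` expander that encodes every plain string it emits and only supports flat names plus the `?if_exists` suffix, and the promo text and visitor comment are constructed sample values. It also shows the caveat a practitioner wants to see: wrapping a value that came from a visitor reopens the XSS hole the encoding was meant to close.

```python
import html
import re
from dataclasses import dataclass
from typing import Any, Mapping


@dataclass(frozen=True)
class SafeHtml:
    """Marker type for a string that is trusted to contain HTML.

    The renderer below encodes every plain str it emits; the only way to get
    raw markup into the output is to hand it a SafeHtml. This is the role
    StringUtil.wrapString() plays in the OFBiz setup described above
    (assumed analogy; this class is not part of OFBiz).
    """
    value: str


def wrap_string(s: str) -> SafeHtml:
    """Stand-in for StringUtil.wrapString(): opt one value out of encoding."""
    return SafeHtml(s)


def render_value(v: Any) -> str:
    """Encode everything except explicitly wrapped values."""
    if isinstance(v, SafeHtml):
        return v.value
    if v is None:
        return ""  # what ?if_exists yields for a missing value
    return html.escape(str(v), quote=True)


_PLACEHOLDER = re.compile(r"\$\{(\w+)(\?if_exists)?\}")


def render(template: str, context: Mapping[str, Any]) -> str:
    """Expand ${name} and ${name?if_exists} with encoding on by default.

    A missing name without ?if_exists is an error, as FreeMarker treats it.
    """
    def expand(m):
        name, if_exists = m.group(1), m.group(2)
        if name not in context and not if_exists:
            raise KeyError(f"template variable {name!r} is not defined")
        return render_value(context.get(name))
    return _PLACEHOLDER.sub(expand, template)


# Constructed sample data: one value the site owner authored as HTML, one
# value that came from an untrusted visitor.
PROMO_HTML = "<b>Big Al's</b> summer sale"
VISITOR_COMMENT = "nice post <script>alert(document.cookie)</script>"


def demo() -> dict:
    tmpl = "<div>${promoText?if_exists}</div><p>${comment}</p>"
    # Default: both values are encoded, so the owner's <b> shows up literally
    # (Judd's symptom) and the visitor's <script> is neutralised.
    escaped_all = render(tmpl, {"promoText": PROMO_HTML,
                                "comment": VISITOR_COMMENT})
    # Fix: wrap only the value that is meant to carry HTML.
    promo_raw = render(tmpl, {"promoText": wrap_string(PROMO_HTML),
                              "comment": VISITOR_COMMENT})
    # Mistake: wrapping the visitor's text ships the script tag to the browser.
    unsafe = render(tmpl, {"promoText": wrap_string(PROMO_HTML),
                           "comment": wrap_string(VISITOR_COMMENT)})
    # ?if_exists on an absent value renders as an empty string, not an error.
    missing = render("<div>${promoText?if_exists}</div>", {})
    return {"escaped_all": escaped_all, "promo_raw": promo_raw,
            "unsafe": unsafe, "missing": missing}


if __name__ == "__main__":
    for label, out in demo().items():
        print(f"{label}: {out}")
```

The rule this illustrates is the one David describes: the safe path is the default and needs no action from the template author, while the unsafe path has to be requested per value, which makes every `wrapString()` call a visible place to ask "where did this string come from?" during review.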
On Jun 10, 2009, at 8:06 PM, juddco wrote:
WARNING: I am a newbie, so some of this may seem pretty disjointed.
I've been going through the "Apache OFBiz Development: The Beginners Tutorial" book. I know that my first problem was that the book is written for the release 4.0, and I'm working in 9.04. I thought resolving the discrepancies would be a valuable part of my education.
Here's the problem I'm dealing with: My HTML tags are showing up when they shouldn't be. I'm smart enough to figure out that this relates to the XSS countermeasures that you guys are rolling out. I've been searching the forums, but all I find for guidance is a bunch of threads about how to suppress the countermeasures (I'll admit that I probably don't have the vocabulary to search intelligently). I don't want to do that; I just want to figure out how to make it work the way you've designed it.
Can someone PLEASE walk me through a real-world example? I went into the OOTB code looking for a model and found that the blog capability in the ecommerce app hasn't been retrofitted yet - the HTML tags are showing up in "Big Al's" blog just like they do in my practice app.
I'm asking for one of two things: Please either tell me the steps I would take to fix Big Al's blog or direct me to a comparable file where I can do a side-by-side comparison of new world (literals escaped) vs. old world (Big Al).
Thank you very much in advance for any help you can provide.
Judd
--
View this message in context:
http://www.nabble.com/XSS-Exploit-Countermeasures---Escaping-Characters-tp23974171p23974171.html
Sent from the OFBiz - User mailing list archive at Nabble.com.