ofbiz-user mailing list archives

From "Jacques Le Roux" <jacques.le.r...@les7arts.com>
Subject Re: Javascript is parsed to HTML (Freemarker ?)
Date Wed, 04 Mar 2009 20:15:18 GMT
1st thing: OFBiz trunk no longer uses .properties files but .xml files
2nd thing: we don't allow HTML in labels (actually there are still some, but eventually there should be none,
apart from some special cases like the
famous CommonEmpty)

I think you will have to create a specific worker for that, i.e. no longer render your strings directly
but use something like Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}")
renderUiLabelMap returns a StringBuilder embedding the original String.
I can't see any other means; maybe there are, and someone will suggest something easier to you.


From: "Stephen Rufle" <srufle@salmonllc.com>
> In the ftl I use
> Does this process get passed through some class that I can change and
> send a patch for? Then all properties could embed HTML
> Jacques Le Roux wrote:
>> As David explains below you have to embed the String you create (I
>> suppose reading the property) into a StringBuilder
>> Jacques
>> From: "Stephen Rufle" <srufle@salmonllc.com>
>>> I think I have a related issue to this. I have .properties files with
>>> table headings in them. I used to be able to put a br tag <br> in the
>>> content of my labels to break two words.
>>> ex.
>>> "Cust.<br>Order# "
>>> would turn into
>>> "
>>> Cust.
>>> Order#
>>> "
>>> on my display, now it sends it literally. How do I get the old behavior
>>> back?
>>> David E Jones wrote:
>>>> Have you been following the discussion on the mailing lists about the
>>>> XSS/etc prevention efforts?
>>>> As a general practice when you run into things like this you can
>>>> usually find your answer pretty quickly by looking at commit logs, and
>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>> you are trying to do. In this case, for example, looking at the
>>>> productdetail screen and the groovy and ftl files that it uses will
>>>> give you an example of how to handle this now.
>>>> The important thing to know is that now all String objects are
>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>> it, just use anything other than a String object. The normal way to do
>>>> this is to create your script dynamically using a StringBuilder, and
>>>> then just leave it as a StringBuilder instead of calling toString() on
>>>> it before putting it in the context. Then it won't get HTML encoded...
>>>> On a side note, I know that the OOTB code isn't the best example of
>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>> file. If you are dynamically generating any sort of text a template
>>>> file is usually the best tool to use and results in the cleanest and
>>>> easiest to maintain code.
>>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>>>> the decision to do this general encoding is to encourage the practice
>>>> of using templates for what they are meant to be used for.
>>>> Best of luck,
>>>> -David
>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>> A clarification:
>>>>> *** The error comes from Groovy
>>>>> Because I have the problem only with JavaScript scripts generated with
>>>>> Groovy.
>>>>> Any idea?
>>>>> Thanks
>>>>> Eric
>>>>> ----- Original Message ----- From: "Eric DE MAULDE" <ericjob@free.fr>
>>>>> To: <user@ofbiz.apache.org>
>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>> Hi,
>>>>> I updated my working copy
>>>>> *** Now all JavaScript is parsed to HTML (and appears on screen, just
>>>>> for my own application, Ecommerce is OK)
>>>>> Script tags are OK.
>>>>> Ex. in source:
>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>> Do you know where I can configure Freemarker ?
>>>>> In HTML head tag, some chars are parsed too.
>>>>> Eric
>>> -- 
>>> Stephen P Rufle
>>> srufle@salmonllc.com
>>> H1:480-626-8022
>>> H2:480-802-7173
>>> Yahoo IM: stephen_rufle
>>> AOL IM: stephen1rufle

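The encode-by-type policy David describes (every String placed in the screen context is HTML-encoded on render, while a StringBuilder passes through untouched), as an added Java example rather than OFBiz's own code; ContextEncodingDemo, htmlEncode, render and trustedMarkup are names assumed here, and htmlEncode stands in for the OWASP ESAPI encoder the real renderer calls.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not OFBiz code): models the screen-context policy from the
// thread. Every java.lang.String in the context is HTML-encoded on render;
// any other object, such as a StringBuilder, is emitted verbatim. htmlEncode
// is a minimal stand-in for the OWASP ESAPI encoder OFBiz actually uses.
public class ContextEncodingDemo {
    // Encode the five characters that can change HTML structure.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Render one context value: Strings are encoded, everything else passes through.
    static String render(Object value) {
        if (value instanceof String) {
            return htmlEncode((String) value);
        }
        return String.valueOf(value);
    }

    // The opt-out the thread recommends. Reserve it for markup you authored
    // (a label file); a StringBuilder around request data re-enables XSS.
    static StringBuilder trustedMarkup(String markupYouWrote) {
        return new StringBuilder(markupYouWrote);
    }

    public static void main(String[] args) {
        Map<String, Object> context = new LinkedHashMap<>();
        context.put("header", "Cust.<br>Order#");                   // String: the <br> is escaped
        context.put("headerRaw", trustedMarkup("Cust.<br>Order#")); // StringBuilder: the <br> renders
        context.put("search", "<b>constructed user input</b>");     // String: stays inert
        for (Map.Entry<String, Object> e : context.entrySet()) {
            System.out.println(e.getKey() + " => " + render(e.getValue()));
        }
    }
}
```

The protection lives in the instanceof check, not in the encoder: anything that is not a String bypasses it, so the opt-out must only ever wrap markup the developer wrote, never a value taken from the request.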