ofbiz-user mailing list archives

From Stephen Rufle <sru...@salmonllc.com>
Subject Re: Javascript is parsed to HTML (Freemarker ?)
Date Wed, 04 Mar 2009 17:28:52 GMT
I think I have a related issue to this. I have .properties files with
table headings in them. I used to be able to put a br tag <br> in the
content of my labels to break two words.

"Cust.<br>Order# "
would turn into
on my display, now it sends it literally. How do I get the old behavior?

David E Jones wrote:
> Have you been following the discussion on the mailing lists about the
> XSS/etc prevention efforts?
> As a general practice when you run into things like this you can
> usually find your answer pretty quickly by looking at commit logs, and
> by looking at code in OOTB OFBiz that does something similar to what
> you are trying to do. In this case, for example, looking at the
> productdetail screen and the groovy and ftl files that it uses will
> give you an example of how to handle this now.
> The important thing to know is that now all String objects are
> automatically HTML encoded (using the OWASP ESAPI library). To avoid
> it, just use anything other than a String object. The normal way to do
> this is to create your script dynamically using a StringBuilder, and
> then just leave it as a StringBuilder instead of calling toString() on
> it before putting it in the context. Then it won't get HTML encoded...
> On a side note, I know that the OOTB code isn't the best example of
> this, but usually it is best to generate your JavaScript in the FTL
> file. If you are dynamically generating any sort of text a template
> file is usually the best tool to use and results in the cleanest and
> easiest to maintain code.
> And as a bonus, you'll avoid this encoding issue too. In fact, part of
> the decision to do this general encoding is to encourage the practice
> of using templates for what they are meant to be used for.
> Best of luck,
> -David
> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>> A precision:
>> *** Error comes from Groovy
>> Because I have the problem only with generated Javascript script with
>> Groovy.
>> An idea?
>> Thanks
>> Eric
>> ----- Original Message ----- From: "Eric DE MAULDE" <ericjob@free.fr>
>> To: <user@ofbiz.apache.org>
>> Sent: Monday, February 16, 2009 6:24 PM
>> Subject: Javascript is parsed to HTML (Freemarker ?)
>> Hi,
>> I updated my working copy
>> *** Now all JavaScript is parsed to HTML (and appears on screen, just
>> for my own application; Ecommerce is OK)
>> Script tags are ok.
>> Ex. in source:
>> &lt;script language&#61;&quot;JavaScript&quot;
>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>> Do you know where I can configure Freemarker?
>> In HTML head tag, some chars are parsed too.
>> Eric

Stephen P Rufle
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle
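The type-based rule David describes, as an added example that is not OFBiz or ESAPI code: a stand-in encoder (`encodeForHtml`, whose entity choices are assumed from the entities visible in Eric's pasted output) and a `render` step that encodes a context value only when it is a `String`, so Stephen's `<br>` label and Eric's Groovy-built script come out escaped while the same script left as a `StringBuilder` passes through.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not OFBiz or ESAPI code: models the rule David describes, in which
// String values in the screen context are HTML-encoded at render time while any
// other object is rendered via toString() untouched.
public class ContextEncodingDemo {

    // Stand-in for ESAPI's encodeForHTML (assumed behaviour, matching the entities seen
    // in Eric's output): letters, digits and ", . - _ space" pass through; < > & " become
    // named entities; every other character becomes a decimal numeric entity.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (Character.isLetterOrDigit(c) || ",.-_ ".indexOf(c) >= 0) out.append(c);
            else if (c == '<') out.append("&lt;");
            else if (c == '>') out.append("&gt;");
            else if (c == '&') out.append("&amp;");
            else if (c == '"') out.append("&quot;");
            else out.append("&#").append((int) c).append(';');
        }
        return out.toString();
    }

    // Render one context value the way the template layer now does: encode if and
    // only if the object is a String; anything else is emitted via toString() as-is.
    static String render(Object value) {
        return (value instanceof String) ? encodeForHtml((String) value) : String.valueOf(value);
    }

    public static void main(String[] args) {
        String js = "<script type=\"text/javascript\">var n = 1;</script>";
        Map<String, Object> context = new LinkedHashMap<>();
        // Stephen's label: a String, so the <br> shows up literally on screen.
        context.put("heading", "Cust.<br>Order# ");
        // Eric's Groovy-built script kept as a String: escaped into &lt;script ...
        context.put("scriptAsString", js);
        // David's workaround: leave it a StringBuilder and it passes through unencoded.
        // Only developer-authored markup belongs on this path, never request data.
        context.put("scriptAsBuilder", new StringBuilder(js));
        for (Map.Entry<String, Object> e : context.entrySet()) {
            System.out.println(e.getKey() + " => " + render(e.getValue()));
        }
    }
}
```

Running it prints the first two entries fully escaped and the third as live markup, which is exactly why the StringBuilder path must only ever carry content the developer wrote, not anything that came in on the request.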
