ofbiz-user mailing list archives

From Stephen Rufle <sru...@salmonllc.com>
Subject Re: Javascript is parsed to HTML (Freemarker ?)
Date Wed, 04 Mar 2009 17:28:52 GMT
I think I have a related issue to this. I have .properties files with
table headings in them. I used to be able to put a br tag <br> in the
content of my labels to break two words.

ex.
"Cust.<br>Order# "
would turn into
"
Cust.
Order#
"
on my display, now it sends it literally. How do I get the old behavior
back?

David E Jones wrote:
>
> Have you been following the discussion on the mailing lists about the
> XSS/etc prevention efforts?
>
> As a general practice when you run into things like this you can
> usually find your answer pretty quickly by looking at commit logs, and
> by looking at code in OOTB OFBiz that does something similar to what
> you are trying to do. In this case, for example, looking at the
> productdetail screen and the groovy and ftl files that it uses will
> give you an example of how to handle this now.
>
> The important thing to know is that now all String objects are
> automatically HTML encoded (using the OWASP ESAPI library). To avoid
> it, just use anything other than a String object. The normal way to do
> this is to create your script dynamically using a StringBuilder, and
> then just leave it as a StringBuilder instead of calling toString() on
> it before putting it in the context. Then it won't get HTML encoded...
>
> On a side note, I know that the OOTB code isn't the best example of
> this, but usually it is best to generate your JavaScript in the FTL
> file. If you are dynamically generating any sort of text a template
> file is usually the best tool to use and results in the cleanest and
> easiest to maintain code.
>
> And as a bonus, you'll avoid this encoding issue too. In fact, part of
> the decision to do this general encoding is to encourage the practice
> of using templates for what they are meant to be used for.
>
> Best of luck,
> -David
>
>
> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>
>> A precision:
>>
>> *** Error comes from Groovy
>> Because I have the problem only with generated Javascript script with
>> Groovy.
>>
>> An idea?
>>
>> Thanks
>>
>> Eric
>> ----- Original Message ----- From: "Eric DE MAULDE" <ericjob@free.fr>
>> To: <user@ofbiz.apache.org>
>> Sent: Monday, February 16, 2009 6:24 PM
>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>
>>
>> Hi,
>>
>> I updated my working copy
>>
>> *** Now all JavaScript is parsed to HTML (and appears on screen, just
>> for my own application, Ecommerce is OK)
>> Script tags are ok.
>> Ex. in source :
>> &lt;script language&#61;&quot;JavaScript&quot;
>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>> Do you know where I can configure Freemarker?
>>
>> In HTML head tag, some chars are parsed too.
>>
>> Eric
>
>
>

-- 
Stephen P Rufle
srufle@salmonllc.com
H1:480-626-8022
H2:480-802-7173
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle

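The behaviour David describes (every String pulled out of the template context is HTML-encoded, any other object type is passed through untouched) can be modelled in a few lines. The example below is added here for illustration; it is not OFBiz or ESAPI code. `EncodingContext`, `encodeForHtml` and the sample values are assumptions: the encoder is a deliberately simplified stand-in for ESAPI's `Encoder.encodeForHTML()`, and the context class only mimics the "encode Strings, leave everything else alone" rule, not OFBiz's real wrapper.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not OFBiz code: models "all String objects are
// automatically HTML encoded; anything other than a String is not".
public class EncodingContextDemo {

    /**
     * Minimal HTML encoder standing in for ESAPI's encodeForHTML().
     * It escapes the characters that matter in HTML text content; the real
     * library encodes a much larger set (Eric's output shows '=' becoming
     * "&#61;" and '/' becoming "&#47;", for instance).
     */
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                case '=':  out.append("&#61;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Context wrapper (assumed name): encode Strings on read, hand anything else through. */
    static class EncodingContext {
        private final Map<String, Object> values = new HashMap<>();

        void put(String key, Object value) {
            values.put(key, value);
        }

        /** What the template sees when it references ${key}. */
        Object get(String key) {
            Object v = values.get(key);
            return (v instanceof String) ? encodeForHtml((String) v) : v;
        }
    }

    public static void main(String[] args) {
        EncodingContext ctx = new EncodingContext();

        // A label from a .properties file, stored as a String: the <br> is
        // escaped, which is exactly the change Stephen is seeing.
        ctx.put("labelAsString", "Cust.<br>Order#");

        // The same label handed over as a StringBuilder: left untouched, so
        // the browser renders the line break again. Only do this for markup
        // the developer wrote; never for anything that came from a request.
        ctx.put("labelAsBuilder", new StringBuilder("Cust.<br>Order#"));

        // Constructed untrusted value (say, a submitted form field), kept as a
        // String so the automatic encoding neutralises the tag before it
        // reaches the page.
        ctx.put("userInput", "Bob <script>notReallyRun()</script>");

        System.out.println("labelAsString  -> " + ctx.get("labelAsString"));
        System.out.println("labelAsBuilder -> " + ctx.get("labelAsBuilder"));
        System.out.println("userInput      -> " + ctx.get("userInput"));
        // labelAsString  -> Cust.&lt;br&gt;Order#
        // labelAsBuilder -> Cust.<br>Order#
        // userInput      -> Bob &lt;script&gt;notReallyRun()&lt;&#47;script&gt;
    }
}
```

The point of the third value is the one David makes between the lines: the StringBuilder escape hatch is a statement that the content is developer-authored markup, so a StringBuilder built from request parameters or database fields re-opens the injection path the encoding was added to close. For Stephen's label case, the safer alternative to bypassing the encoder is to keep the label as plain text and put the line break in the FTL template, where it belongs.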
