ofbiz-user mailing list archives

From "Jacques Le Roux" <jacques.le.r...@les7arts.com>
Subject Re: Javascript is parsed to HTML (Freemarker ?)
Date Wed, 04 Mar 2009 21:15:44 GMT
Ok, it's late here so don't expect an answer before some hours...
Which Release.revision are you using, trunk I guess ?

Jacques
PS : see also my suggestion about StringHtmlWrapperForFtl, and maybe make it work for you
;o)

From: "Stephen Rufle" <srufle@salmonllc.com>
> Ok, if I convert to using XXX.xml instead of XXX.properties will I be able
> to embed the HTML, or is the general rule that no properties are allowed
> to have HTML in them otherwise they get encoded on the way out to the
> screen?
> 
> Using /ofbiz/framework/common/config/CommonUiLabels.xml as my example to
> work from
> 
> so what used to be
> 
> XXX.properties
> keyName=some text to the screen
> 
> XXX.xml - I am assuming that I have to have at least one xml:lang="en"
> as a value
> <resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>    <property key="keyName">
>        <value xml:lang="en">some text to the screen</value>
>    </property>
> </resource>
> 
> 
> Jacques Le Roux wrote:
>> 1st thing : OFBiz trunk no longer uses .properties files but .xml files
>> 2d thing : we don't allow HTML in labels (actually there are still
>> some, but it should not at term apart some special cases like the
>> famous CommonEmpty)
>>
>> I think you will have to create a specific worker for that, ie no
>> longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>> but using something like
>> Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}")
>> where renderUiLabelMap returns a stringBuilder embedding the original
>> String
>> I can see any other means maybe there are and someone will suggest you
>> something easier.
>>
>> Jacques
>>
>> From: "Stephen Rufle" <srufle@salmonllc.com>
>>> In the ftl I use
>>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>>>
>>> Does this process get passed through some class that I can change and
>>> send a patch for? Then all properties could embed HTML
>>>
>>> Jacques Le Roux wrote:
>>>> As David explains below you have to embed the String you create (I
>>>> suppose reading the property) into a StringBuilder
>>>>
>>>> Jacques
>>>>
>>>> From: "Stephen Rufle" <srufle@salmonllc.com>
>>>>> I think I have a related issue to this. I have .properties files with
>>>>> table headings in them. I used to be able to put a br tag <br> in the
>>>>> content of my labels to break two words.
>>>>>
>>>>> ex.
>>>>> "Cust.<br>Order# "
>>>>> would turn into
>>>>> "
>>>>> Cust.
>>>>> Order#
>>>>> "
>>>>> on my display, now it sends it literally. How do I get the old
>>>>> behavior
>>>>> back?
>>>>>
>>>>> David E Jones wrote:
>>>>>>
>>>>>> Have you been following the discussion on the mailing lists about the
>>>>>> XSS/etc prevention efforts?
>>>>>>
>>>>>> As a general practice when you run into things like this you can
>>>>>> usually find your answer pretty quickly by looking at commit logs,
>>>>>> and
>>>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>>>> you are trying to do. In this case, for example looking at the
>>>>>> productdetail screen and the groovy and ftl files that it uses will
>>>>>> give you an example of how to handle this now.
>>>>>>
>>>>>> The important thing to know is that now all String objects are
>>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>>>> it, just use anything other than a String object. The normal way
>>>>>> to do
>>>>>> this is to create your script dynamically using a StringBuilder, and
>>>>>> then just leave it as a StringBuilder instead of calling
>>>>>> toString() on
>>>>>> it before putting it in the context. Then it won't get HTML
>>>>>> encoded...
>>>>>>
>>>>>> On a side note, I know that the OOTB code isn't the best example of
>>>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>>>> file. If you are dynamically generating any sort of text a template
>>>>>> file is usually the best tool to use and results in the cleanest and
>>>>>> easiest to maintain code.
>>>>>>
>>>>>> And as a bonus, you'll avoid this encoding issue too. In fact,
>>>>>> part of
>>>>>> the decision to do this general encoding is to encourage the practice
>>>>>> of using templates for what they are meant to be used for.
>>>>>>
>>>>>> Best of luck,
>>>>>> -David
>>>>>>
>>>>>>
>>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>>>
>>>>>>> A precision :
>>>>>>>
>>>>>>> *** Error comes from Groovy
>>>>>>> Because I have the problem only with generated Javascript script
>>>>>>> with
>>>>>>> Groovy.
>>>>>>>
>>>>>>> An idea ?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Eric
>>>>>>> ----- Original Message ----- From: "Eric DE MAULDE"
>>>>>>> <ericjob@free.fr>
>>>>>>> To: <user@ofbiz.apache.org>
>>>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I updated my working copy
>>>>>>>
>>>>>>> *** Now all javascript are parsed to HTML (and appear in screen,
>>>>>>> just
>>>>>>> for my own application, Ecommerce is OK)
>>>>>>> Script tags are ok.
>>>>>>> Ex. in source :
>>>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>>>> Do you know where I can configure Freemarker ?
>>>>>>>
>>>>>>> In HTML head tag, some chars are parsed too.
>>>>>>>
>>>>>>> Eric
>>>>>>
>>>>>>
>>>>>>
>
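
Added example (not part of the original messages and not OFBiz code): a minimal Java model of the behaviour described in the thread, where only String context values are HTML-encoded on output and a StringBuilder passes through raw. The class name, the render and encodeForHtml helpers and the sample values are assumptions made for illustration, and the encoder is a simplified stand-in for ESAPI; the last two entries show that an untrusted value appended to such a StringBuilder has to be encoded individually.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ContextEncodingDemo {

    // Simplified stand-in for the framework's HTML encoder (not ESAPI itself).
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Models the rule from the thread: only java.lang.String values are encoded.
    static String render(Object contextValue) {
        if (contextValue instanceof String) {
            return encodeForHtml((String) contextValue);
        }
        // Any other type (StringBuilder here) is written to the page as-is.
        return String.valueOf(contextValue);
    }

    public static void main(String[] args) {
        String label = "Cust.<br>Order#";               // trusted markup from a label file
        String userNote = "<script>alert(1)</script>";  // constructed untrusted input

        Map<String, Object> context = new LinkedHashMap<>();
        context.put("asString", label);                          // <br> shown literally
        context.put("asBuilder", new StringBuilder(label));      // <br> rendered as markup
        context.put("unsafeBuilder",                             // untrusted text emitted raw
                new StringBuilder(label).append(' ').append(userNote));
        context.put("safeBuilder",                               // untrusted part encoded first
                new StringBuilder(label).append(' ').append(encodeForHtml(userNote)));

        for (Map.Entry<String, Object> e : context.entrySet()) {
            System.out.println(e.getKey() + " -> " + render(e.getValue()));
        }
    }
}
```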

