ofbiz-user mailing list archives

From "Jacques Le Roux" <jacques.le.r...@les7arts.com>
Subject Re: Javascript is parsed to HTML (Freemarker ?)
Date Wed, 04 Mar 2009 21:11:42 GMT
Maybe an option for you is to try to comment out lines 71-73 of HtmlWidget.java

Jacques

From: "Jacques Le Roux" <jacques.le.roux@les7arts.com>
> 1st thing : OFBiz trunk no longer uses .properties files but .xml files
> 2nd thing : we don't allow HTML in labels (actually there are still some, but it should not be, in the long term, apart from some special cases like
> the famous CommonEmpty)
>
> I think you will have to create a specific worker for that, ie no longer render your strings as
> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
> but using something like Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") where
> renderUiLabelMap returns a StringBuilder embedding the original String
> I can see any other means maybe there are and someone will suggest you something easier.
>
> Jacques
>
> From: "Stephen Rufle" <srufle@salmonllc.com>
>> In the ftl I use
>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>>
>> Does this process get passed through some class that I can change and
>> send a patch for? Then all properties could embed HTML
>>
>> Jacques Le Roux wrote:
>>> As David explains below you have to embed the String you create (I
>>> suppose reading the property) into a StringBuilder
>>>
>>> Jacques
>>>
>>> From: "Stephen Rufle" <srufle@salmonllc.com>
>>>> I think I have a related issue to this. I have .properties files with
>>>> table headings in them. I used to be able to put a br tag <br> in the
>>>> content of my labels to break two words.
>>>>
>>>> ex.
>>>> "Cust.<br>Order# "
>>>> would turn into
>>>> "
>>>> Cust.
>>>> Order#
>>>> "
>>>> on my display, now it sends it literally. How do I get the old behavior
>>>> back?
>>>>
>>>> David E Jones wrote:
>>>>>
>>>>> Have you been following the discussion on the mailing lists about the
>>>>> XSS/etc prevention efforts?
>>>>>
>>>>> As a general practice when you run into things like this you can
>>>>> usually find your answer pretty quickly by looking at commit logs, and
>>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>>> you are trying to do. In this case, for example looking at the
>>>>> productdetail screen and the groovy and ftl files that it uses will
>>>>> give you an example of how to handle this now.
>>>>>
>>>>> The important thing to know is that now all String objects are
>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>>> it, just use anything other than a String object. The normal way to do
>>>>> this is to create your script dynamically using a StringBuilder, and
>>>>> then just leave it as a StringBuilder instead of calling toString() on
>>>>> it before putting it in the context. Then it won't get HTML encoded...
>>>>>
>>>>> On a side note, I know that the OOTB code isn't the best example of
>>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>>> file. If you are dynamically generating any sort of text a template
>>>>> file is usually the best tool to use and results in the cleanest and
>>>>> easiest to maintain code.
>>>>>
>>>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>>>>> the decision to do this general encoding is to encourage the practice
>>>>> of using templates for what they are meant to be used for.
>>>>>
>>>>> Best of luck,
>>>>> -David
>>>>>
>>>>>
>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>>
>>>>>> A precision :
>>>>>>
>>>>>> *** Error comes from Groovy
>>>>>> Because I have the problem only with Javascript script generated with
>>>>>> Groovy.
>>>>>>
>>>>>> An idea ?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Eric
>>>>>> ----- Original Message ----- From: "Eric DE MAULDE" <ericjob@free.fr>
>>>>>> To: <user@ofbiz.apache.org>
>>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I updated my working copy
>>>>>>
>>>>>> *** Now all javascript is parsed to HTML (and appears on screen, just
>>>>>> for my own application, Ecommerce is OK)
>>>>>> Script tags are ok.
>>>>>> Ex. in source :
>>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>>> Do you know where I can configure Freemarker ?
>>>>>>
>>>>>> In HTML head tag, some chars are parsed too.
>>>>>>
>>>>>> Eric
>>>>>
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> Stephen P Rufle
>>>> srufle@salmonllc.com
>>>> H1:480-626-8022
>>>> H2:480-802-7173
>>>> Yahoo IM: stephen_rufle
>>>> AOL IM: stephen1rufle
>>>>
>>>
>>>
>>>
>>
>> -- 
>> Stephen P Rufle
>> srufle@salmonllc.com
>> H1:480-626-8022
>> H2:480-802-7173
>> Yahoo IM: stephen_rufle
>> AOL IM: stephen1rufle
>>
>
> 

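The behaviour David describes above (every String in the context is HTML-encoded, anything else such as a StringBuilder is rendered verbatim), as an added, self-contained Java example that is not OFBiz's own code. The encoder below is a minimal hand-written stand-in for the OWASP ESAPI encoder that OFBiz actually uses, and the class and method names are hypothetical. It shows why Stephen's "Cust.<br>Order#" label comes out literally when it is a String, why wrapping it in a StringBuilder restores the old rendering, and why request-controlled text must stay a String so the encoder can neutralise it:

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model of OFBiz's context rendering after the XSS-prevention change:
// Strings placed in the template context are HTML-encoded on output, any other
// object (here a StringBuilder) is rendered as-is. Hypothetical class, not OFBiz code.
public class LabelEncodingDemo {

    /** Minimal HTML encoder, a stand-in for ESAPI's encodeForHTML (not the real library). */
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** What the template sees for one context value: String -> encoded, anything else -> verbatim. */
    static String render(Object value) {
        if (value instanceof String) {
            return encodeForHtml((String) value);
        }
        return String.valueOf(value); // StringBuilder and other non-String objects bypass the encoder
    }

    public static void main(String[] args) {
        Map<String, Object> context = new LinkedHashMap<>();
        // Constructed sample values, mirroring the label discussed in the thread.
        // 1. Label kept as a String: the <br> is encoded and shows up literally on the page.
        context.put("labelAsString", "Cust.<br>Order#");
        // 2. Same trusted, developer-authored label wrapped in a StringBuilder: rendered as markup.
        context.put("labelAsBuilder", new StringBuilder("Cust.<br>Order#"));
        // 3. Text that came from a request must stay a String so the markup is neutralised.
        context.put("fromRequest", "<script>/* request-controlled text */</script>");

        for (Map.Entry<String, Object> e : context.entrySet()) {
            System.out.println(e.getKey() + " -> " + render(e.getValue()));
        }
    }
}
```

The StringBuilder path is an opt-out of output encoding, so only strings the developer fully controls (static labels, generated script) belong in one; anything derived from user input should remain a String.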

