ofbiz-user mailing list archives

From "Jacques Le Roux" <jacques.le.r...@les7arts.com>
Subject Re: Javascript is parsed to HTML (Freemarker ?)
Date Wed, 04 Mar 2009 18:19:39 GMT
As David explains below, you have to embed the String you create (I suppose by reading the property)
into a StringBuilder.

Jacques

From: "Stephen Rufle" <srufle@salmonllc.com>
>I think I have a related issue to this. I have .properties files with
> table headings in them. I used to be able to put a br tag <br> in the
> content of my labels to break two words.
> 
> ex.
> "Cust.<br>Order# "
> would turn into
> "
> Cust.
> Order#
> "
> on my display; now it sends it literally. How do I get the old behavior
> back?
> 
> David E Jones wrote:
>>
>> Have you been following the discussion on the mailing lists about the
>> XSS/etc prevention efforts?
>>
>> As a general practice when you run into things like this you can
>> usually find your answer pretty quickly by looking at commit logs, and
>> by looking at code in OOTB OFBiz that does something similar to what
>> you are trying to do. In this case, for example looking at the
>> productdetail screen and the groovy and ftl files that it uses will
>> give you an example of how to handle this now.
>>
>> The important thing to know is that now all String objects are
>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>> it, just use anything other than a String object. The normal way to do
>> this is to create your script dynamically using a StringBuilder, and
>> then just leave it as a StringBuilder instead of calling toString() on
>> it before putting it in the context. Then it won't get HTML encoded...
>>
>> On a side note, I know that the OOTB code isn't the best example of
>> this, but usually it is best to generate your JavaScript in the FTL
>> file. If you are dynamically generating any sort of text a template
>> file is usually the best tool to use and results in the cleanest and
>> easiest to maintain code.
>>
>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>> the decision to do this general encoding is to encourage the practice
>> of using templates for what they are meant to be used for.
>>
>> Best of luck,
>> -David
>>
>>
>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>
>>> A clarification:
>>>
>>> *** The error comes from Groovy,
>>> because I have the problem only with JavaScript generated with
>>> Groovy.
>>>
>>> An idea ?
>>>
>>> Thanks
>>>
>>> Eric
>>> ----- Original Message ----- From: "Eric DE MAULDE" <ericjob@free.fr>
>>> To: <user@ofbiz.apache.org>
>>> Sent: Monday, February 16, 2009 6:24 PM
>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>
>>>
>>> Hi,
>>>
>>> I updated my working copy
>>>
>>> *** Now all JavaScript is parsed to HTML (and appears on screen, just
>>> for my own application; Ecommerce is OK).
>>> Script tags are OK.
>>> Ex. in source :
>>> &lt;script language&#61;&quot;JavaScript&quot;
>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>> Do you know where I can configure Freemarker ?
>>>
>>> In HTML head tag, some chars are parsed too.
>>>
>>> Eric
>>
>>
>>
> 
> -- 
> Stephen P Rufle
> srufle@salmonllc.com
> H1:480-626-8022
> H2:480-802-7173
> Yahoo IM: stephen_rufle
> AOL IM: stephen1rufle
>

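The rule David describes (every java.lang.String put into the screen context is HTML-encoded, anything of another type passes through untouched) explains both symptoms in the thread, and it also carries a caveat the thread does not spell out: the StringBuilder workaround switches the XSS protection off for that one value. The following is an added, self-contained example written for this page; it is not OFBiz or ESAPI code. The two encoder methods are stand-ins for ESAPI's HTML and JavaScript encoders, the "String is encoded, other types pass through" wrapper is an assumption modelled on David's description, and the request value is a constructed sample.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ContextEncodingDemo {

    /** Stand-in for ESAPI's HTML encoder (assumption: the five characters
     *  that matter inside an HTML text node or attribute). */
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Stand-in for a JavaScript string-literal encoder: every character
     *  outside ASCII letters and digits becomes a Unicode escape
     *  (backslash, u, four hex digits), so the value can never close the
     *  surrounding quote or the script element. */
    static String encodeForJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    /** Models the behaviour David describes (assumption, not the OFBiz
     *  implementation): String values are HTML-encoded on their way into
     *  the context, values of any other type are stored as-is. */
    static Object putInContext(Map<String, Object> ctx, String key, Object value) {
        Object stored = (value instanceof String) ? encodeForHtml((String) value) : value;
        ctx.put(key, stored);
        return stored;
    }

    public static void main(String[] args) {
        Map<String, Object> ctx = new LinkedHashMap<>();

        // 1. Stephen's case: a label read from a .properties file. It is a
        //    String, so the <br> is encoded and the browser shows it literally.
        String label = "Cust.<br>Order# ";
        putInContext(ctx, "heading", label);   // -> Cust.&lt;br&gt;Order#

        // 2. Eric's case: a script assembled in Groovy. Left as a StringBuilder
        //    it is not encoded, so the <script> element reaches the browser intact.
        String displayName = "Stephen";        // trusted, developer-chosen text
        StringBuilder script = new StringBuilder()
            .append("<script type=\"text/javascript\">")
            .append("var who = '").append(displayName).append("';")
            .append("</script>");
        putInContext(ctx, "script", script);

        // 3. The caveat: the StringBuilder route bypasses the encoding entirely.
        //    If the appended text came from a request parameter (constructed
        //    sample below), it is emitted raw and the page is XSS-able again.
        String fromRequest = "x'; alert(document.cookie); //";   // constructed attacker input
        StringBuilder unsafe = new StringBuilder()
            .append("<script>var who = '").append(fromRequest).append("';</script>");
        putInContext(ctx, "unsafeScript", unsafe);

        // 4. Safe variant: encode the untrusted fragment for the JavaScript
        //    string context before appending; only the trusted markup stays raw.
        StringBuilder safe = new StringBuilder()
            .append("<script>var who = '")
            .append(encodeForJavaScript(fromRequest))
            .append("';</script>");
        putInContext(ctx, "safeScript", safe);

        for (Map.Entry<String, Object> e : ctx.entrySet()) {
            System.out.println(e.getKey() + " [" + e.getValue().getClass().getSimpleName() + "]: " + e.getValue());
        }
    }
}
```

The point of entries 3 and 4 is that "use a StringBuilder" is only a safe answer when everything appended to it is developer-authored; any fragment that originates from a request, the database, or a user-editable property has to be encoded for the context it lands in (HTML, attribute, or JavaScript string) before it goes in, because nothing downstream will do it. That is also why David's recommendation to build the markup in the FTL template is the cleaner route: the template engine applies encoding per value rather than relying on the type of the object in the context.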
