From: "Jacques Le Roux"
Reply-To: "Jacques Le Roux"
To:
Delivered-To: mailing list user@ofbiz.apache.org
Mailing-List: contact user-help@ofbiz.apache.org; run by ezmlm
Message-ID: <72D5AC98887F46B7977EA7BFC52A039A@inspiron530>
References: <745AC027-3AC2-4EB1-A8D9-5915E8C7BB6E@hotwaxmedia.com> <49AEBA54.50703@salmonllc.com> <990B29FD961F4C85AFE72D825815FD23@inspiron530> <49AECC23.9040700@salmonllc.com> <449C918DC1FE4946AD3F07B819820E7B@inspiron530>
Subject: Re: Javascript is parsed to HTML (Freemarker ?)
Date: Wed, 4 Mar 2009 22:11:42 +0100
Organization: Les Arts Informatiques

Maybe an option for you is to try to comment out lines 71-73 of HtmlWidget.java

Jacques

From: "Jacques Le Roux"
> 1st thing: OFBiz trunk no longer uses .properties files but .xml files
> 2nd thing: we don't allow HTML in labels (actually there are still some, but it should not at term, apart from some special cases like
> the famous CommonEmpty)
>
> I think you will have to create a specific worker for that, i.e. no longer render your strings as
> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
> but using something like Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") where
> renderUiLabelMap returns a StringBuilder embedding the original String.
> I can see any other means, maybe there are and someone will suggest you something easier.
>
> Jacques
>
> From: "Stephen Rufle"
>> In the ftl I use
>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>>
>> Does this process get passed through some class that I can change and
>> send a patch for? Then all properties could embed HTML.
>>
>> Jacques Le Roux wrote:
>>> As David explains below you have to embed the String you create (I
>>> suppose reading the property) into a StringBuilder.
>>>
>>> Jacques
>>>
>>> From: "Stephen Rufle"
>>>> I think I have a related issue to this. I have .properties files with
>>>> table headings in them. I used to be able to put a <br> tag in the
>>>> content of my labels to break two words.
>>>>
>>>> ex.
>>>> "Cust.<br>Order# "
>>>> would turn into
>>>> "
>>>> Cust.
>>>> Order#
>>>> "
>>>> on my display; now it sends it literally. How do I get the old behavior
>>>> back?
>>>>
>>>> David E Jones wrote:
>>>>>
>>>>> Have you been following the discussion on the mailing lists about the
>>>>> XSS/etc prevention efforts?
>>>>>
>>>>> As a general practice when you run into things like this you can
>>>>> usually find your answer pretty quickly by looking at commit logs, and
>>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>>> you are trying to do. In this case, for example, looking at the
>>>>> productdetail screen and the groovy and ftl files that it uses will
>>>>> give you an example of how to handle this now.
>>>>>
>>>>> The important thing to know is that now all String objects are
>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>>> it, just use anything other than a String object. The normal way to do
>>>>> this is to create your script dynamically using a StringBuilder, and
>>>>> then just leave it as a StringBuilder instead of calling toString() on
>>>>> it before putting it in the context. Then it won't get HTML encoded...
>>>>>
>>>>> On a side note, I know that the OOTB code isn't the best example of
>>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>>> file. If you are dynamically generating any sort of text a template
>>>>> file is usually the best tool to use and results in the cleanest and
>>>>> easiest to maintain code.
>>>>>
>>>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>>>>> the decision to do this general encoding is to encourage the practice
>>>>> of using templates for what they are meant to be used for.
>>>>>
>>>>> Best of luck,
>>>>> -David
>>>>>
>>>>>
>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>>
>>>>>> A precision:
>>>>>>
>>>>>> *** Error comes from Groovy
>>>>>> Because I have the problem only with JavaScript generated with
>>>>>> Groovy.
>>>>>>
>>>>>> An idea?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Eric
>>>>>> ----- Original Message ----- From: "Eric DE MAULDE"
>>>>>> To:
>>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I updated my working copy.
>>>>>>
>>>>>> *** Now all JavaScript is parsed to HTML (and appears on screen, just
>>>>>> for my own application, Ecommerce is OK).
>>>>>> Script tags are ok.
>>>>>> Ex. in source:
>>>>>> <script language="JavaScript"
>>>>>> type="text/javascript"><!--
>>>>>> Do you know where I can configure Freemarker?
>>>>>>
>>>>>> In the HTML head tag, some chars are parsed too.
>>>>>>
>>>>>> Eric
>>>>>
>>>>>
>>>>
>>>> --
>>>> Stephen P Rufle
>>>> srufle@salmonllc.com
>>>> H1:480-626-8022
>>>> H2:480-802-7173
>>>> Yahoo IM: stephen_rufle
>>>> AOL IM: stephen1rufle
>>>
>>
>> --
>> Stephen P Rufle
>> srufle@salmonllc.com
>> H1:480-626-8022
>> H2:480-802-7173
>> Yahoo IM: stephen_rufle
>> AOL IM: stephen1rufle
>
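The following is an added illustration of the rule David describes in the quoted thread (every String in the screen context is HTML-encoded on output, anything else passes through). It is not OFBiz code and not code posted by anyone in the thread: the class and method names are invented for the example, and the encodeForHtml method is a minimal stand-in for ESAPI's ESAPI.encoder().encodeForHTML() so the file compiles and runs without the ESAPI jar. It also shows the trap the thread's advice makes easy to fall into: wrapping raw user input in a StringBuilder switches the encoding off again, so user-controlled values embedded in a StringBuilder-built script still need escaping for the JavaScript string context.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not OFBiz code. Toy model of "String values in the context
 * are HTML-encoded, other CharSequences (StringBuilder) are passed through".
 */
public class ContextEncodingDemo {

    /** Minimal HTML encoder standing in for ESAPI's encodeForHTML (assumption: same character set). */
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Escape a value for use inside a double-quoted JavaScript string literal. */
    static String encodeForJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\");  break;
                case '"':  out.append("\\\"");  break;
                case '\'': out.append("\\'");   break;
                case '<':  out.append("\\x3C"); break;  // also neutralises "</script>"
                case '>':  out.append("\\x3E"); break;
                case '/':  out.append("\\/");   break;
                case '\n': out.append("\\n");   break;
                case '\r': out.append("\\r");   break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The rendering rule: a String is encoded; anything else is emitted verbatim. */
    static String render(Object value) {
        if (value instanceof String) {
            return encodeForHtml((String) value);
        }
        // A StringBuilder (or any non-String) means the developer is asserting
        // "this is already safe markup". Nothing checks that assertion.
        return String.valueOf(value);
    }

    public static void main(String[] args) {
        Map<String, Object> context = new LinkedHashMap<>();

        // Constructed sample input standing in for a value typed by a user.
        String customerName = "<script>alert(1)</script>";

        // 1. User data left as a String: encoded on output, so the tag is inert.
        context.put("customerName", customerName);

        // 2. A label that deliberately carries markup: keep it as a StringBuilder
        //    so the <br> survives (the .properties/.xml label case in the thread).
        context.put("orderHeading", new StringBuilder("Cust.<br>Order#"));

        // 3. Developer-generated JavaScript that embeds user data. The script as a
        //    whole is trusted (StringBuilder), but the user value inside it must
        //    still be escaped for the JavaScript string context it lands in.
        StringBuilder script = new StringBuilder();
        script.append("<script type=\"text/javascript\">\n");
        script.append("  var customer = \"").append(encodeForJsString(customerName)).append("\";\n");
        script.append("</script>");
        context.put("customerScript", script);

        // 4. The mistake to avoid: wrapping raw user input in a StringBuilder
        //    silently turns the XSS protection off for that value.
        context.put("unsafeName", new StringBuilder(customerName));

        for (Map.Entry<String, Object> e : context.entrySet()) {
            System.out.println(e.getKey() + " => " + render(e.getValue()));
        }
    }
}
```

Running it prints customerName with the angle brackets encoded, orderHeading with its <br> intact, customerScript with the payload inside the string literal rewritten as \x3Cscript\x3E..., and unsafeName with the raw <script> tag emitted untouched. The practical check when reviewing Groovy or Java that builds a StringBuilder for the context is therefore not "is it a StringBuilder?" but "does anything appended to it come from a request, the database or a label that users can edit, and is that part encoded for the context it is placed in?".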