ofbiz-user mailing list archives

From Ingo Wolfmayr <ingo.wolfm...@wolfix.at>
Subject AW: AW: AW: Render HTML markup in Freemarker
Date Sun, 08 Nov 2015 20:36:56 GMT
I created my own PERMISSIVE_POLICY, but I am not finished with it yet. 

I think putting the configuration into the base property would be a good idea. 

Thanks!

Ingo

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com] 
Sent: Sunday, 8 November 2015 14:03
To: user@ofbiz.apache.org
Subject: Re: AW: AW: Render HTML markup in Freemarker

Thanks for the feedback, Ingo,

Did you define your own PERMISSIVE_POLICY or simply use the one I created?

I think I will provide a base property anyway to allow users to use it without coding, with
a comment explaining that it can be modified.

Jacques


On 08/11/2015 12:39, Ingo Wolfmayr wrote:
> Thanks Jacques, the patch works fine. After defining the PERMISSIVE_POLICY I get the
> result I was expecting.
>
> Best regards,
> Ingo
>
> -----Original Message-----
> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
> Sent: Saturday, 7 November 2015 15:53
> To: user@ofbiz.apache.org
> Subject: Re: AW: Render HTML markup in Freemarker
>
> I submitted a last patch in OFBIZ-6669. It's now complete and gets rid of content.properties;
> see my last 2 comments in OFBIZ-6669.
>
> HTH
>
> Jacques
>
> On 07/11/2015 09:20, Jacques Le Roux wrote:
>> Ingo,
>>
>> Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer.
>>
>> As explained in OFBIZ-6669, contrary to what I did in the ContentWorker 
>> class, when I earlier did the work on the *ContentWrapper classes I did 
>> not use the sanitizer but only an encoder (either HTML or URL), because I wrongly
>> supposed that only plain text was used there, and certainly my lazy mind thought it was easier
>> because of the URL encoderType that also had to be handled.
>>
>> When the encoderType is HTML, I now suggest we use the sanitizer in 
>> *ContentWrapper classes. For that I will enhance the UtilCodec class 
>> (if people disagree that a sanitizer should be there, I will create a new 
>> UtilOwasp class).
>>
>> Beware though about the sanitizer. I'm not sure why, but it might still remove the
>> ids and tags like "<center><table" (see the OFBIZ-6669 description).
>> This is why the content.sanitize property exists in content.properties. 
>> To generalise, this property will need to be moved into the base config, I guess in
>> an owasp.properties file.
>>
>> To be totally complete we should change *lines like* the one at 
>> productsummary.ftl line 85 to use an HTML content wrapper. I mean 
>> something like:
>>
>> Index:
>> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>> ===================================================================
>> ---
>> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>> (revision 1712951)
>> +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.f
>> +++ t
>> +++ l (working copy)
>> @@ -63,6 +63,7 @@
>>           <#assign prodCatMem = requestAttributes.productCategoryMember>
>>       </#if>
>>       <#assign smallImageUrl =
>> productContentWrapper.get("SMALL_IMAGE_URL", "url")!>
>> +    <#assign productDescription =
>> + productContentWrapper.get("DESCRIPTION", "html")>
>>       <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if>
>>       <#-- end variable setup -->
>>       <#assign productInfoLinkId = "productInfoLink"> @@ -82,7 +83,7 @@
>>                   <img src="<@ofbizContentUrl>${contentPathPrefix!}${smallImageUrl}</@ofbizContentUrl>"
alt="Small Image"/><br />
>>                   ${uiLabelMap.ProductProductId}   : ${product.productId!}<br
/>
>>                   ${uiLabelMap.ProductProductName} : ${product.productName!}<br
/>
>> -                ${uiLabelMap.CommonDescription}  : ${product.description!}
>> +                ${uiLabelMap.CommonDescription}  :
>> + ${productDescription!}
>>                 </td>
>>               </tr>
>>             </table>
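Review bot: the new `<#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")>` in the first hunk has no `!` default operator, unlike the `smallImageUrl` assignment two lines above it; if `get` returns null for a product with no DESCRIPTION content, FreeMarker fails on the assign itself, so the guarded `${productDescription!}` in the second hunk is never reached. Suggest `productContentWrapper.get("DESCRIPTION", "html")!` on the assign, matching the existing line. Because the "html" encoder type is being switched from the HTML encoder to the sanitizer, this value is now emitted as markup rather than escaped text, so the rendered output depends on the sanitizer policy and the content.sanitize setting; a one-line comment next to the assign saying so would help the next reader. The `+++` file header is also wrapped over three lines as pasted and will not apply until rejoined.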
>>
>> I hope I'm clear now; see my proposed patch in OFBIZ-6669.
>>
>> Jacques
>>
>>
>> On 06/11/2015 20:19, Ingo Wolfmayr wrote:
>>> Hi Jacques,
>>>
>>> thanks for the quick answer.
>>>
>>> Just for me to understand :) :
>>>
>>> I have the following content from the DB: <p>Test</p> Shouldn't the 
>>> sanitizer remove/sanitize tags that are not in the allow policy? So 
>>> from my understanding, with the example "<p>Test</p>" it should 
>>> result in "" if the p-tag is not allowed. My result is that the 
>>> whole tag is rendered as text with the markup tag <p>.
>>>
>>> Best regards,
>>> Ingo
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
>>> Sent: Friday, 6 November 2015 16:32
>>> To: user@ofbiz.apache.org
>>> Subject: Re: Render HTML markup in Freemarker
>>>
>>> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669
>>>
>>> I see only one solution: also use the content.sanitize property 
>>> from content.properties (here you want it false) in the *ContentWrapper classes (where
>>> the content is encoded).
>>> This also means that you are then accepting that your code is susceptible to 
>>> possible (but unlikely) static XSS attacks. I agree we should give this flexibility
>>> to users, once they are aware of what they are doing.
>>>
>>> I will code that soon...
>>>
>>> Jacques
>>>
>>>
>>> On 06/11/2015 13:56, Ingo Wolfmayr wrote:
>>>> Hi everybody,
>>>>
>>>> I am trying to display text content with embedded HTML markup tags:
>>>>
>>>> <p>Test</p>
>>>>
>>>> I tried
>>>> ${productContentWrapper.get("DESCRIPTION","html")}
>>>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>>>>
>>>> For some reason it does print the text including the markup tags.
>>>>
>>>> I use the most current trunk. I have a project running on 13.07 doing
>>>> just the same, and there it works fine. As I could not find anything online:
>>>> did I miss something in the configuration?
>>>>
>>>> Thanks for any hint.
>>>> Best regards
>>>> Ingo
>>>>
>
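The thread above turns on the difference between HTML-encoding a content field and running it through the OWASP Java HTML Sanitizer under a given policy. The following Java program is an added example, not code from this thread or from OFBiz: it shows why `<p>Test</p>` came out as literal text on the encoder path, that a sanitizer drops a disallowed tag but keeps its text (so the result is not an empty string), and why a permissive policy is needed before `<center><table id=...>` survives. It assumes the owasp-java-html-sanitizer jar is on the classpath; `htmlEncode`, `PERMISSIVE_POLICY` and the sample strings are constructed here, not OFBiz's UtilCodec or the policy from OFBIZ-6669.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SanitizeVsEncodeDemo {
    // Minimal HTML entity encoder standing in for the encoder path the
    // *ContentWrapper classes used: markup is escaped to visible text, nothing is removed.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for the thread's PERMISSIVE_POLICY: the library's stock
    // block and formatting rules plus the table elements and the id attribute that
    // those stock policies strip (the "<center><table" case from OFBIZ-6669).
    static final PolicyFactory PERMISSIVE_POLICY = new HtmlPolicyBuilder()
            .allowElements("center", "table", "thead", "tbody", "tr", "th", "td")
            .allowAttributes("id").globally()
            .toFactory()
            .and(Sanitizers.BLOCKS)
            .and(Sanitizers.FORMATTING);

    public static void main(String[] args) {
        // Constructed sample content, as if read from the product DESCRIPTION content record.
        String description = "<p>Test</p>";
        String table = "<center><table id=\"specs\"><tr><td>Width</td></tr></table></center>";
        String hostile = "<p>Test<script>alert(1)</script></p>";

        // Encoder: the browser shows the literal characters <p>Test</p>.
        System.out.println(htmlEncode(description));
        // Sanitizer with a policy that does not allow p: the tag is dropped but its
        // text content is kept, so the result is not an empty string.
        System.out.println(Sanitizers.FORMATTING.sanitize(description));
        // Sanitizer with p allowed: the markup survives and renders as a paragraph.
        System.out.println(Sanitizers.BLOCKS.sanitize(description));
        // Stock BLOCKS policy strips center, table and id; the permissive policy keeps them.
        System.out.println(Sanitizers.BLOCKS.sanitize(table));
        System.out.println(PERMISSIVE_POLICY.sanitize(table));
        // These policies drop script and its contents: the static XSS that
        // content.sanitize=false would instead pass straight through to the page.
        System.out.println(PERMISSIVE_POLICY.sanitize(hostile));
    }
}
```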
