Hi Guys,
How can I disable html encoding on output which was brought with new security implementation? Is there a way to do it in request map or screen definition? Thank you. Ideally, it would be something like an attribute for <response> node in controller.xml specifying whether we want or not to encode output. In my case I have ajax requests which return a piece of html but in new release it is all screwed up with auto-encoding.
Have a look at ServiceEventHandler.checkSecureParameter()
Jacques

From: "masionas" <[hidden email]>
> Hi Guys,
>
> How can I disable html encoding on output which was brought with new
> security implementation? Is there a way to do it in request map or screen
> definition? Thank you.
> --
> View this message in context: http://www.nabble.com/Disable-HTML-Encoding-Output-tp23175536p23175536.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
In reply to this post by masionas
Could you be more specific? Which file, or at least type of file, are you looking at?

What is the behavior you want, and what is actually happening?

-David

On Apr 22, 2009, at 9:59 AM, masionas wrote:
> Hi Guys,
>
> How can I disable html encoding on output which was brought with new
> security implementation? Is there a way to do it in request map or
> screen
> definition? Thank you.
> --
> View this message in context: http://www.nabble.com/Disable-HTML-Encoding-Output-tp23175536p23175536.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
Hi David,
Here is what I have:

Ajax request which maps to a screen definition of couple groovy files and ftl. Groovy file calls CategoryContentWorker methods to get content of category, then this content is put into ftl which is returned as a piece of html ready to be assigned to a DIV element on the page.

Without security enhancement FTL returned raw (not auto-encoded) html as it was expected. But with the latest release it auto encodes the tags and other html chars. For example, <, >, \r, \n etc. And hence when I assign it to a DIV it is not a "real" html anymore, but encoded stuff.
There was an answer to this in another thread earlier today... something about:

${StringUtil.wrapString(productPromo.promoText?if_exists)}

-David

On Apr 23, 2009, at 1:26 AM, masionas wrote:
> Hi David,
>
> Here is what I have:
>
> Ajax request which maps to a screen definition of couple groovy
> files and
> ftl. Groovy file calls CategoryContentWorker methods to get content of
> category, then this content is put into ftl which is returned as a
> piece of
> html ready to be assigned to a DIV element on the page.
> Without security enhancement FTL returned raw (not auto-encoded) html
> as it
> was expected. But with the latest release it auto encodes the tags
> and other
> html chars. For example, <, >, \r, \n etc. And hence when I
> assign it
> to a DIV it is not a "real" html anymore, but encoded stuff.
>
> David E Jones-3 wrote:
>>
>> Could you be more specific? Which file, or at least type of file, are
>> you looking at?
>>
>> What is the behavior you want, and what is actually happening?
>>
>> -David
>>
>> On Apr 22, 2009, at 9:59 AM, masionas wrote:
>>
>>> Hi Guys,
>>>
>>> How can I disable html encoding on output which was brought with new
>>> security implementation? Is there a way to do it in request map or
>>> screen
>>> definition? Thank you.
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Disable-HTML-Encoding-Output-tp23175536p23175536.html
>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>
> --
> View this message in context: http://www.nabble.com/Disable-HTML-Encoding-Output-tp23175536p23191668.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
Hi David,
Actually I think I found where it started to be encoded. To pass the strings back to javascript as ajax response I escape them by this method:

<#assign sliderDivEscaped = Static["org.apache.commons.lang.StringEscapeUtils"].escapeJavaScript(.vars["sliderDiv"])>

And it looks like escapeJavaScript() method started to escape html chars as well now. Which was not the case before I merged with a new version (09.04).
Ok. Got it working this way. First escapeJavaScript() like I did and then execute on escaped wrapString().
Thanks.
Having a problem again with revision 772685. Now it started to add the doc type header while I do not need it, because I use html 4.01 strict for the consumer site. Is it configurable and can it be switched off? Let me know please. Thanks.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
In reply to this post by David E Jones-3
wrapString() works differently too now. The question is simple: how can I NOT have html escaped? Let me know please. I need to use raw html in ajax response without any escapes or doc types attached. Thank you in advance.
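
Added example, not part of the thread and not OFBiz code: a small JavaScript model of the behaviour discussed above, where a renderer HTML-encodes every value unless it has been wrapped, and where the JavaScript escaping is applied before the wrap, as in the workaround described in the thread. `RawHtml`, `wrapString`, `render`, `buildSliderFragment`, `toJsLiteral` and `renderAjaxScript` are hypothetical names for this sketch, and the sample category is constructed; the point is that the wrapped fragment is emitted verbatim, so untrusted fields are encoded before wrapping.

```javascript
// Model only: RawHtml and wrapString() here are hypothetical stand-ins for the
// wrapper OFBiz's StringUtil.wrapString() returns; this is not OFBiz code.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const encodeHtml = (value) => String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);

class RawHtml {
  constructor(markup) { this.markup = markup; }
}
const wrapString = (markup) => new RawHtml(markup);

// Fills ${name} placeholders: wrapped values pass through, everything else is encoded.
function render(template, context) {
  return template.replace(/\$\{(\w+)\}/g, (_, name) => {
    const value = context[name];
    if (value === undefined || value === null) return "";
    return value instanceof RawHtml ? value.markup : encodeHtml(value);
  });
}

// Trusted skeleton, untrusted fields: the fields are encoded by render()
// before the finished fragment is wrapped for verbatim output.
function buildSliderFragment(category) {
  return wrapString(render("<h3>${title}</h3><p>${text}</p>", category));
}

// Escapes for a JavaScript string context; "<" becomes \u003c so the literal
// cannot close an enclosing <script> element.
function toJsLiteral(markup) {
  return JSON.stringify(markup).replace(/</g, "\\u003c");
}

// JS-escape first, then wrap, so the HTML encoder does not mangle the literal.
function renderAjaxScript(category) {
  const fragment = buildSliderFragment(category);
  return render("var sliderDiv = ${js};", { js: wrapString(toJsLiteral(fragment.markup)) });
}

// Constructed sample data: stored category text that contains markup.
const sampleCategory = { title: "Spring <sale>", text: '<b onclick="x()">deal</b>' };

console.log(render("<div>${sliderDiv}</div>", { sliderDiv: "<ul><li>A</li></ul>" }));
console.log(buildSliderFragment(sampleCategory).markup);
console.log(renderAjaxScript(sampleCategory));
```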