Disable HTML Encoding Output

masionas
Hi guys,

How can I disable the HTML encoding on output that was brought in with the new security implementation? Is there a way to do it in the request map or screen definition? Thank you.

Ideally, it would be something like an attribute for the <response> node in controller.xml specifying whether or not we want to encode output. In my case I have Ajax requests which return a piece of HTML, but in the new release it is all screwed up by the auto-encoding.

Re: Disable HTML Encoding Output

Jacques Le Roux
Administrator
Have a look at ServiceEventHandler.checkSecureParameter()

Jacques

From: "masionas" <[hidden email]>

>
> HI Guys,
>
> How can I disable html encoding on output which was brought with new
> security implementation? Is there a way to do it in request map or screen
> definition? Thank you.
> --
> View this message in context: http://www.nabble.com/Disable-HTML-Encoding-Output-tp23175536p23175536.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>


Re: Disable HTML Encoding Output

David E Jones-3

Could you be more specific? Which file, or at least type of file, are  
you looking at?

What is the behavior you want, and what is actually happening?

-David


On Apr 22, 2009, at 9:59 AM, masionas wrote:

>
> HI Guys,
>
> How can I disable html encoding on output which was brought with new
> security implementation? Is there a way to do it in request map or  
> screen
> definition? Thank you.
>


Re: Disable HTML Encoding Output

masionas
Hi David,

Here is what I have:

An Ajax request which maps to a screen definition made up of a couple of Groovy files and an FTL. The Groovy file calls CategoryContentWorker methods to get the content of a category, then this content is put into the FTL, which is returned as a piece of HTML ready to be assigned to a DIV element on the page.
Without the security enhancement the FTL returned raw (not auto-encoded) HTML, as expected. But with the latest release it auto-encodes the tags and other HTML chars, for example <, >, \r, \n etc. Hence when I assign it to a DIV it is not "real" HTML anymore, but encoded stuff.



Re: Disable HTML Encoding Output

David E Jones-3

There was an answer to this in another thread earlier today...  
something about:

${StringUtil.wrapString(productPromo.promoText?if_exists)}

-David


On Apr 23, 2009, at 1:26 AM, masionas wrote:

>
> Hi David,
>
> Here is what I have:
>
> Ajax request which maps to a screen definition of a couple of Groovy
> files and an FTL. Groovy file calls CategoryContentWorker methods to get
> content of category, then this content is put into the FTL which is
> returned as a piece of HTML ready to be assigned to a DIV element on the
> page.
> Without security enhancement FTL returned raw (not auto-encoded) HTML as
> it was expected. But with the latest release it auto-encodes the tags and
> other HTML chars. For example, &lt;, &gt;, \r, \n etc. And hence when I
> assign it to a DIV it is not "real" HTML anymore, but encoded stuff.


Re: Disable HTML Encoding Output

masionas
Hi David,

Actually I think I found where it starts to be encoded. To pass the strings back to JavaScript as the Ajax response I escape them with this method:

<#assign sliderDivEscaped= Static["org.apache.commons.lang.StringEscapeUtils"].escapeJavaScript(.vars["sliderDiv"])>

And it looks like the escapeJavaScript() method has started to escape HTML chars as well now, which was not the case before I merged with the new version (09.04).


Re: Disable HTML Encoding Output

masionas
Ok. Got it working this way. First escapeJavaScript() like I did and then execute on escaped wrapString().
Thanks.
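The encoder ordering discussed in the posts above, as an added example that is not part of the original thread and is not OFBiz or Commons Lang code. The function names and sample data are hypothetical: data values are HTML-encoded while the fragment is built, the finished fragment is encoded once for the JavaScript string context, and HTML-encoding the finished fragment again reproduces the reported symptom.

```javascript
// Added example: all names here are hypothetical, not OFBiz or Commons Lang code.

// HTML-body encoder: applied to individual data values, never to finished markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// JavaScript-string encoder: makes text safe inside a quoted JS literal.
// '<' and '/' are written as \uXXXX so "</script>" cannot appear in the output.
function escapeJsString(s) {
  return String(s).replace(/[\\'"<>&\/\r\n\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build the fragment: markup is template-owned, data values are HTML-encoded.
function renderCategoryFragment(category) {
  return '<div class="slider"><h3>' + escapeHtml(category.name) + '</h3>\n' +
         '<p>' + escapeHtml(category.description) + '</p></div>';
}

// Ajax response body: a JS assignment whose string literal carries the fragment.
function buildAjaxResponse(fragment) {
  return 'var sliderDiv = "' + escapeJsString(fragment) + '";';
}

// What the browser recovers after evaluating the literal: the original fragment.
function decodeResponse(resp) {
  const literal = resp.slice(resp.indexOf('"'), resp.lastIndexOf('"') + 1);
  return JSON.parse(literal); // valid because every special char is a \uXXXX escape
}

// Constructed sample data, including a value that contains markup characters.
const sample = { name: 'Tools & <b>Parts</b>', description: 'Line 1\r\nLine 2' };

const fragment = renderCategoryFragment(sample);
const response = buildAjaxResponse(fragment);

// The reported symptom: HTML-encoding the finished fragment a second time
// turns the template's own tags into text (&lt;div ...) when assigned to a DIV.
const doubleEncoded = escapeHtml(fragment);
```

Marking the fragment as "do not encode" is only sound when every data value inside it was already HTML-encoded at the point it was placed into the markup, as renderCategoryFragment does here.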

Re: Disable HTML Encoding Output

masionas
Having a problem again with revision 772685. Now it has started to add the doctype header, which I do not need because I use HTML 4.01 Strict for the consumer site. Is it configurable, and can it be switched off? Let me know please. Thanks.

"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"


Re: Disable HTML Encoding Output

masionas
wrapString() works differently too now. The question is simple: how can I NOT have HTML escaped? Let me know please. I need to use raw HTML in the Ajax response without any escapes or doctypes attached. Thank you in advance.
