HTML encoding on ftl

Rajib Khan
Hi,

We are currently upgrading our system to release-0904. We noticed that ofbiz
imposes security with HTML code input / output.

*Input:* In our customized version of ofbiz we are using "allow-html"
parameter to accept "html" for a specific service attribute.
This allowed us to store html data in the database.

<service name="createNote" engine="java"
             location="org.ofbiz.common.CommonServices" invoke="createNote">
....
....
<attribute name="note" type="String" mode="IN" allow-html="safe"/>
...
</service>

*Output:* But we found that on the screen HTML data is rendered as an
encoded string, which in turn displays all the HTML code.
Example:
======
code fragment in the ftl file:
...
<td align="left" valign="top">
       <div class="tabletext">${note.noteInfo?if_exists}</div>
</td>
...
display on the browser:
===============
"Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd,
Morwell VIC 3840, 3840, AUS <br><b>New address: </b>1"

*Question:*
How can the stored HTML data be rendered properly?  Is there any
configuration for rendering HTML data?

Regards,
Rajib
Re: HTML encoding on ftl

Jacques Le Roux
Administrator
Yes, I also saw this issue while working with content. Could you please open a Jira for that?
I think that I have also sent a msg about that last week or so, but not sure...
http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices

Thanks

Jacques

Re: HTML encoding on ftl

David E Jones-3

This is how it is supposed to behave. Most user-entered data coming  
from the database should not have HTML in it as it creates a security  
risk.

HTML in text fields should definitely not be allowed by customers, and  
only in special circumstances by employees. IMO this note field is  
somewhat on the line, but by default in the project the output of it  
should stay encoded (the default) and the input should not allow html  
(the default). The reason I see that is that HTML is not normally  
needed in notes, and even in this case that Rajib mentions it appears  
to be a work-around for data that should really go somewhere else (and  
really does go somewhere else). Workarounds and hacks are fine if  
people choose to use the system that way, but it's nice to NOT have  
them go back into the project...

There have been dozens of discussions about how to have the output not  
be encoded, and there are a few examples in different parts of the  
project, including in the "promotiondetails.ftl" file in the order  
component, with this expression in particular:

${StringUtil.wrapString(productPromo.promoText?if_exists)}

-David


On May 19, 2009, at 1:42 AM, Jacques Le Roux wrote:

Re: HTML encoding on ftl

Jacques Le Roux
Administrator
Actually, the problem I reported earlier is not about notes, where I agree they should be secured by default, but in the content component.
Have a look for instance at https://localhost:8443/content/control/EditHtmlText?dataResourceId=CMSS_DEMO_HOME
BTW you can't access this page on the demo server. I guess for security reasons.

Sorry, I have no time to dig in deeper...

Jacques


Re: HTML encoding on ftl

David E Jones-3

Many parts of the content component are a different issue than what  
Rajib was asking about. Some of that is meant to be web-oriented  
content, which is why many of the comment services have allow-html set  
to safe, and why much of the content output is encoded using the  
StringUtil.wrapString expression I mentioned below, or doing the same  
string wrapper in a renderer class or something. Any of the content  
output stuff that isn't doing that simply needs to be fixed.

-David


On May 19, 2009, at 9:21 AM, Jacques Le Roux wrote:

Re: HTML encoding on ftl

Jacques Le Roux
Administrator
Thanks for the confirmation, David,

Jacques

Re: HTML encoding on ftl

Rajib Khan
Hi David and Jacques,

Thanks for the clarification. As our system has historical data (more than 3
years) which contains HTML syntax, it would be really helpful for us if
someone could point us to the central point where the encoding is done in
OFBiz. In that case, for our system we can customize the rendering based on
some sort of configuration.

Regards,
Rajib



On Wed, May 20, 2009 at 2:49 AM, Jacques Le Roux <[hidden email]> wrote:

Re: HTML encoding on ftl

Rajib Khan
Hi,

Currently I'm planning to customize "StringUtil.java" with the following
modification for our system to render HTML screens.
Please let me know if this is not the right place to customize.
===========
public static class HtmlEncoder implements SimpleEncoder {
    // Read once when the encoder instance is created: 'html.encode.on=Y' keeps the default encoding
    boolean encodeEnabled = UtilProperties.propertyValueEqualsIgnoreCase("general.properties", "html.encode.on", "Y");

    public String encode(String original) {
        if (encodeEnabled) {
            return StringUtil.defaultWebEncoder.encodeForHTML(original);
        }
        // Encoding switched off system-wide: every string reaches the browser unchanged
        Debug.logWarning("**** HTML encoding turned off! to enable encoding set 'html.encode.on' to 'Y' in 'general.properties'", module);
        return original;
    }
}
===========

Regards,
Rajib

On Wed, May 20, 2009 at 9:57 AM, Rajib Khan <[hidden email]> wrote:

Re: HTML encoding on ftl

hans_bakker
In reply to this post by David E Jones-3
David,

Thanks for your explanation, and in general I agree with you. However, we
should make an exception using the OFBiz type of fields. Any
'description' or 'name' type of field should have the default allow-html
set to safe in order to use the ">" and "<" characters.

example in the entity content:
      <field name="contentName" type="name"></field>
      <field name="description" type="description"></field>

or customer request:
      <field name="custRequestName" type="name"></field>
      <field name="description" type="description"></field>


My customers use these characters frequently.

Regards,
Hans

On Tue, 2009-05-19 at 09:40 -0600, David E Jones wrote:

--
Antwebsystems.com: Quality OFBiz services for competitive rates
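As an added example (not OFBiz code and not from anyone in this thread), the Java program below models the mechanism David describes and that Hans's ">" and "<" case depends on: the view layer HTML-encodes every plain String by default, and only a value passed through a wrapString-style wrapper is emitted raw, so the opt-out is tied to one template expression rather than to a system-wide property such as the proposed html.encode.on switch. The names NoteRenderDemo, StringWrapper, render and compare are hypothetical stand-ins for the OFBiz encoder and StringUtil.wrapString, and all sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical model of the default-encode / explicit-opt-out pattern from the thread.
 * None of these classes are OFBiz classes; they stand in for the encoder applied by the
 * template layer and for the StringUtil.wrapString marker.
 */
public class NoteRenderDemo {

    /** Default output step: entity-encode the characters that change HTML meaning. */
    static String encodeForHTML(String original) {
        if (original == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(original.length() + 16);
        for (int i = 0; i < original.length(); i++) {
            char c = original.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Marker type: the developer has declared the value inside to be trusted markup. */
    static final class StringWrapper {
        private final String markup;
        StringWrapper(String markup) { this.markup = markup; }
        @Override public String toString() { return markup; }
    }

    /** Per-expression opt-out, the equivalent of ${StringUtil.wrapString(x)} in an .ftl file. */
    static StringWrapper wrapString(String trustedMarkup) {
        return new StringWrapper(trustedMarkup);
    }

    /** What the view layer does with a template expression: encode unless wrapped. */
    static String render(Object value) {
        if (value == null) {
            return "";
        }
        if (value instanceof StringWrapper) {
            return value.toString();            // explicit opt-out: emitted as-is
        }
        return encodeForHTML(value.toString()); // the default for every other value
    }

    /** Renders each sample both ways so the effect of the opt-out is visible side by side. */
    static Map<String, String[]> compare(Map<String, String> samples) {
        Map<String, String[]> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : samples.entrySet()) {
            out.put(e.getKey(), new String[] {
                render(e.getValue()),             // default: encoded
                render(wrapString(e.getValue()))  // opted out: raw markup
            });
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> samples = new LinkedHashMap<>();
        // Constructed sample shaped like the note from the first message in the thread.
        samples.put("noteInfo", "Shipping Destination Address:<br><b>Old address: </b>111 Commercial Rd");
        // Constructed 'name' field that legitimately contains < and > (Hans's case):
        // encoding preserves them for display, so the default costs nothing here.
        samples.put("custRequestName", "Lead time > 5 days & < 10 days");
        // Constructed untrusted value: encoded it is inert text; wrapped it would execute.
        samples.put("untrusted", "<script>alert(1)</script>");

        for (Map.Entry<String, String[]> e : compare(samples).entrySet()) {
            System.out.println(e.getKey());
            System.out.println("  encoded (default):   " + e.getValue()[0]);
            System.out.println("  wrapped (opted out): " + e.getValue()[1]);
        }
    }
}
```

Because the opt-out is attached to a single expression, the untrusted sample stays inert everywhere except the one place a developer deliberately wrapped it, which is what a global off switch cannot guarantee.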