Javascript is parsed to HTML (Freemarker ?)

Javascript is parsed to HTML (Freemarker ?)

Eric DE MAULDE
Hi,

I updated my working copy

*** Now all JavaScript is parsed to HTML (and appears on screen; just for my own application, Ecommerce is OK)
Script tags are ok.
Ex. in source :
&lt;script language&#61;&quot;JavaScript&quot; type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
Do you know where I can configure Freemarker ?

In HTML head tag, some chars are parsed too.

Eric

Re: Javascript is parsed to HTML (Freemarker ?)

Eric DE MAULDE
A precision :

*** Error comes from Groovy
Because I have the problem only with generated Javascript script with
Groovy.

An idea ?

Thanks

Eric
----- Original Message -----
From: "Eric DE MAULDE" <[hidden email]>
To: <[hidden email]>
Sent: Monday, February 16, 2009 6:24 PM
Subject: Javascript is parsed to HTML (Freemarker ?)


Hi,

I updated my working copy

*** Now all javascript are parsed to HTML (and appear in screen, just for my
own application, Ecommerce is OK)
Script tags are ok.
Ex. in source :
&lt;script language&#61;&quot;JavaScript&quot;
type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
Do you know where I can configure Freemarker ?

In HTML head tag, some chars are parsed too.

Eric


Re: Javascript is parsed to HTML (Freemarker ?)

David E Jones-3

Have you been following the discussion on the mailing lists about the  
XSS/etc prevention efforts?

As a general practice when you run into things like this you can  
usually find your answer pretty quickly by looking at commit logs, and  
by looking at code in OOTB OFBiz that does something similar to what  
you are trying to do. In this case, for example looking at the  
productdetail screen and the groovy and ftl files that it uses will  
give you an example of how to handle this now.

The important thing to know is that now all String objects are  
automatically HTML encoded (using the OWASP ESAPI library). To avoid  
it, just use anything other than a String object. The normal way to do  
this is to create your script dynamically using a StringBuilder, and  
then just leave it as a StringBuilder instead of calling toString() on  
it before putting it in the context. Then it won't get HTML encoded...

On a side note, I know that the OOTB code isn't the best example of  
this, but usually it is best to generate your JavaScript in the FTL  
file. If you are dynamically generating any sort of text a template  
file is usually the best tool to use and results in the cleanest and  
easiest to maintain code.

And as a bonus, you'll avoid this encoding issue too. In fact, part of  
the decision to do this general encoding is to encourage the practice  
of using templates for what they are meant to be used for.

Best of luck,
-David


On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:

> A precision :
>
> *** Error comes from Groovy
> Because I have the problem only with generated Javascript script  
> with Groovy.
>
> An idea ?
>
> Thanks
>
> Eric
> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]>
> To: <[hidden email]>
> Sent: Monday, February 16, 2009 6:24 PM
> Subject: Javascript is parsed to HTML (Freemarker ?)
>
>
> Hi,
>
> I updated my working copy
>
> *** Now all javascript are parsed to HTML (and appear in screen,  
> just for my own application, Ecommerce is OK)
> Script tags are ok.
> Ex. in source :
> &lt;script language&#61;&quot;JavaScript&quot;  
> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
> Do you know where I can configure Freemarker ?
>
> In HTML head tag, some chars are parsed too.
>
> Eric


Re: Javascript is parsed to HTML (Freemarker ?)

Eric DE MAULDE
David,

Thank you so much
You have got me out of a spot

Sorry, I'm not regular

Eric
----- Original Message -----
From: "David E Jones" <[hidden email]>
To: <[hidden email]>
Sent: Monday, February 16, 2009 11:34 PM
Subject: Re: Javascript is parsed to HTML (Freemarker ?)


>
> Have you been following the discussion on the mailing lists about the  
> XSS/etc prevention efforts?
>
> As a general practice when you run into things like this you can  
> usually find your answer pretty quickly by looking at commit logs, and  
> by looking at code in OOTB OFBiz that does something similar to what  
> you are trying to do. In this case, for example looking at the  
> productdetail screen and the groovy and ftl files that it uses will  
> give you an example of how to handle this now.
>
> The important thing to know is that now all String objects are  
> automatically HTML encoded (using the OWASP ESAPI library). To avoid  
> it, just use anything other than a String object. The normal way to do  
> this is to create your script dynamically using a StringBuilder, and  
> then just leave it as a StringBuilder instead of calling toString() on  
> it before putting it in the context. Then it won't get HTML encoded...
>
> On a side note, I know that the OOTB code isn't the best example of  
> this, but usually it is best to generate your JavaScript in the FTL  
> file. If you are dynamically generating any sort of text a template  
> file is usually the best tool to use and results in the cleanest and  
> easiest to maintain code.
>
> And as a bonus, you'll avoid this encoding issue too. In fact, part of  
> the decision to do this general encoding is to encourage the practice  
> of using templates for what they are meant to be used for.
>
> Best of luck,
> -David
>
>
> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>
>> A precision :
>>
>> *** Error comes from Groovy
>> Because I have the problem only with generated Javascript script  
>> with Groovy.
>>
>> An idea ?
>>
>> Thanks
>>
>> Eric
>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]>
>> To: <[hidden email]>
>> Sent: Monday, February 16, 2009 6:24 PM
>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>
>>
>> Hi,
>>
>> I updated my working copy
>>
>> *** Now all javascript are parsed to HTML (and appear in screen,  
>> just for my own application, Ecommerce is OK)
>> Script tags are ok.
>> Ex. in source :
>> &lt;script language&#61;&quot;JavaScript&quot;  
>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>> Do you know where I can configure Freemarker ?
>>
>> In HTML head tag, some chars are parsed too.
>>
>> Eric
>
>

Re: Javascript is parsed to HTML (Freemarker ?)

Stephen Rufle-2
In reply to this post by David E Jones-3
I think I have a related issue to this. I have .properties files with
table headings in them. I used to be able to put a br tag <br> in the
content of my labels to break two words.

ex.
"Cust.<br>Order# "
would turn into
"
Cust.
Order#
"
on my display, now it sends it literally. How do I get the old behavior
back?

David E Jones wrote:

>
> Have you been following the discussion on the mailing lists about the
> XSS/etc prevention efforts?
>
> As a general practice when you run into things like this you can
> usually find your answer pretty quickly by looking at commit logs, and
> by looking at code in OOTB OFBiz that does something similar to what
> you are trying to do. In this case, for example looking at the
> productdetail screen and the groovy and ftl files that it uses will
> give you an example of how to handle this now.
>
> The important thing to know is that now all String objects are
> automatically HTML encoded (using the OWASP ESAPI library). To avoid
> it, just use anything other than a String object. The normal way to do
> this is to create your script dynamically using a StringBuilder, and
> then just leave it as a StringBuilder instead of calling toString() on
> it before putting it in the context. Then it won't get HTML encoded...
>
> On a side note, I know that the OOTB code isn't the best example of
> this, but usually it is best to generate your JavaScript in the FTL
> file. If you are dynamically generating any sort of text a template
> file is usually the best tool to use and results in the cleanest and
> easiest to maintain code.
>
> And as a bonus, you'll avoid this encoding issue too. In fact, part of
> the decision to do this general encoding is to encourage the practice
> of using templates for what they are meant to be used for.
>
> Best of luck,
> -David
>
>
> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>
>> A precision :
>>
>> *** Error comes from Groovy
>> Because I have the problem only with generated Javascript script with
>> Groovy.
>>
>> An idea ?
>>
>> Thanks
>>
>> Eric
>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]>
>> To: <[hidden email]>
>> Sent: Monday, February 16, 2009 6:24 PM
>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>
>>
>> Hi,
>>
>> I updated my working copy
>>
>> *** Now all javascript are parsed to HTML (and appear in screen, just
>> for my own application, Ecommerce is OK)
>> Script tags are ok.
>> Ex. in source :
>> &lt;script language&#61;&quot;JavaScript&quot;
>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>> Do you know where I can configure Freemarker ?
>>
>> In HTML head tag, some chars are parsed too.
>>
>> Eric
>
>
>

--
Stephen P Rufle
[hidden email]
H1:480-626-8022
H2:480-802-7173
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle


Re: Javascript is parsed to HTML (Freemarker ?)

Jacques Le Roux
Administrator
As David explains below, you have to embed the String you create (I suppose by reading the property) into a StringBuilder.

Jacques

From: "Stephen Rufle" <[hidden email]>

>I think I have a related issue to this. I have .properties files with
> table headings in them. I used to be able to put a br tag <br> in the
> content of my labels to break two words.
>
> ex.
> "Cust.<br>Order# "
> would turn into
> "
> Cust.
> Order#
> "
> on my display, now it sends it literally. How do I get the old behavior
> back?
>
> David E Jones wrote:
>>
>> Have you been following the discussion on the mailing lists about the
>> XSS/etc prevention efforts?
>>
>> As a general practice when you run into things like this you can
>> usually find your answer pretty quickly by looking at commit logs, and
>> by looking at code in OOTB OFBiz that does something similar to what
>> you are trying to do. In this case, for example looking at the
>> productdetail screen and the groovy and ftl files that it uses will
>> give you an example of how to handle this now.
>>
>> The important thing to know is that now all String objects are
>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>> it, just use anything other than a String object. The normal way to do
>> this is to create your script dynamically using a StringBuilder, and
>> then just leave it as a StringBuilder instead of calling toString() on
>> it before putting it in the context. Then it won't get HTML encoded...
>>
>> On a side note, I know that the OOTB code isn't the best example of
>> this, but usually it is best to generate your JavaScript in the FTL
>> file. If you are dynamically generating any sort of text a template
>> file is usually the best tool to use and results in the cleanest and
>> easiest to maintain code.
>>
>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>> the decision to do this general encoding is to encourage the practice
>> of using templates for what they are meant to be used for.
>>
>> Best of luck,
>> -David
>>
>>
>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>
>>> A precision :
>>>
>>> *** Error comes from Groovy
>>> Because I have the problem only with generated Javascript script with
>>> Groovy.
>>>
>>> An idea ?
>>>
>>> Thanks
>>>
>>> Eric
>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]>
>>> To: <[hidden email]>
>>> Sent: Monday, February 16, 2009 6:24 PM
>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>
>>>
>>> Hi,
>>>
>>> I updated my working copy
>>>
>>> *** Now all javascript are parsed to HTML (and appear in screen, just
>>> for my own application, Ecommerce is OK)
>>> Script tags are ok.
>>> Ex. in source :
>>> &lt;script language&#61;&quot;JavaScript&quot;
>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>> Do you know where I can configure Freemarker ?
>>>
>>> In HTML head tag, some chars are parsed too.
>>>
>>> Eric
>>
>>
>>
>
> --
> Stephen P Rufle
> [hidden email]
> H1:480-626-8022
> H2:480-802-7173
> Yahoo IM: stephen_rufle
> AOL IM: stephen1rufle
>


Re: Javascript is parsed to HTML (Freemarker ?)

Stephen Rufle-2
In the ftl I use
${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}

Does this process get passed through some class that I can change and
send a patch for? Then all properties could embed HTML

Jacques Le Roux wrote:

> As David explains below you have to embed the String you create (I
> suppose reading the property) into a StringBuilder
>
> Jacques
>
> From: "Stephen Rufle" <[hidden email]>
>> I think I have a related issue to this. I have .properties files with
>> table headings in them. I used to be able to put a br tag <br> in the
>> content of my labels to break two words.
>>
>> ex.
>> "Cust.<br>Order# "
>> would turn into
>> "
>> Cust.
>> Order#
>> "
>> on my display, now it sends it literally. How do I get the old behavior
>> back?
>>
>> David E Jones wrote:
>>>
>>> Have you been following the discussion on the mailing lists about the
>>> XSS/etc prevention efforts?
>>>
>>> As a general practice when you run into things like this you can
>>> usually find your answer pretty quickly by looking at commit logs, and
>>> by looking at code in OOTB OFBiz that does something similar to what
>>> you are trying to do. In this case, for example looking at the
>>> productdetail screen and the groovy and ftl files that it uses will
>>> give you an example of how to handle this now.
>>>
>>> The important thing to know is that now all String objects are
>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>> it, just use anything other than a String object. The normal way to do
>>> this is to create your script dynamically using a StringBuilder, and
>>> then just leave it as a StringBuilder instead of calling toString() on
>>> it before putting it in the context. Then it won't get HTML encoded...
>>>
>>> On a side note, I know that the OOTB code isn't the best example of
>>> this, but usually it is best to generate your JavaScript in the FTL
>>> file. If you are dynamically generating any sort of text a template
>>> file is usually the best tool to use and results in the cleanest and
>>> easiest to maintain code.
>>>
>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>>> the decision to do this general encoding is to encourage the practice
>>> of using templates for what they are meant to be used for.
>>>
>>> Best of luck,
>>> -David
>>>
>>>
>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>
>>>> A precision :
>>>>
>>>> *** Error comes from Groovy
>>>> Because I have the problem only with generated Javascript script with
>>>> Groovy.
>>>>
>>>> An idea ?
>>>>
>>>> Thanks
>>>>
>>>> Eric
>>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]>
>>>> To: <[hidden email]>
>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I updated my working copy
>>>>
>>>> *** Now all javascript are parsed to HTML (and appear in screen, just
>>>> for my own application, Ecommerce is OK)
>>>> Script tags are ok.
>>>> Ex. in source :
>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>> Do you know where I can configure Freemarker ?
>>>>
>>>> In HTML head tag, some chars are parsed too.
>>>>
>>>> Eric
>>>
>>>
>>>
>>
>> --
>> Stephen P Rufle
>> [hidden email]
>> H1:480-626-8022
>> H2:480-802-7173
>> Yahoo IM: stephen_rufle
>> AOL IM: stephen1rufle
>>
>
>
>

--
Stephen P Rufle
[hidden email]
H1:480-626-8022
H2:480-802-7173
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle


Re: Javascript is parsed to HTML (Freemarker ?)

Jacques Le Roux
Administrator
1st thing: OFBiz trunk no longer uses .properties files but .xml files.
2nd thing: we don't allow HTML in labels (actually there are still some, but eventually there should be none, apart from some special cases like the famous CommonEmpty).

I think you will have to create a specific worker for that, i.e. no longer render your strings as
${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
but using something like Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") where
renderUiLabelMap returns a StringBuilder embedding the original String.
I can see any other means maybe there are and someone will suggest you something easier.

Jacques

From: "Stephen Rufle" <[hidden email]>

> In the ftl I use
> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>
> Does this process get passed through some class that I can change and
> send a patch for? Then all properties could embed HTML
>
> Jacques Le Roux wrote:
>> As David explains below you have to embed the String you create (I
>> suppose reading the property) into a StringBuilder
>>
>> Jacques
>>
>> From: "Stephen Rufle" <[hidden email]>
>>> I think I have a related issue to this. I have .properties files with
>>> table headings in them. I used to be able to put a br tag <br> in the
>>> content of my labels to break two words.
>>>
>>> ex.
>>> "Cust.<br>Order# "
>>> would turn into
>>> "
>>> Cust.
>>> Order#
>>> "
>>> on my display, now it sends it literally. How do I get the old behavior
>>> back?
>>>
>>> David E Jones wrote:
>>>>
>>>> Have you been following the discussion on the mailing lists about the
>>>> XSS/etc prevention efforts?
>>>>
>>>> As a general practice when you run into things like this you can
>>>> usually find your answer pretty quickly by looking at commit logs, and
>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>> you are trying to do. In this case, for example looking at the
>>>> productdetail screen and the groovy and ftl files that it uses will
>>>> give you an example of how to handle this now.
>>>>
>>>> The important thing to know is that now all String objects are
>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>> it, just use anything other than a String object. The normal way to do
>>>> this is to create your script dynamically using a StringBuilder, and
>>>> then just leave it as a StringBuilder instead of calling toString() on
>>>> it before putting it in the context. Then it won't get HTML encoded...
>>>>
>>>> On a side note, I know that the OOTB code isn't the best example of
>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>> file. If you are dynamically generating any sort of text a template
>>>> file is usually the best tool to use and results in the cleanest and
>>>> easiest to maintain code.
>>>>
>>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>>>> the decision to do this general encoding is to encourage the practice
>>>> of using templates for what they are meant to be used for.
>>>>
>>>> Best of luck,
>>>> -David
>>>>
>>>>
>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>
>>>>> A precision :
>>>>>
>>>>> *** Error comes from Groovy
>>>>> Because I have the problem only with generated Javascript script with
>>>>> Groovy.
>>>>>
>>>>> An idea ?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Eric
>>>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]>
>>>>> To: <[hidden email]>
>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I updated my working copy
>>>>>
>>>>> *** Now all javascript are parsed to HTML (and appear in screen, just
>>>>> for my own application, Ecommerce is OK)
>>>>> Script tags are ok.
>>>>> Ex. in source :
>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>> Do you know where I can configure Freemarker ?
>>>>>
>>>>> In HTML head tag, some chars are parsed too.
>>>>>
>>>>> Eric
>>>>
>>>>
>>>>
>>>
>>> --
>>> Stephen P Rufle
>>> [hidden email]
>>> H1:480-626-8022
>>> H2:480-802-7173
>>> Yahoo IM: stephen_rufle
>>> AOL IM: stephen1rufle
>>>
>>
>>
>>
>
> --
> Stephen P Rufle
> [hidden email]
> H1:480-626-8022
> H2:480-802-7173
> Yahoo IM: stephen_rufle
> AOL IM: stephen1rufle
>
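
Added example, not part of the thread and not OFBiz code: a self-contained Java model of the behaviour David and Jacques describe above (String values HTML-encoded on output, a StringBuilder passed through as-is). It shows what the StringBuilder route leaves unencoded, and a narrower label renderer that re-admits only the br tag. EncodingContext, encodeHtml, encodeJsString and renderLabelAllowingBr are hypothetical names, and the small encoder is an assumption standing in for the ESAPI one.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class EncodingContextDemo {

    // Minimal HTML encoder; an assumption standing in for the OWASP ESAPI
    // encoder named in the thread, which escapes a wider set of characters.
    static String encodeHtml(CharSequence in) {
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical model of the rendering context: only java.lang.String
    // values are encoded on the way out, every other type is emitted as-is.
    static final class EncodingContext {
        private final Map<String, Object> values = new LinkedHashMap<>();

        void put(String key, Object value) {
            values.put(key, value);
        }

        String render(String key) {
            Object value = values.get(key);
            if (value == null) {
                return "";
            }
            return (value instanceof String) ? encodeHtml((String) value) : value.toString();
        }
    }

    // Escapes a value for a quoted JavaScript string literal inside an HTML
    // script block: everything except ASCII letters, digits and space becomes
    // a four-digit unicode escape, so quotes and a closing script tag cannot
    // end the literal.
    static String encodeJsString(String in) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == ' ';
            if (plain) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    // Hypothetical label renderer in the spirit of the worker suggested in
    // the thread: encode the whole label, then re-admit only the literal
    // <br> tag. Returning a StringBuilder keeps the context from encoding twice.
    static StringBuilder renderLabelAllowingBr(String label) {
        return new StringBuilder(encodeHtml(label).replace("&lt;br&gt;", "<br>"));
    }

    public static void main(String[] args) {
        EncodingContext ctx = new EncodingContext();
        String script = "<script type=\"text/javascript\">var n = 1;</script>";

        // Same text, two types: the String comes out entity-encoded (the
        // symptom reported in the thread), the StringBuilder comes out raw.
        ctx.put("scriptAsString", script);
        ctx.put("scriptAsBuilder", new StringBuilder(script));
        System.out.println(ctx.render("scriptAsString"));
        System.out.println(ctx.render("scriptAsBuilder"));

        // Constructed sample value, as it might arrive from a database or request.
        String productName = "12\" rack </script> O'Neil";

        // Raw append: nothing encodes this value, so it can close the literal
        // and the script block. The bypass moves encoding duty to the caller.
        ctx.put("rawAppend", new StringBuilder("<script>var name = \"")
                .append(productName).append("\";</script>"));
        // Encoded for the JavaScript string context before appending.
        ctx.put("encodedAppend", new StringBuilder("<script>var name = \"")
                .append(encodeJsString(productName)).append("\";</script>"));
        System.out.println(ctx.render("rawAppend"));
        System.out.println(ctx.render("encodedAppend"));

        // Label from the thread plus a constructed extra tag: <br> survives,
        // the <i> tag stays encoded.
        ctx.put("label", renderLabelAllowingBr("Cust.<br>Order# <i>x</i>"));
        System.out.println(ctx.render("label"));
    }
}
```

Comparing the rawAppend and encodedAppend lines shows that once a value is handed over as a StringBuilder, any dynamic data inside it has to be encoded for its own output context before it is appended.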



Re: Javascript is parsed to HTML (Freemarker ?)

Stephen Rufle-2
Ok, if I convert to using XXX.xml instead of XXX.properties, will I be able
to embed the HTML, or is the general rule that no properties are allowed
to have HTML in them, otherwise they get encoded on the way out to the
screen?

Using /ofbiz/framework/common/config/CommonUiLabels.xml as my example to
work from

so what used to be

XXX.properties
keyName=some text to the screen

XXX.xml - I am assuming that I have to have at least one xml:lang="en"
as a value
<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <property key="keyName">
        <value xml:lang="en">some text to the screen</value>
    </property>
</resource>


Jacques Le Roux wrote:

> 1st thing : OFBiz trunk no longer uses .properties files but .xml files
> 2d thing : we don't allow HTML in labels (actually there are still
> some, but it should not at term apart some special cases like the
> famous CommonEmpty)
>
> I think you will have to create a specific worker for that, ie no
> longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
> but using something like
> Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}")
> where renderUiLabelMap returns a stringBuilder embedding the original
> String
> I can see any other means maybe there are and someone will suggest you
> something easier.
>
> Jacques
>
> From: "Stephen Rufle" <[hidden email]>
>> In the ftl I use
>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>>
>> Does this process get passed through some class that I can change and
>> send a patch for? Then all properties could embed HTML
>>
>> Jacques Le Roux wrote:
>>> As David explains below you have to embed the String you create (I
>>> suppose reading the property) into a StringBuilder
>>>
>>> Jacques
>>>
>>> From: "Stephen Rufle" <[hidden email]>
>>>> I think I have a related issue to this. I have .properties files with
>>>> table headings in them. I used to be able to put a br tag <br> in the
>>>> content of my labels to break two words.
>>>>
>>>> ex.
>>>> "Cust.<br>Order# "
>>>> would turn into
>>>> "
>>>> Cust.
>>>> Order#
>>>> "
>>>> on my display, now it sends it literally. How do I get the old
>>>> behavior
>>>> back?
>>>>
>>>> David E Jones wrote:
>>>>>
>>>>> Have you been following the discussion on the mailing lists about the
>>>>> XSS/etc prevention efforts?
>>>>>
>>>>> As a general practice when you run into things like this you can
>>>>> usually find your answer pretty quickly by looking at commit logs,
>>>>> and
>>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>>> you are trying to do. In this case, for example looking at the
>>>>> productdetail screen and the groovy and ftl files that it uses will
>>>>> give you an example of how to handle this now.
>>>>>
>>>>> The important thing to know is that now all String objects are
>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>>> it, just use anything other than a String object. The normal way
>>>>> to do
>>>>> this is to create your script dynamically using a StringBuilder, and
>>>>> then just leave it as a StringBuilder instead of calling
>>>>> toString() on
>>>>> it before putting it in the context. Then it won't get HTML
>>>>> encoded...
>>>>>
>>>>> On a side note, I know that the OOTB code isn't the best example of
>>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>>> file. If you are dynamically generating any sort of text a template
>>>>> file is usually the best tool to use and results in the cleanest and
>>>>> easiest to maintain code.
>>>>>
>>>>> And as a bonus, you'll avoid this encoding issue too. In fact,
>>>>> part of
>>>>> the decision to do this general encoding is to encourage the practice
>>>>> of using templates for what they are meant to be used for.
>>>>>
>>>>> Best of luck,
>>>>> -David
>>>>>
>>>>>
>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>>
>>>>>> A precision :
>>>>>>
>>>>>> *** Error comes from Groovy
>>>>>> Because I have the problem only with generated Javascript script
>>>>>> with
>>>>>> Groovy.
>>>>>>
>>>>>> An idea ?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Eric
>>>>>> ----- Original Message ----- From: "Eric DE MAULDE"
>>>>>> <[hidden email]>
>>>>>> To: <[hidden email]>
>>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I updated my working copy
>>>>>>
>>>>>> *** Now all javascript are parsed to HTML (and appear in screen,
>>>>>> just
>>>>>> for my own application, Ecommerce is OK)
>>>>>> Script tags are ok.
>>>>>> Ex. in source :
>>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>>> Do you know where I can configure Freemarker ?
>>>>>>
>>>>>> In HTML head tag, some chars are parsed too.
>>>>>>
>>>>>> Eric
>>>>>
>>>>>
>>>>>


Re: Javascript is parsed to HTML (Freemarker ?)

Jacques Le Roux
Administrator
In reply to this post by Jacques Le Roux
Maybe an option for you is to try to comment out lines 71-73 of HtmlWidget.java

Jacques

From: "Jacques Le Roux" <[hidden email]>

> 1st thing : OFBiz trunk no longer uses .properties files but .xml files
> 2d thing : we don't allow HTML in labels (actually there are still some, but it should not at term apart some special cases like
> the famous CommonEmpty)
>
> I think you will have to create a specific worker for that, ie no longer render your strings as
> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
> but using something like Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") where
> renderUiLabelMap returns a stringBuilder embedding the original String
> I can see any other means maybe there are and someone will suggest you something easier.
>
> Jacques
>
> From: "Stephen Rufle" <[hidden email]>
>> In the ftl I use
>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>>
>> Does this process get passed through some class that I can change and
>> send a patch for? Then all properties could embed HTML
>>
>> Jacques Le Roux wrote:
>>> As David explains below you have to embed the String you create (I
>>> suppose reading the property) into a StringBuilder
>>>
>>> Jacques
>>>
>>> From: "Stephen Rufle" <[hidden email]>
>>>> I think I have a related issue to this. I have .properties files with
>>>> table headings in them. I used to be able to put a br tag <br> in the
>>>> content of my labels to break two words.
>>>>
>>>> ex.
>>>> "Cust.<br>Order# "
>>>> would turn into
>>>> "
>>>> Cust.
>>>> Order#
>>>> "
>>>> on my display, now it sends it literally. How do I get the old behavior
>>>> back?
>>>>
>>>> David E Jones wrote:
>>>>>
>>>>> Have you been following the discussion on the mailing lists about the
>>>>> XSS/etc prevention efforts?
>>>>>
>>>>> As a general practice when you run into things like this you can
>>>>> usually find your answer pretty quickly by looking at commit logs, and
>>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>>> you are trying to do. In this case, for example looking at the
>>>>> productdetail screen and the groovy and ftl files that it uses will
>>>>> give you an example of how to handle this now.
>>>>>
>>>>> The important thing to know is that now all String objects are
>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>>> it, just use anything other than a String object. The normal way to do
>>>>> this is to create your script dynamically using a StringBuilder, and
>>>>> then just leave it as a StringBuilder instead of calling toString() on
>>>>> it before putting it in the context. Then it won't get HTML encoded...
>>>>>
>>>>> On a side note, I know that the OOTB code isn't the best example of
>>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>>> file. If you are dynamically generating any sort of text a template
>>>>> file is usually the best tool to use and results in the cleanest and
>>>>> easiest to maintain code.
>>>>>
>>>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of
>>>>> the decision to do this general encoding is to encourage the practice
>>>>> of using templates for what they are meant to be used for.
>>>>>
>>>>> Best of luck,
>>>>> -David
>>>>>
>>>>>
>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>>
>>>>>> A precision :
>>>>>>
>>>>>> *** Error comes from Groovy
>>>>>> Because I have the problem only with generated Javascript script with
>>>>>> Groovy.
>>>>>>
>>>>>> An idea ?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Eric
>>>>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]>
>>>>>> To: <[hidden email]>
>>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I updated my working copy
>>>>>>
>>>>>> *** Now all javascript are parsed to HTML (and appear in screen, just
>>>>>> for my own application, Ecommerce is OK)
>>>>>> Script tags are ok.
>>>>>> Ex. in source :
>>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>>> Do you know where I can configure Freemarker ?
>>>>>>
>>>>>> In HTML head tag, some chars are parsed too.
>>>>>>
>>>>>> Eric
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Stephen P Rufle
>>>> [hidden email]
>>>> H1:480-626-8022
>>>> H2:480-802-7173
>>>> Yahoo IM: stephen_rufle
>>>> AOL IM: stephen1rufle
>>>>
>>>
>>>
>>>
>>
>> --
>> Stephen P Rufle
>> [hidden email]
>> H1:480-626-8022
>> H2:480-802-7173
>> Yahoo IM: stephen_rufle
>> AOL IM: stephen1rufle
>>
>
>



Re: Javascript is parsed to HTML (Freemarker ?)

Adrian Crum
In reply to this post by Stephen Rufle-2
Keeping HTML out of UI labels isn't a "rule" - it is a "best practice."
The reason is reusability - you can reuse the UI label in a non-HTML
environment.

-Adrian

Stephen Rufle wrote:

> Ok, If I convert to using XXX.xml instead of XXX.properties will be able
> to embed the HTML, or is the general rule that no properties are allowed
> to have HTML in them otherwise they get encoded on the way out to the
> screen?
>
> Using /ofbiz/framework/common/config/CommonUiLabels.xml as my example to
> work from
>
> so what used to be
>
> XXX.properties
> keyName=some text to the screen
>
> XXX.xml - I am assuming that I have to have at least one xml:lang="en"
> as a value
> <resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>     <property key="keyName">
>         <value xml:lang="en">some text to the screen</value>
>     </property>
> </resource>
>
>
> Jacques Le Roux wrote:
>> 1st thing : OFBiz trunk no longer uses .properties files but .xml files
>> 2d thing : we don't allow HTML in labels (actually there are still
>> some, but it should not at term apart some special cases like the
>> famous CommonEmpty)
>>
>> I think you will have to create a specific worker for that, ie no
>> longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>> but using something like
>> Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}")
>> where renderUiLabelMap returns a stringBuilder embedding the original
>> String
>> I can see any other means maybe there are and someone will suggest you
>> something easier.
>>
>> Jacques
>>
>> From: "Stephen Rufle" <[hidden email]>
>>> In the ftl I use
>>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>>>
>>> Does this process get passed through some class that I can change and
>>> send a patch for? Then all properties could embed HTML
>>>
>>> Jacques Le Roux wrote:
>>>> As David explains below you have to embed the String you create (I
>>>> suppose reading the property) into a StringBuilder
>>>>
>>>> Jacques
>>>>
>>>> From: "Stephen Rufle" <[hidden email]>
>>>>> I think I have a related issue to this. I have .properties files with
>>>>> table headings in them. I used to be able to put a br tag <br> in the
>>>>> content of my labels to break two words.
>>>>>
>>>>> ex.
>>>>> "Cust.<br>Order# "
>>>>> would turn into
>>>>> "
>>>>> Cust.
>>>>> Order#
>>>>> "
>>>>> on my display, now it sends it literally. How do I get the old
>>>>> behavior
>>>>> back?
>>>>>
>>>>> David E Jones wrote:
>>>>>> Have you been following the discussion on the mailing lists about the
>>>>>> XSS/etc prevention efforts?
>>>>>>
>>>>>> As a general practice when you run into things like this you can
>>>>>> usually find your answer pretty quickly by looking at commit logs,
>>>>>> and
>>>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>>>> you are trying to do. In this case, for example looking at the
>>>>>> productdetail screen and the groovy and ftl files that it uses will
>>>>>> give you an example of how to handle this now.
>>>>>>
>>>>>> The important thing to know is that now all String objects are
>>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>>>> it, just use anything other than a String object. The normal way
>>>>>> to do
>>>>>> this is to create your script dynamically using a StringBuilder, and
>>>>>> then just leave it as a StringBuilder instead of calling
>>>>>> toString() on
>>>>>> it before putting it in the context. Then it won't get HTML
>>>>>> encoded...
>>>>>>
>>>>>> On a side note, I know that the OOTB code isn't the best example of
>>>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>>>> file. If you are dynamically generating any sort of text a template
>>>>>> file is usually the best tool to use and results in the cleanest and
>>>>>> easiest to maintain code.
>>>>>>
>>>>>> And as a bonus, you'll avoid this encoding issue too. In fact,
>>>>>> part of
>>>>>> the decision to do this general encoding is to encourage the practice
>>>>>> of using templates for what they are meant to be used for.
>>>>>>
>>>>>> Best of luck,
>>>>>> -David
>>>>>>
>>>>>>
>>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>>>
>>>>>>> A precision :
>>>>>>>
>>>>>>> *** Error comes from Groovy
>>>>>>> Because I have the problem only with generated Javascript script
>>>>>>> with
>>>>>>> Groovy.
>>>>>>>
>>>>>>> An idea ?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Eric
>>>>>>> ----- Original Message ----- From: "Eric DE MAULDE"
>>>>>>> <[hidden email]>
>>>>>>> To: <[hidden email]>
>>>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I updated my working copy
>>>>>>>
>>>>>>> *** Now all javascript are parsed to HTML (and appear in screen,
>>>>>>> just
>>>>>>> for my own application, Ecommerce is OK)
>>>>>>> Script tags are ok.
>>>>>>> Ex. in source :
>>>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>>>> Do you know where I can configure Freemarker ?
>>>>>>>
>>>>>>> In HTML head tag, some chars are parsed too.
>>>>>>>
>>>>>>> Eric
>>>>>>
>>>>>>
>
>

Re: Javascript is parsed to HTML (Freemarker ?)

Jacques Le Roux
Administrator
In reply to this post by Stephen Rufle-2
Ok, it's late here so don't expect an answer before some hours...
Which Release.revision are you using, trunk I guess ?

Jacques
PS: see also my suggestion about StringHtmlWrapperForFtl, and maybe make it work for you ;o)

From: "Stephen Rufle" <[hidden email]>

> Ok, If I convert to using XXX.xml instead of XXX.properties will be able
> to embed the HTML, or is the general rule that no properties are allowed
> to have HTML in them otherwise they get encoded on the way out to the
> screen?
>
> Using /ofbiz/framework/common/config/CommonUiLabels.xml as my example to
> work from
>
> so what used to be
>
> XXX.properties
> keyName=some text to the screen
>
> XXX.xml - I am assuming that I have to have at least one xml:lang="en"
> as a value
> <resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>    <property key="keyName">
>        <value xml:lang="en">some text to the screen</value>
>    </property>
> </resource>
>
>
> Jacques Le Roux wrote:
>> 1st thing : OFBiz trunk no longer uses .properties files but .xml files
>> 2d thing : we don't allow HTML in labels (actually there are still
>> some, but it should not at term apart some special cases like the
>> famous CommonEmpty)
>>
>> I think you will have to create a specific worker for that, ie no
>> longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>> but using something like
>> Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}")
>> where renderUiLabelMap returns a stringBuilder embedding the original
>> String
>> I can see any other means maybe there are and someone will suggest you
>> something easier.
>>
>> Jacques
>>
>> From: "Stephen Rufle" <[hidden email]>
>>> In the ftl I use
>>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>>>
>>> Does this process get passed through some class that I can change and
>>> send a patch for? Then all properties could embed HTML
>>>
>>> Jacques Le Roux wrote:
>>>> As David explains below you have to embed the String you create (I
>>>> suppose reading the property) into a StringBuilder
>>>>
>>>> Jacques
>>>>
>>>> From: "Stephen Rufle" <[hidden email]>
>>>>> I think I have a related issue to this. I have .properties files with
>>>>> table headings in them. I used to be able to put a br tag <br> in the
>>>>> content of my labels to break two words.
>>>>>
>>>>> ex.
>>>>> "Cust.<br>Order# "
>>>>> would turn into
>>>>> "
>>>>> Cust.
>>>>> Order#
>>>>> "
>>>>> on my display, now it sends it literally. How do I get the old
>>>>> behavior
>>>>> back?
>>>>>
>>>>> David E Jones wrote:
>>>>>>
>>>>>> Have you been following the discussion on the mailing lists about the
>>>>>> XSS/etc prevention efforts?
>>>>>>
>>>>>> As a general practice when you run into things like this you can
>>>>>> usually find your answer pretty quickly by looking at commit logs,
>>>>>> and
>>>>>> by looking at code in OOTB OFBiz that does something similar to what
>>>>>> you are trying to do. In this case, for example looking at the
>>>>>> productdetail screen and the groovy and ftl files that it uses will
>>>>>> give you an example of how to handle this now.
>>>>>>
>>>>>> The important thing to know is that now all String objects are
>>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid
>>>>>> it, just use anything other than a String object. The normal way
>>>>>> to do
>>>>>> this is to create your script dynamically using a StringBuilder, and
>>>>>> then just leave it as a StringBuilder instead of calling
>>>>>> toString() on
>>>>>> it before putting it in the context. Then it won't get HTML
>>>>>> encoded...
>>>>>>
>>>>>> On a side note, I know that the OOTB code isn't the best example of
>>>>>> this, but usually it is best to generate your JavaScript in the FTL
>>>>>> file. If you are dynamically generating any sort of text a template
>>>>>> file is usually the best tool to use and results in the cleanest and
>>>>>> easiest to maintain code.
>>>>>>
>>>>>> And as a bonus, you'll avoid this encoding issue too. In fact,
>>>>>> part of
>>>>>> the decision to do this general encoding is to encourage the practice
>>>>>> of using templates for what they are meant to be used for.
>>>>>>
>>>>>> Best of luck,
>>>>>> -David
>>>>>>
>>>>>>
>>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>>>
>>>>>>> A precision :
>>>>>>>
>>>>>>> *** Error comes from Groovy
>>>>>>> Because I have the problem only with generated Javascript script
>>>>>>> with
>>>>>>> Groovy.
>>>>>>>
>>>>>>> An idea ?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Eric
>>>>>>> ----- Original Message ----- From: "Eric DE MAULDE"
>>>>>>> <[hidden email]>
>>>>>>> To: <[hidden email]>
>>>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I updated my working copy
>>>>>>>
>>>>>>> *** Now all javascript are parsed to HTML (and appear in screen,
>>>>>>> just
>>>>>>> for my own application, Ecommerce is OK)
>>>>>>> Script tags are ok.
>>>>>>> Ex. in source :
>>>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>>>> Do you know where I can configure Freemarker ?
>>>>>>>
>>>>>>> In HTML head tag, some chars are parsed too.
>>>>>>>
>>>>>>> Eric
>>>>>>
>>>>>>
>>>>>>
>


Re: Javascript is parsed to HTML (Freemarker ?)

David E Jones-3
In reply to this post by Jacques Le Roux

There is a solution to this already in place, and it is used in a few  
places. Take a look at the promotiondetails.ftl file, especially the  
expression:

${StringUtil.wrapString(productPromo.promoText?if_exists)}

BTW, this should ONLY be used for very trusted fields, ie fields that  
never have information that come from a non-trusted user.

As for the uiLabelMap expressions, I like the fact that all possible  
HTML characters are encoded before sending it to the browser... it  
encourages the best practice and at the same time avoids issues where  
things come out in an unexpected way.

-David


On Mar 4, 2009, at 1:15 PM, Jacques Le Roux wrote:

> 1st thing : OFBiz trunk no longer uses .properties files but .xml  
> files
> 2d thing : we don't allow HTML in labels (actually there are still  
> some, but it should not at term apart some special cases like the  
> famous CommonEmpty)
>
> I think you will have to create a specific worker for that, ie no  
> longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
> but using something like  
> Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("$
> {uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") where renderUiLabelMap  
> returns a stringBuilder embedding the original String
> I can see any other means maybe there are and someone will suggest  
> you something easier.
>
> Jacques
>
> From: "Stephen Rufle" <[hidden email]>
>> In the ftl I use
>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}
>>
>> Does this process get passed through some class that I can change and
>> send a patch for? Then all properties could embed HTML
>>
>> Jacques Le Roux wrote:
>>> As David explains below you have to embed the String you create (I
>>> suppose reading the property) into a StringBuilder
>>>
>>> Jacques
>>>
>>> From: "Stephen Rufle" <[hidden email]>
>>>> I think I have a related issue to this. I have .properties files  
>>>> with
>>>> table headings in them. I used to be able to put a br tag <br> in  
>>>> the
>>>> content of my labels to break two words.
>>>>
>>>> ex.
>>>> "Cust.<br>Order# "
>>>> would turn into
>>>> "
>>>> Cust.
>>>> Order#
>>>> "
>>>> on my display, now it sends it literally. How do I get the old  
>>>> behavior
>>>> back?
>>>>
>>>> David E Jones wrote:
>>>>>
>>>>> Have you been following the discussion on the mailing lists  
>>>>> about the
>>>>> XSS/etc prevention efforts?
>>>>>
>>>>> As a general practice when you run into things like this you can
>>>>> usually find your answer pretty quickly by looking at commit  
>>>>> logs, and
>>>>> by looking at code in OOTB OFBiz that does something similar to  
>>>>> what
>>>>> you are trying to do. In this case, for example looking at the
>>>>> productdetail screen and the groovy and ftl files that it uses  
>>>>> will
>>>>> give you an example of how to handle this now.
>>>>>
>>>>> The important thing to know is that now all String objects are
>>>>> automatically HTML encoded (using the OWASP ESAPI library). To  
>>>>> avoid
>>>>> it, just use anything other than a String object. The normal way  
>>>>> to do
>>>>> this is to create your script dynamically using a StringBuilder,  
>>>>> and
>>>>> then just leave it as a StringBuilder instead of calling  
>>>>> toString() on
>>>>> it before putting it in the context. Then it won't get HTML  
>>>>> encoded...
>>>>>
>>>>> On a side note, I know that the OOTB code isn't the best example  
>>>>> of
>>>>> this, but usually it is best to generate your JavaScript in the  
>>>>> FTL
>>>>> file. If you are dynamically generating any sort of text a  
>>>>> template
>>>>> file is usually the best tool to use and results in the cleanest  
>>>>> and
>>>>> easiest to maintain code.
>>>>>
>>>>> And as a bonus, you'll avoid this encoding issue too. In fact,  
>>>>> part of
>>>>> the decision to do this general encoding is to encourage the  
>>>>> practice
>>>>> of using templates for what they are meant to be used for.
>>>>>
>>>>> Best of luck,
>>>>> -David
>>>>>
>>>>>
>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:
>>>>>
>>>>>> A precision :
>>>>>>
>>>>>> *** Error comes from Groovy
>>>>>> Because I have the problem only with generated Javascript  
>>>>>> script with
>>>>>> Groovy.
>>>>>>
>>>>>> An idea ?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Eric
>>>>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]
>>>>>> >
>>>>>> To: <[hidden email]>
>>>>>> Sent: Monday, February 16, 2009 6:24 PM
>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?)
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I updated my working copy
>>>>>>
>>>>>> *** Now all javascript are parsed to HTML (and appear in  
>>>>>> screen, just
>>>>>> for my own application, Ecommerce is OK)
>>>>>> Script tags are ok.
>>>>>> Ex. in source :
>>>>>> &lt;script language&#61;&quot;JavaScript&quot;
>>>>>> type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
>>>>>> Do you know where I can configure Freemarker ?
>>>>>>
>>>>>> In HTML head tag, some chars are parsed too.
>>>>>>
>>>>>> Eric
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Stephen P Rufle
>>>> [hidden email]
>>>> H1:480-626-8022
>>>> H2:480-802-7173
>>>> Yahoo IM: stephen_rufle
>>>> AOL IM: stephen1rufle
>>>>
>>>
>>>
>>>
>>
>> --
>> Stephen P Rufle
>> [hidden email]
>> H1:480-626-8022
>> H2:480-802-7173
>> Yahoo IM: stephen_rufle
>> AOL IM: stephen1rufle
>
>
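
The encoding rule discussed in this thread (String values are HTML-encoded at render time, non-String objects pass through, and wrapping is reserved for trusted fields), shown as an added example that is not part of the original messages or of OFBiz itself. `TrustedHtml`, `encodeForHtml` and `render` are hypothetical stand-ins for the real OFBiz/ESAPI classes, and the sample inputs are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class EncodingContextDemo {

    /** Hypothetical marker type: markup the developer vouches for. */
    static final class TrustedHtml {
        private final String html;
        TrustedHtml(String html) { this.html = html; }
        @Override public String toString() { return html; }
    }

    /** Minimal stand-in encoder (assumption; the thread says OFBiz uses OWASP ESAPI). */
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** The rule from the thread: Strings are encoded, any other object is emitted as-is. */
    static String render(Object value) {
        return (value instanceof String) ? encodeForHtml((String) value) : String.valueOf(value);
    }

    public static void main(String[] args) {
        String label = "Cust.<br>Order# ";                       // label with markup, from the thread
        String userInput = "<script>/* constructed */</script>"; // constructed untrusted input
        Map<String, Object> context = new LinkedHashMap<>();
        context.put("labelAsString", label);                         // encoded: <br> shows literally
        context.put("labelAsBuilder", new StringBuilder(label));     // not a String: raw <br> reaches the page
        context.put("promoText", new TrustedHtml("<b>10% off</b>")); // trusted, developer-authored markup
        context.put("comment", userInput);                           // stays a String: rendered inert
        context.put("commentWrapped", new TrustedHtml(userInput));   // misuse: encoding is bypassed
        for (Map.Entry<String, Object> e : context.entrySet()) {
            System.out.printf("%-15s -> %s%n", e.getKey(), render(e.getValue()));
        }
    }
}
```

Only `labelAsString` and `comment` come out entity-encoded; the last entry shows why the wrapper is reserved for fields that never carry untrusted input.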