Javascript is parsed to HTML (Freemarker ?)
Locked
Javascript is parsed to HTML (Freemarker ?)
 
|
Hi,
I updated my working copy *** Now all javascript are parsed to HTML (and appear in screen, just for my own application, Ecommerce is OK) Script tags are ok. Ex. in source : <script language="JavaScript" type="text/javascript"><!-- Do you know where I can configure Freemarker ? In HTML head tag, some chars are parsed too. Eric |
Re: Javascript is parsed to HTML (Freemarker ?)
|
|
A precision :
*** Error comes from Groovy Because I have the problem only with generated Javascript script with Groovy. An idea ? Thanks Eric ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]> To: <[hidden email]> Sent: Monday, February 16, 2009 6:24 PM Subject: Javascript is parsed to HTML (Freemarker ?) Hi, I updated my working copy *** Now all javascript are parsed to HTML (and appear in screen, just for my own application, Ecommerce is OK) Script tags are ok. Ex. in source : <script language="JavaScript" type="text/javascript"><!-- Do you know where I can configure Freemarker ? In HTML head tag, some chars are parsed too. Eric |
Re: Javascript is parsed to HTML (Freemarker ?)
|
|
Have you been following the discussion on the mailing lists about the XSS/etc prevention efforts? As a general practice when you run into things like this you can usually find your answer pretty quickly by looking at commit logs, and by looking at code in OOTB OFBiz that does something similar to what you are trying to do. In this case, for example looking at the productdetail screen and the groovy and ftl files that it uses will give you an example of how to handle this now. The important thing to know is that now all String objects are automatically HTML encoded (using the OWASP ESAPI library). To avoid it, just use anything other than a String object. The normal way to do this is to create your script dynamically using a StringBuilder, and then just leave it as a StringBuilder instead of calling toString() on it before putting it in the context. Then it won't get HTML encoded... On a side note, I know that the OOTB code isn't the best example of this, but usually it is best to generate your JavaScript in the FTL file. If you are dynamically generating any sort of text a template file is usually the best tool to use and results in the cleanest and easiest to maintain code. And as a bonus, you'll avoid this encoding issue too. In fact, part of the decision to do this general encoding is to encourage the practice of using templates for what they are meant to be used for. Best of luck, -David On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: > A precision : > > *** Error comes from Groovy > Because I have the problem only with generated Javascript script > with Groovy. > > An idea ? > > Thanks > > Eric > ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]> > To: <[hidden email]> > Sent: Monday, February 16, 2009 6:24 PM > Subject: Javascript is parsed to HTML (Freemarker ?) > > > Hi, > > I updated my working copy > > *** Now all javascript are parsed to HTML (and appear in screen, > just for my own application, Ecommerce is OK) > Script tags are ok. > Ex. in source : > <script language="JavaScript" > type="text/javascript"><!-- > Do you know where I can configure Freemarker ? > > In HTML head tag, some chars are parsed too. > > Eric |
Re: Javascript is parsed to HTML (Freemarker ?)
|
|
David,
Thank you so much You have got me out of a spot Sorry, I'm not regular Eric ----- Original Message ----- From: "David E Jones" <[hidden email]> To: <[hidden email]> Sent: Monday, February 16, 2009 11:34 PM Subject: Re: Javascript is parsed to HTML (Freemarker ?) > > Have you been following the discussion on the mailing lists about the > XSS/etc prevention efforts? > > As a general practice when you run into things like this you can > usually find your answer pretty quickly by looking at commit logs, and > by looking at code in OOTB OFBiz that does something similar to what > you are trying to do. In this case, for example looking at the > productdetail screen and the groovy and ftl files that it uses will > give you an example of how to handle this now. > > The important thing to know is that now all String objects are > automatically HTML encoded (using the OWASP ESAPI library). To avoid > it, just use anything other than a String object. The normal way to do > this is to create your script dynamically using a StringBuilder, and > then just leave it as a StringBuilder instead of calling toString() on > it before putting it in the context. Then it won't get HTML encoded... > > On a side note, I know that the OOTB code isn't the best example of > this, but usually it is best to generate your JavaScript in the FTL > file. If you are dynamically generating any sort of text a template > file is usually the best tool to use and results in the cleanest and > easiest to maintain code. > > And as a bonus, you'll avoid this encoding issue too. In fact, part of > the decision to do this general encoding is to encourage the practice > of using templates for what they are meant to be used for. > > Best of luck, > -David > > > On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: > >> A precision : >> >> *** Error comes from Groovy >> Because I have the problem only with generated Javascript script >> with Groovy. >> >> An idea ? >> >> Thanks >> >> Eric >> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]> >> To: <[hidden email]> >> Sent: Monday, February 16, 2009 6:24 PM >> Subject: Javascript is parsed to HTML (Freemarker ?) >> >> >> Hi, >> >> I updated my working copy >> >> *** Now all javascript are parsed to HTML (and appear in screen, >> just for my own application, Ecommerce is OK) >> Script tags are ok. >> Ex. in source : >> <script language="JavaScript" >> type="text/javascript"><!-- >> Do you know where I can configure Freemarker ? >> >> In HTML head tag, some chars are parsed too. >> >> Eric > > |
Re: Javascript is parsed to HTML (Freemarker ?)
|
|
In reply to this post by David E Jones-3
I think I have a related issue to this. I have .properties files with
table headings in them. I used to be able to put a br tag <br> in the content of my labels to break two words. ex. "Cust.<br>Order# " would turn into " Cust. Order# " on my display, now it sends it literally. How do I get the old behavior back? David E Jones wrote: > > Have you been following the discussion on the mailing lists about the > XSS/etc prevention efforts? > > As a general practice when you run into things like this you can > usually find your answer pretty quickly by looking at commit logs, and > by looking at code in OOTB OFBiz that does something similar to what > you are trying to do. In this case, for example looking at the > productdetail screen and the groovy and ftl files that it uses will > give you an example of how to handle this now. > > The important thing to know is that now all String objects are > automatically HTML encoded (using the OWASP ESAPI library). To avoid > it, just use anything other than a String object. The normal way to do > this is to create your script dynamically using a StringBuilder, and > then just leave it as a StringBuilder instead of calling toString() on > it before putting it in the context. Then it won't get HTML encoded... > > On a side note, I know that the OOTB code isn't the best example of > this, but usually it is best to generate your JavaScript in the FTL > file. If you are dynamically generating any sort of text a template > file is usually the best tool to use and results in the cleanest and > easiest to maintain code. > > And as a bonus, you'll avoid this encoding issue too. In fact, part of > the decision to do this general encoding is to encourage the practice > of using templates for what they are meant to be used for. > > Best of luck, > -David > > > On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: > >> A precision : >> >> *** Error comes from Groovy >> Because I have the problem only with generated Javascript script with >> Groovy. >> >> An idea ? >> >> Thanks >> >> Eric >> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]> >> To: <[hidden email]> >> Sent: Monday, February 16, 2009 6:24 PM >> Subject: Javascript is parsed to HTML (Freemarker ?) >> >> >> Hi, >> >> I updated my working copy >> >> *** Now all javascript are parsed to HTML (and appear in screen, just >> for my own application, Ecommerce is OK) >> Script tags are ok. >> Ex. in source : >> <script language="JavaScript" >> type="text/javascript"><!-- >> Do you know where I can configure Freemarker ? >> >> In HTML head tag, some chars are parsed too. >> >> Eric > > > -- Stephen P Rufle [hidden email] H1:480-626-8022 H2:480-802-7173 Yahoo IM: stephen_rufle AOL IM: stephen1rufle |
Re: Javascript is parsed to HTML (Freemarker ?)
Administrator
|
As David explains below you have to embed the String you create (I suppose reading the property) into a StringBuilder
Jacques From: "Stephen Rufle" <[hidden email]> >I think I have a related issue to this. I have .properties files with > table headings in them. I used to be able to put a br tag <br> in the > content of my labels to break two words. > > ex. > "Cust.<br>Order# " > would turn into > " > Cust. > Order# > " > on my display, now it sends it literally. How do I get the old behavior > back? > > David E Jones wrote: >> >> Have you been following the discussion on the mailing lists about the >> XSS/etc prevention efforts? >> >> As a general practice when you run into things like this you can >> usually find your answer pretty quickly by looking at commit logs, and >> by looking at code in OOTB OFBiz that does something similar to what >> you are trying to do. In this case, for example looking at the >> productdetail screen and the groovy and ftl files that it uses will >> give you an example of how to handle this now. >> >> The important thing to know is that now all String objects are >> automatically HTML encoded (using the OWASP ESAPI library). To avoid >> it, just use anything other than a String object. The normal way to do >> this is to create your script dynamically using a StringBuilder, and >> then just leave it as a StringBuilder instead of calling toString() on >> it before putting it in the context. Then it won't get HTML encoded... >> >> On a side note, I know that the OOTB code isn't the best example of >> this, but usually it is best to generate your JavaScript in the FTL >> file. If you are dynamically generating any sort of text a template >> file is usually the best tool to use and results in the cleanest and >> easiest to maintain code. >> >> And as a bonus, you'll avoid this encoding issue too. In fact, part of >> the decision to do this general encoding is to encourage the practice >> of using templates for what they are meant to be used for. >> >> Best of luck, >> -David >> >> >> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: >> >>> A precision : >>> >>> *** Error comes from Groovy >>> Because I have the problem only with generated Javascript script with >>> Groovy. >>> >>> An idea ? >>> >>> Thanks >>> >>> Eric >>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]> >>> To: <[hidden email]> >>> Sent: Monday, February 16, 2009 6:24 PM >>> Subject: Javascript is parsed to HTML (Freemarker ?) >>> >>> >>> Hi, >>> >>> I updated my working copy >>> >>> *** Now all javascript are parsed to HTML (and appear in screen, just >>> for my own application, Ecommerce is OK) >>> Script tags are ok. >>> Ex. in source : >>> <script language="JavaScript" >>> type="text/javascript"><!-- >>> Do you know where I can configure Freemarker ? >>> >>> In HTML head tag, some chars are parsed too. >>> >>> Eric >> >> >> > > -- > Stephen P Rufle > [hidden email] > H1:480-626-8022 > H2:480-802-7173 > Yahoo IM: stephen_rufle > AOL IM: stephen1rufle > |
Re: Javascript is parsed to HTML (Freemarker ?)
|
|
In the ftl I use
${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} Does this process get passed through some class that I can change and send a patch for? Then all properties could embed HTML Jacques Le Roux wrote: > As David explains below you have to embed the String you create (I > suppose reading the property) into a StringBuilder > > Jacques > > From: "Stephen Rufle" <[hidden email]> >> I think I have a related issue to this. I have .properties files with >> table headings in them. I used to be able to put a br tag <br> in the >> content of my labels to break two words. >> >> ex. >> "Cust.<br>Order# " >> would turn into >> " >> Cust. >> Order# >> " >> on my display, now it sends it literally. How do I get the old behavior >> back? >> >> David E Jones wrote: >>> >>> Have you been following the discussion on the mailing lists about the >>> XSS/etc prevention efforts? >>> >>> As a general practice when you run into things like this you can >>> usually find your answer pretty quickly by looking at commit logs, and >>> by looking at code in OOTB OFBiz that does something similar to what >>> you are trying to do. In this case, for example looking at the >>> productdetail screen and the groovy and ftl files that it uses will >>> give you an example of how to handle this now. >>> >>> The important thing to know is that now all String objects are >>> automatically HTML encoded (using the OWASP ESAPI library). To avoid >>> it, just use anything other than a String object. The normal way to do >>> this is to create your script dynamically using a StringBuilder, and >>> then just leave it as a StringBuilder instead of calling toString() on >>> it before putting it in the context. Then it won't get HTML encoded... >>> >>> On a side note, I know that the OOTB code isn't the best example of >>> this, but usually it is best to generate your JavaScript in the FTL >>> file. If you are dynamically generating any sort of text a template >>> file is usually the best tool to use and results in the cleanest and >>> easiest to maintain code. >>> >>> And as a bonus, you'll avoid this encoding issue too. In fact, part of >>> the decision to do this general encoding is to encourage the practice >>> of using templates for what they are meant to be used for. >>> >>> Best of luck, >>> -David >>> >>> >>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: >>> >>>> A precision : >>>> >>>> *** Error comes from Groovy >>>> Because I have the problem only with generated Javascript script with >>>> Groovy. >>>> >>>> An idea ? >>>> >>>> Thanks >>>> >>>> Eric >>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]> >>>> To: <[hidden email]> >>>> Sent: Monday, February 16, 2009 6:24 PM >>>> Subject: Javascript is parsed to HTML (Freemarker ?) >>>> >>>> >>>> Hi, >>>> >>>> I updated my working copy >>>> >>>> *** Now all javascript are parsed to HTML (and appear in screen, just >>>> for my own application, Ecommerce is OK) >>>> Script tags are ok. >>>> Ex. in source : >>>> <script language="JavaScript" >>>> type="text/javascript"><!-- >>>> Do you know where I can configure Freemarker ? >>>> >>>> In HTML head tag, some chars are parsed too. >>>> >>>> Eric >>> >>> >>> >> >> -- >> Stephen P Rufle >> [hidden email] >> H1:480-626-8022 >> H2:480-802-7173 >> Yahoo IM: stephen_rufle >> AOL IM: stephen1rufle >> > > > -- Stephen P Rufle [hidden email] H1:480-626-8022 H2:480-802-7173 Yahoo IM: stephen_rufle AOL IM: stephen1rufle |
Re: Javascript is parsed to HTML (Freemarker ?)
|
Administrator
|
1st thing : OFBiz trunk no longer uses .properties files but .xml files
2d thing : we don't allow HTML in labels (actually there are still some, but it should not at term apart some special cases like the famous CommonEmpty) I think you will have to create a specific worker for that, ie no longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} but using something like Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") where renderUiLabelMap returns a stringBuilder embedding the original String I can see any other means maybe there are and someone will suggest you something easier. Jacques From: "Stephen Rufle" <[hidden email]> > In the ftl I use > ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} > > Does this process get passed through some class that I can change and > send a patch for? Then all properties could embed HTML > > Jacques Le Roux wrote: >> As David explains below you have to embed the String you create (I >> suppose reading the property) into a StringBuilder >> >> Jacques >> >> From: "Stephen Rufle" <[hidden email]> >>> I think I have a related issue to this. I have .properties files with >>> table headings in them. I used to be able to put a br tag <br> in the >>> content of my labels to break two words. >>> >>> ex. >>> "Cust.<br>Order# " >>> would turn into >>> " >>> Cust. >>> Order# >>> " >>> on my display, now it sends it literally. How do I get the old behavior >>> back? >>> >>> David E Jones wrote: >>>> >>>> Have you been following the discussion on the mailing lists about the >>>> XSS/etc prevention efforts? >>>> >>>> As a general practice when you run into things like this you can >>>> usually find your answer pretty quickly by looking at commit logs, and >>>> by looking at code in OOTB OFBiz that does something similar to what >>>> you are trying to do. In this case, for example looking at the >>>> productdetail screen and the groovy and ftl files that it uses will >>>> give you an example of how to handle this now. >>>> >>>> The important thing to know is that now all String objects are >>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid >>>> it, just use anything other than a String object. The normal way to do >>>> this is to create your script dynamically using a StringBuilder, and >>>> then just leave it as a StringBuilder instead of calling toString() on >>>> it before putting it in the context. Then it won't get HTML encoded... >>>> >>>> On a side note, I know that the OOTB code isn't the best example of >>>> this, but usually it is best to generate your JavaScript in the FTL >>>> file. If you are dynamically generating any sort of text a template >>>> file is usually the best tool to use and results in the cleanest and >>>> easiest to maintain code. >>>> >>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of >>>> the decision to do this general encoding is to encourage the practice >>>> of using templates for what they are meant to be used for. >>>> >>>> Best of luck, >>>> -David >>>> >>>> >>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: >>>> >>>>> A precision : >>>>> >>>>> *** Error comes from Groovy >>>>> Because I have the problem only with generated Javascript script with >>>>> Groovy. >>>>> >>>>> An idea ? >>>>> >>>>> Thanks >>>>> >>>>> Eric >>>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]> >>>>> To: <[hidden email]> >>>>> Sent: Monday, February 16, 2009 6:24 PM >>>>> Subject: Javascript is parsed to HTML (Freemarker ?) >>>>> >>>>> >>>>> Hi, >>>>> >>>>> I updated my working copy >>>>> >>>>> *** Now all javascript are parsed to HTML (and appear in screen, just >>>>> for my own application, Ecommerce is OK) >>>>> Script tags are ok. >>>>> Ex. in source : >>>>> <script language="JavaScript" >>>>> type="text/javascript"><!-- >>>>> Do you know where I can configure Freemarker ? >>>>> >>>>> In HTML head tag, some chars are parsed too. >>>>> >>>>> Eric >>>> >>>> >>>> >>> >>> -- >>> Stephen P Rufle >>> [hidden email] >>> H1:480-626-8022 >>> H2:480-802-7173 >>> Yahoo IM: stephen_rufle >>> AOL IM: stephen1rufle >>> >> >> >> > > -- > Stephen P Rufle > [hidden email] > H1:480-626-8022 > H2:480-802-7173 > Yahoo IM: stephen_rufle > AOL IM: stephen1rufle > |
Re: Javascript is parsed to HTML (Freemarker ?)
|
|
Ok, If I convert to using XXX.xml instead of XXX.properties will be able
to embed the HTML, or is the general rule that no properties are allowed to have HTML in them otherwise they get encoded on the way out to the screen? Using /ofbiz/framework/common/config/CommonUiLabels.xml as my example to work from so what used to be XXX.properties keyName=some text to the screen XXX.xml - I am assuming that I have to have at least one xml:lang="en" as a value <resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <property key="keyName"> <value xml:lang="en">some text to the screen</value> </property> </resource> Jacques Le Roux wrote: > 1st thing : OFBiz trunk no longer uses .properties files but .xml files > 2d thing : we don't allow HTML in labels (actually there are still > some, but it should not at term apart some special cases like the > famous CommonEmpty) > > I think you will have to create a specific worker for that, ie no > longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} > but using something like > Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") > where renderUiLabelMap returns a stringBuilder embedding the original > String > I can see any other means maybe there are and someone will suggest you > something easier. > > Jacques > > From: "Stephen Rufle" <[hidden email]> >> In the ftl I use >> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} >> >> Does this process get passed through some class that I can change and >> send a patch for? Then all properties could embed HTML >> >> Jacques Le Roux wrote: >>> As David explains below you have to embed the String you create (I >>> suppose reading the property) into a StringBuilder >>> >>> Jacques >>> >>> From: "Stephen Rufle" <[hidden email]> >>>> I think I have a related issue to this. I have .properties files with >>>> table headings in them. I used to be able to put a br tag <br> in the >>>> content of my labels to break two words. >>>> >>>> ex. >>>> "Cust.<br>Order# " >>>> would turn into >>>> " >>>> Cust. >>>> Order# >>>> " >>>> on my display, now it sends it literally. How do I get the old >>>> behavior >>>> back? >>>> >>>> David E Jones wrote: >>>>> >>>>> Have you been following the discussion on the mailing lists about the >>>>> XSS/etc prevention efforts? >>>>> >>>>> As a general practice when you run into things like this you can >>>>> usually find your answer pretty quickly by looking at commit logs, >>>>> and >>>>> by looking at code in OOTB OFBiz that does something similar to what >>>>> you are trying to do. In this case, for example looking at the >>>>> productdetail screen and the groovy and ftl files that it uses will >>>>> give you an example of how to handle this now. >>>>> >>>>> The important thing to know is that now all String objects are >>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid >>>>> it, just use anything other than a String object. The normal way >>>>> to do >>>>> this is to create your script dynamically using a StringBuilder, and >>>>> then just leave it as a StringBuilder instead of calling >>>>> toString() on >>>>> it before putting it in the context. Then it won't get HTML >>>>> encoded... >>>>> >>>>> On a side note, I know that the OOTB code isn't the best example of >>>>> this, but usually it is best to generate your JavaScript in the FTL >>>>> file. If you are dynamically generating any sort of text a template >>>>> file is usually the best tool to use and results in the cleanest and >>>>> easiest to maintain code. >>>>> >>>>> And as a bonus, you'll avoid this encoding issue too. In fact, >>>>> part of >>>>> the decision to do this general encoding is to encourage the practice >>>>> of using templates for what they are meant to be used for. >>>>> >>>>> Best of luck, >>>>> -David >>>>> >>>>> >>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: >>>>> >>>>>> A precision : >>>>>> >>>>>> *** Error comes from Groovy >>>>>> Because I have the problem only with generated Javascript script >>>>>> with >>>>>> Groovy. >>>>>> >>>>>> An idea ? >>>>>> >>>>>> Thanks >>>>>> >>>>>> Eric >>>>>> ----- Original Message ----- From: "Eric DE MAULDE" >>>>>> <[hidden email]> >>>>>> To: <[hidden email]> >>>>>> Sent: Monday, February 16, 2009 6:24 PM >>>>>> Subject: Javascript is parsed to HTML (Freemarker ?) >>>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> I updated my working copy >>>>>> >>>>>> *** Now all javascript are parsed to HTML (and appear in screen, >>>>>> just >>>>>> for my own application, Ecommerce is OK) >>>>>> Script tags are ok. >>>>>> Ex. in source : >>>>>> <script language="JavaScript" >>>>>> type="text/javascript"><!-- >>>>>> Do you know where I can configure Freemarker ? >>>>>> >>>>>> In HTML head tag, some chars are parsed too. >>>>>> >>>>>> Eric >>>>> >>>>> >>>>> |
Re: Javascript is parsed to HTML (Freemarker ?)
|
Administrator
|
In reply to this post by Jacques Le Roux
Maybe an option for you is to try to comment out lines 71-73 of HtmlWidget.java
Jacques From: "Jacques Le Roux" <[hidden email]> > 1st thing : OFBiz trunk no longer uses .properties files but .xml files > 2d thing : we don't allow HTML in labels (actually there are still some, but it should not at term apart some special cases like > the famous CommonEmpty) > > I think you will have to create a specific worker for that, ie no longer render your strings as > ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} > but using something like Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") where > renderUiLabelMap returns a stringBuilder embedding the original String > I can see any other means maybe there are and someone will suggest you something easier. > > Jacques > > From: "Stephen Rufle" <[hidden email]> >> In the ftl I use >> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} >> >> Does this process get passed through some class that I can change and >> send a patch for? Then all properties could embed HTML >> >> Jacques Le Roux wrote: >>> As David explains below you have to embed the String you create (I >>> suppose reading the property) into a StringBuilder >>> >>> Jacques >>> >>> From: "Stephen Rufle" <[hidden email]> >>>> I think I have a related issue to this. I have .properties files with >>>> table headings in them. I used to be able to put a br tag <br> in the >>>> content of my labels to break two words. >>>> >>>> ex. >>>> "Cust.<br>Order# " >>>> would turn into >>>> " >>>> Cust. >>>> Order# >>>> " >>>> on my display, now it sends it literally. How do I get the old behavior >>>> back? >>>> >>>> David E Jones wrote: >>>>> >>>>> Have you been following the discussion on the mailing lists about the >>>>> XSS/etc prevention efforts? >>>>> >>>>> As a general practice when you run into things like this you can >>>>> usually find your answer pretty quickly by looking at commit logs, and >>>>> by looking at code in OOTB OFBiz that does something similar to what >>>>> you are trying to do. In this case, for example looking at the >>>>> productdetail screen and the groovy and ftl files that it uses will >>>>> give you an example of how to handle this now. >>>>> >>>>> The important thing to know is that now all String objects are >>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid >>>>> it, just use anything other than a String object. The normal way to do >>>>> this is to create your script dynamically using a StringBuilder, and >>>>> then just leave it as a StringBuilder instead of calling toString() on >>>>> it before putting it in the context. Then it won't get HTML encoded... >>>>> >>>>> On a side note, I know that the OOTB code isn't the best example of >>>>> this, but usually it is best to generate your JavaScript in the FTL >>>>> file. If you are dynamically generating any sort of text a template >>>>> file is usually the best tool to use and results in the cleanest and >>>>> easiest to maintain code. >>>>> >>>>> And as a bonus, you'll avoid this encoding issue too. In fact, part of >>>>> the decision to do this general encoding is to encourage the practice >>>>> of using templates for what they are meant to be used for. >>>>> >>>>> Best of luck, >>>>> -David >>>>> >>>>> >>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: >>>>> >>>>>> A precision : >>>>>> >>>>>> *** Error comes from Groovy >>>>>> Because I have the problem only with generated Javascript script with >>>>>> Groovy. >>>>>> >>>>>> An idea ? >>>>>> >>>>>> Thanks >>>>>> >>>>>> Eric >>>>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email]> >>>>>> To: <[hidden email]> >>>>>> Sent: Monday, February 16, 2009 6:24 PM >>>>>> Subject: Javascript is parsed to HTML (Freemarker ?) >>>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> I updated my working copy >>>>>> >>>>>> *** Now all javascript are parsed to HTML (and appear in screen, just >>>>>> for my own application, Ecommerce is OK) >>>>>> Script tags are ok. >>>>>> Ex. in source : >>>>>> <script language="JavaScript" >>>>>> type="text/javascript"><!-- >>>>>> Do you know where I can configure Freemarker ? >>>>>> >>>>>> In HTML head tag, some chars are parsed too. >>>>>> >>>>>> Eric >>>>> >>>>> >>>>> >>>> >>>> -- >>>> Stephen P Rufle >>>> [hidden email] >>>> H1:480-626-8022 >>>> H2:480-802-7173 >>>> Yahoo IM: stephen_rufle >>>> AOL IM: stephen1rufle >>>> >>> >>> >>> >> >> -- >> Stephen P Rufle >> [hidden email] >> H1:480-626-8022 >> H2:480-802-7173 >> Yahoo IM: stephen_rufle >> AOL IM: stephen1rufle >> > > |
Re: Javascript is parsed to HTML (Freemarker ?)
|
|
In reply to this post by Stephen Rufle-2
Keeping HTML out of UI labels isn't a "rule" - it is a "best practice."
The reason is reusability - you can reuse the UI label in a non-HTML environment. -Adrian Stephen Rufle wrote: > Ok, If I convert to using XXX.xml instead of XXX.properties will be able > to embed the HTML, or is the general rule that no properties are allowed > to have HTML in them otherwise they get encoded on the way out to the > screen? > > Using /ofbiz/framework/common/config/CommonUiLabels.xml as my example to > work from > > so what used to be > > XXX.properties > keyName=some text to the screen > > XXX.xml - I am assuming that I have to have at least one xml:lang="en" > as a value > <resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> > <property key="keyName"> > <value xml:lang="en">some text to the screen</value> > </property> > </resource> > > > Jacques Le Roux wrote: >> 1st thing : OFBiz trunk no longer uses .properties files but .xml files >> 2d thing : we don't allow HTML in labels (actually there are still >> some, but it should not at term apart some special cases like the >> famous CommonEmpty) >> >> I think you will have to create a specific worker for that, ie no >> longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} >> but using something like >> Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") >> where renderUiLabelMap returns a stringBuilder embedding the original >> String >> I can see any other means maybe there are and someone will suggest you >> something easier. >> >> Jacques >> >> From: "Stephen Rufle" <[hidden email]> >>> In the ftl I use >>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} >>> >>> Does this process get passed through some class that I can change and >>> send a patch for? Then all properties could embed HTML >>> >>> Jacques Le Roux wrote: >>>> As David explains below you have to embed the String you create (I >>>> suppose reading the property) into a StringBuilder >>>> >>>> Jacques >>>> >>>> From: "Stephen Rufle" <[hidden email]> >>>>> I think I have a related issue to this. I have .properties files with >>>>> table headings in them. I used to be able to put a br tag <br> in the >>>>> content of my labels to break two words. >>>>> >>>>> ex. >>>>> "Cust.<br>Order# " >>>>> would turn into >>>>> " >>>>> Cust. >>>>> Order# >>>>> " >>>>> on my display, now it sends it literally. How do I get the old >>>>> behavior >>>>> back? >>>>> >>>>> David E Jones wrote: >>>>>> Have you been following the discussion on the mailing lists about the >>>>>> XSS/etc prevention efforts? >>>>>> >>>>>> As a general practice when you run into things like this you can >>>>>> usually find your answer pretty quickly by looking at commit logs, >>>>>> and >>>>>> by looking at code in OOTB OFBiz that does something similar to what >>>>>> you are trying to do. In this case, for example looking at the >>>>>> productdetail screen and the groovy and ftl files that it uses will >>>>>> give you an example of how to handle this now. >>>>>> >>>>>> The important thing to know is that now all String objects are >>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid >>>>>> it, just use anything other than a String object. The normal way >>>>>> to do >>>>>> this is to create your script dynamically using a StringBuilder, and >>>>>> then just leave it as a StringBuilder instead of calling >>>>>> toString() on >>>>>> it before putting it in the context. Then it won't get HTML >>>>>> encoded... >>>>>> >>>>>> On a side note, I know that the OOTB code isn't the best example of >>>>>> this, but usually it is best to generate your JavaScript in the FTL >>>>>> file. If you are dynamically generating any sort of text a template >>>>>> file is usually the best tool to use and results in the cleanest and >>>>>> easiest to maintain code. >>>>>> >>>>>> And as a bonus, you'll avoid this encoding issue too. In fact, >>>>>> part of >>>>>> the decision to do this general encoding is to encourage the practice >>>>>> of using templates for what they are meant to be used for. >>>>>> >>>>>> Best of luck, >>>>>> -David >>>>>> >>>>>> >>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: >>>>>> >>>>>>> A precision : >>>>>>> >>>>>>> *** Error comes from Groovy >>>>>>> Because I have the problem only with generated Javascript script >>>>>>> with >>>>>>> Groovy. >>>>>>> >>>>>>> An idea ? >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> Eric >>>>>>> ----- Original Message ----- From: "Eric DE MAULDE" >>>>>>> <[hidden email]> >>>>>>> To: <[hidden email]> >>>>>>> Sent: Monday, February 16, 2009 6:24 PM >>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?) >>>>>>> >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> I updated my working copy >>>>>>> >>>>>>> *** Now all javascript are parsed to HTML (and appear in screen, >>>>>>> just >>>>>>> for my own application, Ecommerce is OK) >>>>>>> Script tags are ok. >>>>>>> Ex. in source : >>>>>>> <script language="JavaScript" >>>>>>> type="text/javascript"><!-- >>>>>>> Do you know where I can configure Freemarker ? >>>>>>> >>>>>>> In HTML head tag, some chars are parsed too. >>>>>>> >>>>>>> Eric >>>>>> >>>>>> > > |
Re: Javascript is parsed to HTML (Freemarker ?)
|
Administrator
|
In reply to this post by Stephen Rufle-2
Ok, it's late here so don't expect an answer before some hours...
Which Release.revision are you using, trunk I guess ? Jacques PS : see also my suggestion about StringHtmlWrapperForFtl, and maybe make it works for you ;o) From: "Stephen Rufle" <[hidden email]> > Ok, If I convert to using XXX.xml instead of XXX.properties will be able > to embed the HTML, or is the general rule that no properties are allowed > to have HTML in them otherwise they get encoded on the way out to the > screen? > > Using /ofbiz/framework/common/config/CommonUiLabels.xml as my example to > work from > > so what used to be > > XXX.properties > keyName=some text to the screen > > XXX.xml - I am assuming that I have to have at least one xml:lang="en" > as a value > <resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> > <property key="keyName"> > <value xml:lang="en">some text to the screen</value> > </property> > </resource> > > > Jacques Le Roux wrote: >> 1st thing : OFBiz trunk no longer uses .properties files but .xml files >> 2d thing : we don't allow HTML in labels (actually there are still >> some, but it should not at term apart some special cases like the >> famous CommonEmpty) >> >> I think you will have to create a specific worker for that, ie no >> longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} >> but using something like >> Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") >> where renderUiLabelMap returns a stringBuilder embedding the original >> String >> I can see any other means maybe there are and someone will suggest you >> something easier. >> >> Jacques >> >> From: "Stephen Rufle" <[hidden email]> >>> In the ftl I use >>> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} >>> >>> Does this process get passed through some class that I can change and >>> send a patch for? Then all properties could embed HTML >>> >>> Jacques Le Roux wrote: >>>> As David explains below you have to embed the String you create (I >>>> suppose reading the property) into a StringBuilder >>>> >>>> Jacques >>>> >>>> From: "Stephen Rufle" <[hidden email]> >>>>> I think I have a related issue to this. I have .properties files with >>>>> table headings in them. I used to be able to put a br tag <br> in the >>>>> content of my labels to break two words. >>>>> >>>>> ex. >>>>> "Cust.<br>Order# " >>>>> would turn into >>>>> " >>>>> Cust. >>>>> Order# >>>>> " >>>>> on my display, now it sends it literally. How do I get the old >>>>> behavior >>>>> back? >>>>> >>>>> David E Jones wrote: >>>>>> >>>>>> Have you been following the discussion on the mailing lists about the >>>>>> XSS/etc prevention efforts? >>>>>> >>>>>> As a general practice when you run into things like this you can >>>>>> usually find your answer pretty quickly by looking at commit logs, >>>>>> and >>>>>> by looking at code in OOTB OFBiz that does something similar to what >>>>>> you are trying to do. In this case, for example looking at the >>>>>> productdetail screen and the groovy and ftl files that it uses will >>>>>> give you an example of how to handle this now. >>>>>> >>>>>> The important thing to know is that now all String objects are >>>>>> automatically HTML encoded (using the OWASP ESAPI library). To avoid >>>>>> it, just use anything other than a String object. The normal way >>>>>> to do >>>>>> this is to create your script dynamically using a StringBuilder, and >>>>>> then just leave it as a StringBuilder instead of calling >>>>>> toString() on >>>>>> it before putting it in the context. Then it won't get HTML >>>>>> encoded... >>>>>> >>>>>> On a side note, I know that the OOTB code isn't the best example of >>>>>> this, but usually it is best to generate your JavaScript in the FTL >>>>>> file. If you are dynamically generating any sort of text a template >>>>>> file is usually the best tool to use and results in the cleanest and >>>>>> easiest to maintain code. >>>>>> >>>>>> And as a bonus, you'll avoid this encoding issue too. In fact, >>>>>> part of >>>>>> the decision to do this general encoding is to encourage the practice >>>>>> of using templates for what they are meant to be used for. >>>>>> >>>>>> Best of luck, >>>>>> -David >>>>>> >>>>>> >>>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: >>>>>> >>>>>>> A precision : >>>>>>> >>>>>>> *** Error comes from Groovy >>>>>>> Because I have the problem only with generated Javascript script >>>>>>> with >>>>>>> Groovy. >>>>>>> >>>>>>> An idea ? >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> Eric >>>>>>> ----- Original Message ----- From: "Eric DE MAULDE" >>>>>>> <[hidden email]> >>>>>>> To: <[hidden email]> >>>>>>> Sent: Monday, February 16, 2009 6:24 PM >>>>>>> Subject: Javascript is parsed to HTML (Freemarker ?) >>>>>>> >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> I updated my working copy >>>>>>> >>>>>>> *** Now all javascript are parsed to HTML (and appear in screen, >>>>>>> just >>>>>>> for my own application, Ecommerce is OK) >>>>>>> Script tags are ok. >>>>>>> Ex. in source : >>>>>>> <script language="JavaScript" >>>>>>> type="text/javascript"><!-- >>>>>>> Do you know where I can configure Freemarker ? >>>>>>> >>>>>>> In HTML head tag, some chars are parsed too. >>>>>>> >>>>>>> Eric >>>>>> >>>>>> >>>>>> > |
Re: Javascript is parsed to HTML (Freemarker ?)
|
|
In reply to this post by Jacques Le Roux
There is a solution to this already in place, and it is used in a few places. Take a look at the promotiondetails.ftl file, especially the expression: ${StringUtil.wrapString(productPromo.promoText?if_exists)} BTW, this should ONLY be used for very trusted fields, ie fields that never have information that come from a non-trusted user. As for the uiLabelMap expressions, I like the fact that all possible HTML characters are encoded before sending it to the browser... it encourages the best practice and at the same time avoids issues where things come out in an unexpected way. -David On Mar 4, 2009, at 1:15 PM, Jacques Le Roux wrote: > 1st thing : OFBiz trunk no longer uses .properties files but .xml > files > 2d thing : we don't allow HTML in labels (actually there are still > some, but it should not at term apart some special cases like the > famous CommonEmpty) > > I think you will have to create a specific worker for that, ie no > longer render your strings as ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} > but using something like > Static["org.ofbiz.....LabelWorker"].renderUiLabelMap("$ > {uiXXXLabelMap.CUSTOMER_ORDER_NUMBER}") where renderUiLabelMap > returns a stringBuilder embedding the original String > I can see any other means maybe there are and someone will suggest > you something easier. > > Jacques > > From: "Stephen Rufle" <[hidden email]> >> In the ftl I use >> ${uiXXXLabelMap.CUSTOMER_ORDER_NUMBER} >> >> Does this process get passed through some class that I can change and >> send a patch for? Then all properties could embed HTML >> >> Jacques Le Roux wrote: >>> As David explains below you have to embed the String you create (I >>> suppose reading the property) into a StringBuilder >>> >>> Jacques >>> >>> From: "Stephen Rufle" <[hidden email]> >>>> I think I have a related issue to this. I have .properties files >>>> with >>>> table headings in them. I used to be able to put a br tag <br> in >>>> the >>>> content of my labels to break two words. >>>> >>>> ex. >>>> "Cust.<br>Order# " >>>> would turn into >>>> " >>>> Cust. >>>> Order# >>>> " >>>> on my display, now it sends it literally. How do I get the old >>>> behavior >>>> back? >>>> >>>> David E Jones wrote: >>>>> >>>>> Have you been following the discussion on the mailing lists >>>>> about the >>>>> XSS/etc prevention efforts? >>>>> >>>>> As a general practice when you run into things like this you can >>>>> usually find your answer pretty quickly by looking at commit >>>>> logs, and >>>>> by looking at code in OOTB OFBiz that does something similar to >>>>> what >>>>> you are trying to do. In this case, for example looking at the >>>>> productdetail screen and the groovy and ftl files that it uses >>>>> will >>>>> give you an example of how to handle this now. >>>>> >>>>> The important thing to know is that now all String objects are >>>>> automatically HTML encoded (using the OWASP ESAPI library). To >>>>> avoid >>>>> it, just use anything other than a String object. The normal way >>>>> to do >>>>> this is to create your script dynamically using a StringBuilder, >>>>> and >>>>> then just leave it as a StringBuilder instead of calling >>>>> toString() on >>>>> it before putting it in the context. Then it won't get HTML >>>>> encoded... >>>>> >>>>> On a side note, I know that the OOTB code isn't the best example >>>>> of >>>>> this, but usually it is best to generate your JavaScript in the >>>>> FTL >>>>> file. If you are dynamically generating any sort of text a >>>>> template >>>>> file is usually the best tool to use and results in the cleanest >>>>> and >>>>> easiest to maintain code. >>>>> >>>>> And as a bonus, you'll avoid this encoding issue too. In fact, >>>>> part of >>>>> the decision to do this general encoding is to encourage the >>>>> practice >>>>> of using templates for what they are meant to be used for. >>>>> >>>>> Best of luck, >>>>> -David >>>>> >>>>> >>>>> On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote: >>>>> >>>>>> A precision : >>>>>> >>>>>> *** Error comes from Groovy >>>>>> Because I have the problem only with generated Javascript >>>>>> script with >>>>>> Groovy. >>>>>> >>>>>> An idea ? >>>>>> >>>>>> Thanks >>>>>> >>>>>> Eric >>>>>> ----- Original Message ----- From: "Eric DE MAULDE" <[hidden email] >>>>>> > >>>>>> To: <[hidden email]> >>>>>> Sent: Monday, February 16, 2009 6:24 PM >>>>>> Subject: Javascript is parsed to HTML (Freemarker ?) >>>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> I updated my working copy >>>>>> >>>>>> *** Now all javascript are parsed to HTML (and appear in >>>>>> screen, just >>>>>> for my own application, Ecommerce is OK) >>>>>> Script tags are ok. >>>>>> Ex. in source : >>>>>> <script language="JavaScript" >>>>>> type="text/javascript"><!-- >>>>>> Do you know where I can configure Freemarker ? >>>>>> >>>>>> In HTML head tag, some chars are parsed too. >>>>>> >>>>>> Eric >>>>> >>>>> >>>>> >>>> >>>> -- >>>> Stephen P Rufle >>>> [hidden email] >>>> H1:480-626-8022 >>>> H2:480-802-7173 >>>> Yahoo IM: stephen_rufle >>>> AOL IM: stephen1rufle >>>> >>> >>> >>> >> >> -- >> Stephen P Rufle >> [hidden email] >> H1:480-626-8022 >> H2:480-802-7173 >> Yahoo IM: stephen_rufle >> AOL IM: stephen1rufle > > |
«
Return to OFBiz - User
|
1 view|%1 views
| Free forum by Nabble | Edit this page |