This is not a fix, the problem was that "safe" wasn't filtering unsafe html or returning an error. Taking all "safe" input parameters and making them "any" because "safe" wasn't working as intended is a bit silly to say the least.
Regards Scott On 28/10/2013, at 12:12 PM, [hidden email] wrote: > Author: jleroux > Date: Mon Oct 28 12:12:43 2013 > New Revision: 1536324 > > URL: http://svn.apache.org/r1536324 > Log: > Fixes <<Services allow arbitrary HTML for parameters with allow-html set to "safe">> https://issues.apache.org/jira/browse/OFBIZ-5254 > > After r751990, <<allow-html="any">> and <<allow-html="safe">> are the same: they do nothing! The only difference is the warning message from the OWASP Antisamy IntrusionDetector, which is both, as Christoph noted "giving you a false sense of security" or as I wrote "disturbing, wrong and useless". So there are no longer any reasons for differencing "safe" and "any". > > This > * Deprecates "safe" (making it clear in the XSD documentation), keeping only "none" and "any". This is for backward compatibility, else we could completely remove the misleading "safe". Note that "none" is the default. > * Replaces in services definition all allow-html="safe" by allow-html="any" > * Remove from ModelService.java (near line 587) the code which throws the OWASP Antisamy IntrusionDetector message in log > > Modified: > ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml > ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml > ofbiz/trunk/applications/content/servicedef/services.xml > ofbiz/trunk/applications/content/servicedef/services_content.xml > ofbiz/trunk/applications/content/servicedef/services_data.xml > ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml > ofbiz/trunk/applications/order/servicedef/services.xml > ofbiz/trunk/applications/order/servicedef/services_quote.xml > ofbiz/trunk/applications/order/servicedef/services_request.xml > ofbiz/trunk/applications/party/servicedef/services.xml > ofbiz/trunk/applications/product/servicedef/services.xml > ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml > ofbiz/trunk/applications/workeffort/servicedef/services.xml > ofbiz/trunk/framework/common/servicedef/services.xml > ofbiz/trunk/framework/common/servicedef/services_email.xml > ofbiz/trunk/framework/service/dtd/services.xsd > ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java > ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml > > Modified: ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml (original) > +++ ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml Mon Oct 28 12:12:43 2013 > @@ -30,7 +30,7 @@ under the License. > <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes include="pk" mode="OUT" optional="true"/> > - <override name="textData" allow-html="safe"/> > + <override name="textData" allow-html="any"/> > </service> > <service name="updateAgreement" default-entity-name="Agreement" engine="simple" > location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="updateAgreement" auth="true"> > @@ -38,7 +38,7 @@ under the License. > <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> > <auto-attributes include="pk" mode="IN" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <override name="textData" allow-html="safe"/> > + <override name="textData" allow-html="any"/> > </service> > <service name="cancelAgreement" default-entity-name="Agreement" engine="simple" > location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="cancelAgreement" auth="true"> > @@ -65,7 +65,7 @@ under the License. > <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> > <auto-attributes include="pk" mode="INOUT" optional="true"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <override name="agreementText" allow-html="safe"/> > + <override name="agreementText" allow-html="any"/> > </service> > <service name="updateAgreementItem" default-entity-name="AgreementItem" engine="simple" > location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="updateAgreementItem" auth="true"> > @@ -73,7 +73,7 @@ under the License. > <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> > <auto-attributes include="pk" mode="IN" optional="true"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <override name="agreementText" allow-html="safe"/> > + <override name="agreementText" allow-html="any"/> > </service> > <service name="removeAgreementItem" default-entity-name="AgreementItem" engine="simple" > location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="removeAgreementItem" auth="true"> > @@ -90,7 +90,7 @@ under the License. > <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> > <auto-attributes include="pk" mode="INOUT" optional="true"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <override name="textValue" allow-html="safe"/> > + <override name="textValue" allow-html="any"/> > </service> > <service name="updateAgreementTerm" default-entity-name="AgreementTerm" engine="simple" > location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="updateAgreementTerm" auth="true"> > @@ -98,7 +98,7 @@ under the License. > <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> > <auto-attributes include="pk" mode="IN" optional="true"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <override name="textValue" allow-html="safe"/> > + <override name="textValue" allow-html="any"/> > </service> > <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" engine="simple" > location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="deleteAgreementTerm" auth="true"> > > Modified: ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml (original) > +++ ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml Mon Oct 28 12:12:43 2013 > @@ -56,8 +56,8 @@ under the License. > <override name="invoiceTypeId" mode="IN" optional="false"/> > <override name="partyIdFrom" mode = "IN" optional="false"/> > <override name="partyId" mode = "IN" optional="false"/> > - <override name="description" allow-html="safe"/> > - <override name="invoiceMessage" allow-html="safe"/> > + <override name="description" allow-html="any"/> > + <override name="invoiceMessage" allow-html="any"/> > </service> > <service name="copyInvoice" engine="simple" default-entity-name="Invoice" > location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="copyInvoice"> > @@ -80,8 +80,8 @@ under the License. > <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> > <auto-attributes mode="IN" include="pk" optional="false"/> > <auto-attributes mode="IN" include="nonpk" optional="true"/> > - <override name="description" allow-html="safe"/> > - <override name="invoiceMessage" allow-html="safe"/> > + <override name="description" allow-html="any"/> > + <override name="invoiceMessage" allow-html="any"/> > </service> > <service name="setInvoiceStatus" engine="simple" > location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="setInvoiceStatus"> > @@ -117,7 +117,7 @@ under the License. > <auto-attributes mode="IN" include="pk" optional="false"/> > <auto-attributes mode="IN" include="nonpk" optional="true"/> > <override name="invoiceItemSeqId" mode="INOUT" optional="true"/><!-- will optionally be assigned by the system --> > - <override name="description" allow-html="safe"/> > + <override name="description" allow-html="any"/> > </service> > <service name="updateInvoiceItem" engine="simple" default-entity-name="InvoiceItem" > location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="updateInvoiceItem"> > @@ -125,7 +125,7 @@ under the License. > <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> > <auto-attributes mode="INOUT" include="pk" optional="false"/> > <auto-attributes mode="IN" include="nonpk" optional="true"/> > - <override name="description" allow-html="safe"/> > + <override name="description" allow-html="any"/> > </service> > <service name="removeInvoiceItem" engine="simple" default-entity-name="InvoiceItem" > location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="removeInvoiceItem"> > @@ -276,7 +276,7 @@ under the License. > <attribute name="sendTo" type="String" mode="IN" optional="false"/> > <attribute name="sendCc" type="String" mode="IN" optional="true"/> > <attribute name="subject" type="String" mode="IN" optional="true"/> > - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> > <attribute name="other" type="String" mode="IN" optional="true"/><!-- to send the invoice in the 'other' currency (y) --> > </service> > <service name="checkInvoicePaymentApplications" engine="java" > @@ -412,7 +412,7 @@ under the License. > <auto-attributes include="pk" mode="IN" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> > <override name="contentId" optional="true"/> > <override name="fromDate" optional="true"/> > </service> > @@ -422,7 +422,7 @@ under the License. > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes mode="IN" entity-name="Content" optional="true"/> > <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > <service name="isInvoiceInForeignCurrency" engine="simple" > location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="isInvoiceInForeignCurrency" auth="true"> > > Modified: ofbiz/trunk/applications/content/servicedef/services.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/content/servicedef/services.xml (original) > +++ ofbiz/trunk/applications/content/servicedef/services.xml Mon Oct 28 12:12:43 2013 > @@ -291,12 +291,12 @@ > > <service name="createSimpleTextContent" engine="simple" location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="createSimpleTextContent"> > <auto-attributes mode="IN" entity-name="Content" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> > <override name="contentId" mode="INOUT"/> > </service> > <service name="updateSimpleTextContent" engine="simple" location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="updateSimpleTextContent"> > <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > > <!-- Util --> > @@ -452,7 +452,7 @@ > <attribute mode="IN" name="forceElectronicText" optional="true" type="String"/> > <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> > <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> > - <override name="textData" allow-html="safe"/> > + <override name="textData" allow-html="any"/> > </service> > > <service name="persistDataResourceAndData" engine="java" > @@ -1052,8 +1052,8 @@ > <attribute name="statusId" type="String" mode="IN" optional="true"/> > <attribute name="description" type="String" mode="IN" optional="true"/> > <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> > - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> > - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/> > + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > <service name="updateBlogEntry" engine="simple" auth="true" > location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="updateBlogEntry"> > @@ -1065,8 +1065,8 @@ > <attribute name="statusId" type="String" mode="IN" optional="true"/> > <attribute name="description" type="String" mode="IN" optional="true"/> > <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> > - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> > - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/> > + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > <service name="getBlogEntry" engine="simple" auth="true" > location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="getBlogEntry"> > > Modified: ofbiz/trunk/applications/content/servicedef/services_content.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_content.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/content/servicedef/services_content.xml (original) > +++ ofbiz/trunk/applications/content/servicedef/services_content.xml Mon Oct 28 12:12:43 2013 > @@ -48,8 +48,8 @@ > <attribute name="fromDate" type="Timestamp" mode="IN" optional="true"/> > <attribute name="sequenceNum" type="Long" mode="IN" optional="true"/> > <override name="contentTypeId" default-value="DOCUMENT"/> > - <override name="contentName" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > + <override name="contentName" allow-html="any"/> > + <override name="description" allow-html="any"/> > </service> > > <service name="createTextAndUploadedContent" engine="simple" auth="true" > @@ -131,8 +131,8 @@ > <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> > <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> > <!-- end of depricated fields --> > - <override name="contentName" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > + <override name="contentName" allow-html="any"/> > + <override name="description" allow-html="any"/> > </service> > > <service name="updateTextContent" engine="group" auth="true"> > > Modified: ofbiz/trunk/applications/content/servicedef/services_data.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_data.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/content/servicedef/services_data.xml (original) > +++ ofbiz/trunk/applications/content/servicedef/services_data.xml Mon Oct 28 12:12:43 2013 > @@ -37,8 +37,8 @@ > <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> > <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> > <attribute name="uploadedFile" type="java.nio.ByteBuffer" mode="IN" optional="true"/> > - <override name="objectInfo" allow-html="safe"/> > - <override name="dataResourceName" allow-html="safe"/> > + <override name="objectInfo" allow-html="any"/> > + <override name="dataResourceName" allow-html="any"/> > </service> > <service name="createDataResourceAndAssocToContent" default-entity-name="DataResource" engine="simple" > location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="createDataResourceAndAssocToContent" auth="true"> > @@ -59,8 +59,8 @@ > <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> > <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> > <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> > - <override name="objectInfo" allow-html="safe"/> > - <override name="dataResourceName" allow-html="safe"/> > + <override name="objectInfo" allow-html="any"/> > + <override name="dataResourceName" allow-html="any"/> > </service> > <service name="removeDataResource" engine="simple" default-entity-name="DataResource" auth="true" > location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="deleteDataResource"> > @@ -90,7 +90,7 @@ > <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> > <auto-attributes include="pk" mode="INOUT" optional="true"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <attribute name="textData" mode="IN" optional="true" type="String" allow-html="safe"/> > + <attribute name="textData" mode="IN" optional="true" type="String" allow-html="any"/> > <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> > <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> > <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> > @@ -100,7 +100,7 @@ > <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> > <auto-attributes include="pk" mode="IN" optional="true"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <attribute name="textData" mode="IN" type="String" optional="true" allow-html="safe"/> > + <attribute name="textData" mode="IN" type="String" optional="true" allow-html="any"/> > <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> > <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> > <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> > @@ -115,7 +115,7 @@ > <auto-attributes include="pk" mode="IN" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <override name="dataResourceTypeId" default-value="ELECTRONIC_TEXT"/> > - <override name="textData" allow-html="safe"/> > + <override name="textData" allow-html="any"/> > </service> > <service name="updateElectronicText" default-entity-name="ElectronicText" engine="simple" > location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="updateElectronicText" auth="true"> > @@ -124,7 +124,7 @@ > <auto-attributes include="pk" mode="INOUT" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <attribute name="contentId" mode="INOUT" optional="true" type="String"/><!-- to optionaly know where this text is belonging to --> > - <override name="textData" allow-html="safe"/> > + <override name="textData" allow-html="any"/> > </service> > <service name="removeElectronicText" default-entity-name="ElectronicText" engine="simple" > location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="removeElectronicText" auth="true"> > > Modified: ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml (original) > +++ ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml Mon Oct 28 12:12:43 2013 > @@ -78,9 +78,9 @@ under the License. > </auto-attributes> > <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> > <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> > - <override name="opportunityName" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > - <override name="nextStep" allow-html="safe"/> > + <override name="opportunityName" allow-html="any"/> > + <override name="description" allow-html="any"/> > + <override name="nextStep" allow-html="any"/> > </service> > <service name="updateSalesOpportunity" engine="simple" default-entity-name="SalesOpportunity" > location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" invoke="updateSalesOpportunity"> > @@ -89,9 +89,9 @@ under the License. > <auto-attributes mode="IN" include="nonpk" optional="true"/> > <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> > <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> > - <override name="opportunityName" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > - <override name="nextStep" allow-html="safe"/> > + <override name="opportunityName" allow-html="any"/> > + <override name="description" allow-html="any"/> > + <override name="nextStep" allow-html="any"/> > </service> > <service name="createSalesOpportunityRole" engine="simple" default-entity-name="SalesOpportunityRole" > location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" invoke="createSalesOpportunityRole"> > > Modified: ofbiz/trunk/applications/order/servicedef/services.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/servicedef/services.xml (original) > +++ ofbiz/trunk/applications/order/servicedef/services.xml Mon Oct 28 12:12:43 2013 > @@ -450,7 +450,7 @@ under the License. > location="org.ofbiz.order.order.OrderServices" invoke="createOrderNote" auth="true"> > <description>Create a note item and associate with a order header</description> > <attribute name="orderId" type="String" mode="IN"/> > - <attribute name="note" type="String" mode="IN" allow-html="safe"/> > + <attribute name="note" type="String" mode="IN" allow-html="any"/> > <attribute name="internalNote" type="String" mode="IN"/> > <attribute name="noteName" type="String" mode="IN" optional="true"/> > </service> > > Modified: ofbiz/trunk/applications/order/servicedef/services_quote.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_quote.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/servicedef/services_quote.xml (original) > +++ ofbiz/trunk/applications/order/servicedef/services_quote.xml Mon Oct 28 12:12:43 2013 > @@ -255,7 +255,7 @@ under the License. > location="component://order/script/org/ofbiz/order/quote/QuoteServices.xml" invoke="createQuoteNote" auth="true"> > <description>Create a note item and associate with a quote</description> > <attribute name="quoteId" type="String" mode="IN"/> > - <attribute name="noteInfo" type="String" mode="IN" allow-html="safe"/> > + <attribute name="noteInfo" type="String" mode="IN" allow-html="any"/> > <attribute name="noteName" type="String" mode="IN" optional="true"/> > </service> > </services> > > Modified: ofbiz/trunk/applications/order/servicedef/services_request.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_request.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/servicedef/services_request.xml (original) > +++ ofbiz/trunk/applications/order/servicedef/services_request.xml Mon Oct 28 12:12:43 2013 > @@ -42,9 +42,9 @@ under the License. > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes include="all" mode="IN" entity-name="CustRequestItem" optional="true"/> > <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> > - <override name="custRequestName" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > - <override name="story" allow-html="safe"/> > + <override name="custRequestName" allow-html="any"/> > + <override name="description" allow-html="any"/> > + <override name="story" allow-html="any"/> > </service> > <service name="updateCustRequest" engine="simple" default-entity-name="CustRequest" > location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequest" auth="true"> > @@ -52,10 +52,10 @@ under the License. > <auto-attributes include="pk" mode="IN" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <attribute name="oldStatusId" type="String" mode="OUT"/> > - <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> > + <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> > <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> > - <override name="custRequestName" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > + <override name="custRequestName" allow-html="any"/> > + <override name="description" allow-html="any"/> > </service> > > <service name="deleteCustRequest" engine="simple" default-entity-name="CustRequest" > @@ -86,16 +86,16 @@ under the License. > <auto-attributes include="pk" mode="INOUT" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <override name="custRequestItemSeqId" optional="true"/> > - <override name="story" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > + <override name="story" allow-html="any"/> > + <override name="description" allow-html="any"/> > </service> > <service name="updateCustRequestItem" engine="simple" default-entity-name="CustRequestItem" > location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestItem" auth="true"> > <description>Update a CustRequestItem record</description> > <auto-attributes include="pk" mode="IN" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <override name="story" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > + <override name="story" allow-html="any"/> > + <override name="description" allow-html="any"/> > </service> > <service name="copyCustRequestItem" default-entity-name="CustRequestItem" engine="simple" > location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="copyCustRequestItem" auth="true"> > @@ -129,7 +129,7 @@ under the License. > location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="createCustRequestNote" auth="true"> > <description>Create a note for a CustRequest</description> > <attribute name="custRequestId" type="String" mode="IN" optional="false"/> > - <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="any"/> > <attribute name="noteId" type="String" mode="OUT" optional="false"/> > <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> > <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> > @@ -138,7 +138,7 @@ under the License. > location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestNote" auth="true"> > <description>Update CustRequest Note</description> > <attribute name="custRequestId" type="String" mode="IN" optional="false"/> > - <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="any"/> > <attribute name="noteInfo" type="String" mode="IN" optional="true"/> > </service> > <service name="createCustRequestItemNote" engine="simple" > @@ -146,7 +146,7 @@ under the License. > <description>Create a note for a CustRequestItem</description> > <attribute name="custRequestId" type="String" mode="IN" optional="false"/> > <attribute name="custRequestItemSeqId" type="String" mode="IN" optional="false"/> > - <attribute name="note" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="note" type="String" mode="IN" optional="false" allow-html="any"/> > <attribute name="noteId" type="String" mode="OUT" optional="false"/> > <attribute name="partyId" type="String" mode="INOUT" optional="true"/><!-- party who created the note --> > <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> > @@ -178,7 +178,7 @@ under the License. > <description>Set the Customer Request Status</description> > <attribute name="custRequestId" type="String" mode="INOUT" optional="false"/> > <attribute name="statusId" type="String" mode="IN" optional="false"/> > - <attribute name="reason" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="reason" type="String" mode="IN" optional="true" allow-html="any"/> > <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/> > <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- for notification services --> > <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> > @@ -192,9 +192,9 @@ under the License. > <attribute name="custRequestId" mode="IN" type="String" optional="true"/> > <attribute name="custRequestId" mode="OUT" type="String" optional="false"/> > <attribute name="custRequestTypeId" mode="IN" type="String" optional="true"/> > - <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="safe"/> > - <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> > - <override name="content" allow-html="safe"/> > + <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="any"/> > + <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> > + <override name="content" allow-html="any"/> > </service> > > <!-- custRequest content services --> > > Modified: ofbiz/trunk/applications/party/servicedef/services.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/party/servicedef/services.xml (original) > +++ ofbiz/trunk/applications/party/servicedef/services.xml Mon Oct 28 12:12:43 2013 > @@ -120,7 +120,7 @@ under the License. > <attribute name="externalId" type="String" mode="IN" optional="true"/> > <attribute name="statusId" type="String" mode="IN" optional="true"/> > <override name="groupName" optional="false"/> > - <override name="comments" allow-html="safe"/> > + <override name="comments" allow-html="any"/> > </service> > <service name="updatePartyGroup" engine="java" default-entity-name="PartyGroup" > location="org.ofbiz.party.party.PartyServices" invoke="updatePartyGroup" auth="true"> > @@ -133,7 +133,7 @@ under the License. > <attribute name="preferredCurrencyUomId" type="String" mode="IN" optional="true"/> > <attribute name="externalId" type="String" mode="IN" optional="true"/> > <attribute name="statusId" type="String" mode="IN" optional="true"/> > - <override name="comments" allow-html="safe"/> > + <override name="comments" allow-html="any"/> > </service> > > <service name="savePartyNameChange" engine="simple" > @@ -379,7 +379,7 @@ under the License. > <description>create a company/contact relationship and add the related roles</description> > <attribute name="accountPartyId" type="String" mode="IN"/> > <attribute name="contactPartyId" type="String" mode="IN"/> > - <attribute name="comments" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="comments" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > > <!-- ContactMech services --> > @@ -768,9 +768,9 @@ under the License. > <attribute name="custRequestId" type="String" mode="IN" optional="true"/> > <attribute name="action" type="String" mode="IN" optional="true"/><!-- to indicate any special action like: REPLY, REPLYALL, FORWARD or empty for no special action--> > <override name="headerString" allow-html="any"/> > - <override name="content" allow-html="safe"/> > - <override name="messageId" allow-html="safe"/> > - <override name="subject" allow-html="safe"/> > + <override name="content" allow-html="any"/> > + <override name="messageId" allow-html="any"/> > + <override name="subject" allow-html="any"/> > </service> > <service name="createCommunicationEvent" engine="simple" > location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" invoke="createCommunicationEventWithPermission" auth="true"> > @@ -792,9 +792,9 @@ under the License. > <auto-attributes entity-name="CommunicationEvent" include="nonpk" mode="IN" optional="true"/> > <attribute name="contactMechPurposeTypeIdFrom" type="String" mode="IN" optional="true"><description>Set a specific purpose for the originator email</description></attribute> > <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/> > - <override name="messageId" allow-html="safe"/> > - <override name="content" allow-html="safe"/> > - <override name="subject" allow-html="safe"/> > + <override name="messageId" allow-html="any"/> > + <override name="content" allow-html="any"/> > + <override name="subject" allow-html="any"/> > </service> > <service name="deleteCommunicationEvent" engine="simple" > location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" invoke="deleteCommunicationEvent" auth="true"> > > Modified: ofbiz/trunk/applications/product/servicedef/services.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/product/servicedef/services.xml (original) > +++ ofbiz/trunk/applications/product/servicedef/services.xml Mon Oct 28 12:12:43 2013 > @@ -34,8 +34,8 @@ under the License. > <exclude field-name="lastModifiedDate"/> > <exclude field-name="lastModifiedByUserLogin"/> > </auto-attributes> > - <override name="description" allow-html="safe"/> > - <override name="longDescription" allow-html="safe"/> > + <override name="description" allow-html="any"/> > + <override name="longDescription" allow-html="any"/> > </service> > <service name="createProduct" default-entity-name="Product" engine="simple" > location="component://product/script/org/ofbiz/product/product/ProductServices.xml" invoke="createProduct" auth="true"> > @@ -70,8 +70,8 @@ under the License. > <attribute name="oldProductId" type="String" mode="IN" optional="false"/> > <attribute name="newInternalName" type="String" mode="IN" optional="true"/> > <attribute name="newProductName" type="String" mode="IN" optional="true"/> > - <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="safe"/> > - <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="any"/> > + <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="any"/> > <attribute name="duplicatePrices" type="String" mode="IN" optional="true"/> > <attribute name="duplicateIDs" type="String" mode="IN" optional="true"/> > <attribute name="duplicateContent" type="String" mode="IN" optional="true"/> > @@ -392,7 +392,7 @@ under the License. > <auto-attributes mode="IN" entity-name="Content" optional="true"/> > <attribute name="subject" type="String" mode="IN" optional="false"/> > <attribute name="plainBody" type="String" mode="IN" optional="false"/> > - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> > <override name="contentId" optional="true" mode="INOUT"/> > </service> > <service name="updateEmailContentForProduct" default-entity-name="ProductContent" engine="simple" > @@ -405,7 +405,7 @@ under the License. > <attribute name="plainBodyDataResourceId" type="String" mode="IN" optional="true"/> > <attribute name="plainBody" type="String" mode="IN" optional="true"/> > <attribute name="htmlBodyDataResourceId" type="String" mode="IN" optional="true"/> > - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > <service name="createDownloadContentForProduct" default-entity-name="ProductContent" engine="simple" > location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" invoke="createDownloadContentForProduct" auth="true"> > @@ -431,7 +431,7 @@ under the License. > <auto-attributes include="pk" mode="IN" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> > <override name="contentId" optional="true"/> > <override name="fromDate" optional="true"/> > </service> > @@ -441,13 +441,13 @@ under the License. > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes mode="IN" entity-name="Content" optional="true"/> > <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > > <service name="createSimpleTextContentForAlternateLocale" engine="simple" location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" invoke="createSimpleTextContentForAlternateLocale"> > <auto-attributes mode="IN" entity-name="Content" optional="true"/> > <attribute name="mainContentId" type="String" mode="IN" optional="false"/> > - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> > <override name="localeString" optional="false"/> > <override name="contentId" mode="INOUT"/> > </service> > @@ -967,7 +967,7 @@ under the License. > <auto-attributes include="pk" mode="IN" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> > <override name="contentId" optional="true"/> > <override name="fromDate" optional="true"/> > </service> > @@ -977,7 +977,7 @@ under the License. > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> > <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > > <service name="updateContentSEOForCategory" engine="simple" > @@ -1201,7 +1201,7 @@ under the License. > <auto-attributes include="pk" mode="IN" optional="true"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes mode="IN" entity-name="Content" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> > <override name="contentId" optional="true"/> > </service> > <service name="updateSimpleTextContentForProductConfigItem" default-entity-name="ProdConfItemContent" engine="simple" > @@ -1210,7 +1210,7 @@ under the License. > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <auto-attributes mode="IN" entity-name="Content" optional="true"/> > <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> > - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> > </service> > <service name="getProductFeaturesByType" engine="java" > location="org.ofbiz.product.feature.ProductFeatureServices" invoke="getProductFeaturesByType"> > > Modified: ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml (original) > +++ ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml Mon Oct 28 12:12:43 2013 > @@ -138,7 +138,7 @@ under the License. > <exclude field-name="lastModifiedByUserLogin"/> > </auto-attributes> > <override name="promoName" optional="false"/> > - <override name="promoText" allow-html="safe"/> > + <override name="promoText" allow-html="any"/> > </service> > <service name="updateProductPromo" default-entity-name="ProductPromo" engine="simple" > location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="updateProductPromo" auth="true"> > @@ -150,7 +150,7 @@ under the License. > <exclude field-name="lastModifiedDate"/> > <exclude field-name="lastModifiedByUserLogin"/> > </auto-attributes> > - <override name="promoText" allow-html="safe"/> > + <override name="promoText" allow-html="any"/> > </service> > <service name="deleteProductPromo" default-entity-name="ProductPromo" engine="simple" > location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="deleteProductPromo" auth="true"> > > Modified: ofbiz/trunk/applications/workeffort/servicedef/services.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/workeffort/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/applications/workeffort/servicedef/services.xml (original) > +++ ofbiz/trunk/applications/workeffort/servicedef/services.xml Mon Oct 28 12:12:43 2013 > @@ -35,8 +35,8 @@ under the License. > <exclude field-name="lastModifiedDate"/> > <exclude field-name="lastModifiedByUserLogin"/> > </auto-attributes> > - <override name="workEffortName" allow-html="safe"/> > - <override name="description" allow-html="safe"/> > + <override name="workEffortName" allow-html="any"/> > + <override name="description" allow-html="any"/> > </service> > <service name="createWorkEffort" default-entity-name="WorkEffort" engine="simple" > location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" invoke="createWorkEffort"> > @@ -50,9 +50,9 @@ under the License. > <attribute name="communicationEventId" type="String" mode="IN" optional="true"/> > <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> > <override name="workEffortTypeId" optional="false"/> > - <override name="workEffortName" optional="false" allow-html="safe"/> > + <override name="workEffortName" optional="false" allow-html="any"/> > <override name="currentStatusId" optional="false"/> > - <override name="description" allow-html="safe"/> > + <override name="description" allow-html="any"/> > </service> > <service name="createWorkEffortAndPartyAssign" default-entity-name="WorkEffort" engine="simple" > location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" invoke="createWorkEffortAndPartyAssign"> > @@ -429,7 +429,7 @@ under the License. > <auto-attributes include="pk" mode="IN" optional="false" entity-name="CustRequestWorkEffort"/> > <auto-attributes include="all" mode="IN" optional="true" entity-name="CustRequest"/> > <override name="custRequestId" optional="true" mode="INOUT"/> > - <override name="description" allow-html="safe"/> > + <override name="description" allow-html="any"/> > </service> > <service name="deleteWorkEffortRequest" engine="simple" location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" invoke="deleteWorkEffortRequest" auth="true"> > <description>Deletes a CustRequestWorkEffort</description> > > Modified: ofbiz/trunk/framework/common/servicedef/services.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/framework/common/servicedef/services.xml (original) > +++ ofbiz/trunk/framework/common/servicedef/services.xml Mon Oct 28 12:12:43 2013 > @@ -63,7 +63,7 @@ under the License. > <description>Create a new note record</description> > <attribute name="partyId" type="String" mode="INOUT" optional="true"/> > <attribute name="noteName" type="String" mode="IN" optional="true"/> > - <attribute name="note" type="String" mode="IN" allow-html="safe"/> > + <attribute name="note" type="String" mode="IN" allow-html="any"/> > <attribute name="noteId" type="String" mode="OUT"/> > </service> > > @@ -72,7 +72,7 @@ under the License. > <description>Update a note record</description> > <auto-attributes include="pk" mode="INOUT" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > - <override name="noteInfo" allow-html="safe"/> > + <override name="noteInfo" allow-html="any"/> > </service> > > <service name="adjustDebugLevels" engine="java" > @@ -109,7 +109,7 @@ under the License. > <auto-attributes include="pk" mode="OUT" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <override name="enumTypeId" optional="false"/> > - <override name="description" optional="false" allow-html="safe"/> > + <override name="description" optional="false" allow-html="any"/> > </service> > <service name="updateEnumeration" default-entity-name="Enumeration" engine="simple" > location="component://common/script/org/ofbiz/common/EnumerationServices.xml" invoke="updateEnumeration" auth="true"> > @@ -118,7 +118,7 @@ under the License. > <auto-attributes include="pk" mode="IN" optional="false"/> > <auto-attributes include="nonpk" mode="IN" optional="true"/> > <override name="enumTypeId" optional="false"/> > - <override name="description" optional="false" allow-html="safe"/> > + <override name="description" optional="false" allow-html="any"/> > </service> > <service name="deleteEnumeration" default-entity-name="Enumeration" engine="entity-auto" invoke="delete" auth="true"> > <description>Delete a Enumeration</description> > > Modified: ofbiz/trunk/framework/common/servicedef/services_email.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_email.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/framework/common/servicedef/services_email.xml (original) > +++ ofbiz/trunk/framework/common/servicedef/services_email.xml Mon Oct 28 12:12:43 2013 > @@ -42,7 +42,7 @@ under the License. > <attribute name="sendFailureNotification" mode="IN" type="Boolean" optional="true"/> > <attribute name="sendPartial" mode="IN" type="Boolean" optional="true"/> > <attribute name="startTLSEnabled" mode="IN" type="Boolean" optional="true"/> > - <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="safe"/> > + <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="any"/> > <attribute name="contentType" type="String" mode="INOUT" optional="true"/> > <attribute name="partyId" type="String" mode="INOUT" optional="true"/> > <attribute name="messageId" type="String" mode="INOUT" optional="true"/> > @@ -56,7 +56,7 @@ under the License. > <service name="sendMailOnePartInterface" engine="interface" location="" invoke=""> > <description>Interface service for sendMail* services.</description> > <implements service="sendMailInterface"/> > - <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="safe"/> > + <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="any"/> > <override name="contentType" mode="INOUT"/> > <override name="subject" mode="INOUT" optional="false"/> > <override name="emailType" type="String" mode="INOUT" optional="true"/> > @@ -98,12 +98,12 @@ under the License. > <implements service="sendMailInterface"/> > <attribute name="bodyUrl" type="String" mode="IN" optional="false"/> > <attribute name="bodyUrlParameters" type="Map" mode="IN" optional="true"/> > - <attribute name="body" type="String" mode="OUT" optional="false" allow-html="safe"/> > + <attribute name="body" type="String" mode="OUT" optional="false" allow-html="any"/> > </service> > <service name="sendMailFromScreenInterface" engine="interface" location="" invoke=""> > <description>Interface service for E-Mail sent From Screen Widget</description> > <implements service="sendMailInterface"/> > - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> > <attribute name="bodyScreenUri" type="String" mode="IN" optional="true"/> > <attribute name="xslfoAttachScreenLocation" type="String" mode="IN" optional="true"/> > <attribute name="attachmentName" type="String" mode="IN" optional="true"/> > @@ -132,7 +132,7 @@ under the License. > <implements service="sendMailInterface"/> > <attribute name="emailTemplateSettingId" type="String" mode="IN" optional="false"/> > <attribute name="partyIdTo" type="String" mode="IN" optional="true"/> > - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> > <attribute name="attachmentName" type="String" mode="IN" optional="true"/> > <attribute name="bodyParameters" type="Map" mode="IN" optional="true"/> > <attribute name="webSiteId" type="String" mode="IN" optional="true"/> > @@ -143,8 +143,8 @@ under the License. > location="" invoke=""> > <description>Send Template Based Notification Service</description> > <implements service="sendMailInterface"/> > - <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="safe"/> > - <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="any"/> > + <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="any"/> > <attribute name="templateName" type="String" mode="IN" optional="false"/> > <attribute name="templateData" type="Map" mode="IN" optional="true"/> > <attribute name="webSiteId" type="String" mode="IN" optional="true"/> > @@ -153,7 +153,7 @@ under the License. > location="" invoke=""> > <description>Send Template Based Notification Service</description> > <implements service="prepareNotificationInterface"/> > - <attribute name="body" type="String" mode="IN" optional="true" allow-html="safe"/> > + <attribute name="body" type="String" mode="IN" optional="true" allow-html="any"/> > <attribute name="templateName" type="String" mode="IN" optional="false"/> > <attribute name="templateData" type="Map" mode="IN" optional="true"/> > <attribute name="webSiteId" type="String" mode="IN" optional="true"/> > > Modified: ofbiz/trunk/framework/service/dtd/services.xsd > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/framework/service/dtd/services.xsd (original) > +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Oct 28 12:12:43 2013 > @@ -106,6 +106,7 @@ under the License. > If set to true and there is a transaction already in place the Service Engine will suspend that transaction, begin a new one just for this service, commit or rollback the local transaction when the service is complete, and will resume the original transaction. > If set to true and there is no transaction already in place it will just begin a transaction and manage it as would be done for a normal user-transaction=true. > If use-transaction=false this setting is ignored. > + Beware: using require-new-transaction=true in a service called (maybe not directly) by a pre-invoke or earlier event ( preprocessor, firstvisit and so on) is not yet supported. > </xs:documentation> > </xs:annotation> > <xs:simpleType> > @@ -348,11 +349,18 @@ under the License. > </xs:simpleType> > </xs:attribute> > <xs:attribute name="allow-html" use="optional" default="none"> > - <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element.</xs:documentation></xs:annotation> > + <xs:annotation> > + <xs:documentation> > + Applies only to String fields. > + Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc). > + Defaults to "none" meaning no HTML is allowed (will result in an error message). > + If some HTML is desired then use "any". > + There was previously "safe" but it's deprecated > + </xs:documentation> > + </xs:annotation> > <xs:simpleType> > <xs:restriction base="xs:token"> > <xs:enumeration value="any"/> > - <xs:enumeration value="safe"/> > <xs:enumeration value="none"/> > </xs:restriction> > </xs:simpleType> > @@ -424,13 +432,12 @@ under the License. > Applies only to String fields. > Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc). > Defaults to "none" meaning no HTML is allowed (will result in an error message). > - If some HTML is desired then use "safe" which will follow the rules in the antisamy-esapi.xml file. This should be safe for both internal and public users. > - In rare cases when users are trusted or it is not a sensitive field the "any" option may be used to not check the HTML content at all. > + If some HTML is desired then use "any". > + There was previously "safe" but it's deprecated > </xs:documentation></xs:annotation> > <xs:simpleType> > <xs:restriction base="xs:token"> > <xs:enumeration value="any"/> > - <xs:enumeration value="safe"/> > <xs:enumeration value="none"/> > </xs:restriction> > </xs:simpleType> > @@ -477,11 +484,18 @@ under the License. > </xs:simpleType> > </xs:attribute> > <xs:attribute name="allow-html" use="optional"> > - <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element. Note that it is slightly different here as there is no defualt.</xs:documentation></xs:annotation> > + <xs:annotation> > + <xs:documentation> > + Applies only to String fields. > + Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc). > + There is no default, "none" means no HTML is allowed (will result in an error message). > + If some HTML is desired then use "any". > + There was previously "safe" but it's deprecated > + </xs:documentation> > + </xs:annotation> > <xs:simpleType> > <xs:restriction base="xs:token"> > <xs:enumeration value="any"/> > - <xs:enumeration value="safe"/> > <xs:enumeration value="none"/> > </xs:restriction> > </xs:simpleType> > > Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java > URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original) > +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Mon Oct 28 12:12:43 2013 > @@ -575,18 +575,12 @@ public class ModelService extends Abstra > // required and type validation complete, do allow-html validation > if ("IN".equals(mode)) { > List<String> errorMessageList = FastList.newInstance(); > - for (ModelParam modelParam: this.contextInfo.values()) { > - if (context.get(modelParam.name) != null && > - ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) && > - !"any".equals(modelParam.allowHtml) && > - ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) { > - // the param is a String, allow-html is none or safe, and we are looking at an IN parameter during input parameter validation > + for (ModelParam modelParam : this.contextInfo.values()) { > + // the param is a String, allow-html is not any, and we are looking at an IN parameter during input parameter validation > + if (context.get(modelParam.name) != null && ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) > + && !"any".equals(modelParam.allowHtml) && ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) { > String value = (String) context.get(modelParam.name); > - if ("none".equals(modelParam.allowHtml)) { > - StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); > - } else if ("safe".equals(modelParam.allowHtml)) { > - StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList); > - } > + StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); > } > } > if (errorMessageList.size() > 0) { > > Modified: ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml > URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > ============================================================================== > --- ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml (original) > +++ ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml Mon Oct 28 12:12:43 2013 > @@ -491,7 +491,7 @@ under the License. > <attribute name="itemId" mode="IN" type="String" optional="false"/> > <attribute name="listingType" mode="IN" type="String" optional="true"/> > <attribute name="title" mode="IN" type="String" optional="true"/> > - <attribute name="description" mode="IN" type="String" allow-html="safe"/> > + <attribute name="description" mode="IN" type="String" allow-html="any"/> > <attribute name="price" mode="IN" type="String" optional="true"/> > <attribute name="currencyId" mode="IN" type="String" optional="true"/> > <attribute mode="IN" name="imageData" optional="true" type="java.nio.ByteBuffer"/> > > |
Administrator
|
I agree, it's in my long TODO list...
Jacques On Friday, December 27, 2013 8:43 PM [hidden email] wrote > This is not a fix, the problem was that "safe" wasn't filtering unsafe html or returning an error. Taking all "safe" input > parameters and making them "any" because "safe" wasn't working as intended is a bit silly to say the least. > > Regards > Scott > > On 28/10/2013, at 12:12 PM, [hidden email] wrote: > >> Author: jleroux >> Date: Mon Oct 28 12:12:43 2013 >> New Revision: 1536324 >> >> URL: http://svn.apache.org/r1536324 >> Log: >> Fixes <<Services allow arbitrary HTML for parameters with allow-html set to "safe">> >> https://issues.apache.org/jira/browse/OFBIZ-5254 >> >> After r751990, <<allow-html="any">> and <<allow-html="safe">> are the same: they do nothing! The only difference is the warning >> message from the OWASP Antisamy IntrusionDetector, which is both, as Christoph noted "giving you a false sense of security" or >> as I wrote "disturbing, wrong and useless". So there are no longer any reasons for differencing "safe" and "any". >> >> This >> * Deprecates "safe" (making it clear in the XSD documentation), keeping only "none" and "any". This is for backward >> compatibility, else we could completely remove the misleading "safe". Note that "none" is the default. >> * Replaces in services definition all allow-html="safe" by allow-html="any" >> * Remove from ModelService.java (near line 587) the code which throws the OWASP Antisamy IntrusionDetector message in log >> >> Modified: >> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >> ofbiz/trunk/applications/content/servicedef/services.xml >> ofbiz/trunk/applications/content/servicedef/services_content.xml >> ofbiz/trunk/applications/content/servicedef/services_data.xml >> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >> ofbiz/trunk/applications/order/servicedef/services.xml >> ofbiz/trunk/applications/order/servicedef/services_quote.xml >> ofbiz/trunk/applications/order/servicedef/services_request.xml >> ofbiz/trunk/applications/party/servicedef/services.xml >> ofbiz/trunk/applications/product/servicedef/services.xml >> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >> ofbiz/trunk/applications/workeffort/servicedef/services.xml >> ofbiz/trunk/framework/common/servicedef/services.xml >> ofbiz/trunk/framework/common/servicedef/services_email.xml >> ofbiz/trunk/framework/service/dtd/services.xsd >> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >> >> Modified: ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml (original) +++ >> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml Mon Oct 28 12:12:43 2013 @@ -30,7 +30,7 @@ under the >> License. <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes include="pk" mode="OUT" optional="true"/> >> - <override name="textData" allow-html="safe"/> >> + <override name="textData" allow-html="any"/> >> </service> >> <service name="updateAgreement" default-entity-name="Agreement" engine="simple" >> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >> invoke="updateAgreement" auth="true"> @@ -38,7 +38,7 @@ under the License. >> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >> <auto-attributes include="pk" mode="IN" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <override name="textData" allow-html="safe"/> >> + <override name="textData" allow-html="any"/> >> </service> >> <service name="cancelAgreement" default-entity-name="Agreement" engine="simple" >> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >> invoke="cancelAgreement" auth="true"> @@ -65,7 +65,7 @@ under the License. >> <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >> <auto-attributes include="pk" mode="INOUT" optional="true"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <override name="agreementText" allow-html="safe"/> >> + <override name="agreementText" allow-html="any"/> >> </service> >> <service name="updateAgreementItem" default-entity-name="AgreementItem" engine="simple" >> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >> invoke="updateAgreementItem" auth="true"> @@ -73,7 +73,7 @@ under the License. >> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >> <auto-attributes include="pk" mode="IN" optional="true"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <override name="agreementText" allow-html="safe"/> >> + <override name="agreementText" allow-html="any"/> >> </service> >> <service name="removeAgreementItem" default-entity-name="AgreementItem" engine="simple" >> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >> invoke="removeAgreementItem" auth="true"> @@ -90,7 +90,7 @@ under the License. >> <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >> <auto-attributes include="pk" mode="INOUT" optional="true"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <override name="textValue" allow-html="safe"/> >> + <override name="textValue" allow-html="any"/> >> </service> >> <service name="updateAgreementTerm" default-entity-name="AgreementTerm" engine="simple" >> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >> invoke="updateAgreementTerm" auth="true"> @@ -98,7 +98,7 @@ under the License. >> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >> <auto-attributes include="pk" mode="IN" optional="true"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <override name="textValue" allow-html="safe"/> >> + <override name="textValue" allow-html="any"/> >> </service> >> <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" engine="simple" >> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >> invoke="deleteAgreementTerm" auth="true"> >> >> Modified: ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml (original) +++ >> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml Mon Oct 28 12:12:43 2013 @@ -56,8 +56,8 @@ under the License. >> <override name="invoiceTypeId" mode="IN" optional="false"/> >> <override name="partyIdFrom" mode = "IN" optional="false"/> >> <override name="partyId" mode = "IN" optional="false"/> >> - <override name="description" allow-html="safe"/> >> - <override name="invoiceMessage" allow-html="safe"/> >> + <override name="description" allow-html="any"/> >> + <override name="invoiceMessage" allow-html="any"/> >> </service> >> <service name="copyInvoice" engine="simple" default-entity-name="Invoice" >> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="copyInvoice"> >> @@ -80,8 +80,8 @@ under the License. >> <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> >> <auto-attributes mode="IN" include="pk" optional="false"/> >> <auto-attributes mode="IN" include="nonpk" optional="true"/> >> - <override name="description" allow-html="safe"/> >> - <override name="invoiceMessage" allow-html="safe"/> >> + <override name="description" allow-html="any"/> >> + <override name="invoiceMessage" allow-html="any"/> >> </service> >> <service name="setInvoiceStatus" engine="simple" >> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="setInvoiceStatus"> >> @@ -117,7 +117,7 @@ under the License. >> <auto-attributes mode="IN" include="pk" optional="false"/> >> <auto-attributes mode="IN" include="nonpk" optional="true"/> >> <override name="invoiceItemSeqId" mode="INOUT" optional="true"/><!-- will optionally be assigned by the system --> >> - <override name="description" allow-html="safe"/> >> + <override name="description" allow-html="any"/> >> </service> >> <service name="updateInvoiceItem" engine="simple" default-entity-name="InvoiceItem" >> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="updateInvoiceItem"> >> @@ -125,7 +125,7 @@ under the License. >> <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> >> <auto-attributes mode="INOUT" include="pk" optional="false"/> >> <auto-attributes mode="IN" include="nonpk" optional="true"/> >> - <override name="description" allow-html="safe"/> >> + <override name="description" allow-html="any"/> >> </service> >> <service name="removeInvoiceItem" engine="simple" default-entity-name="InvoiceItem" >> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="removeInvoiceItem"> >> @@ -276,7 +276,7 @@ under the License. >> <attribute name="sendTo" type="String" mode="IN" optional="false"/> >> <attribute name="sendCc" type="String" mode="IN" optional="true"/> >> <attribute name="subject" type="String" mode="IN" optional="true"/> >> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >> <attribute name="other" type="String" mode="IN" optional="true"/><!-- to send the invoice in the 'other' currency (y) --> >> </service> >> <service name="checkInvoicePaymentApplications" engine="java" >> @@ -412,7 +412,7 @@ under the License. >> <auto-attributes include="pk" mode="IN" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >> <override name="contentId" optional="true"/> >> <override name="fromDate" optional="true"/> >> </service> >> @@ -422,7 +422,7 @@ under the License. >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >> </service> >> <service name="isInvoiceInForeignCurrency" engine="simple" >> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" >> invoke="isInvoiceInForeignCurrency" auth="true"> >> >> Modified: ofbiz/trunk/applications/content/servicedef/services.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/content/servicedef/services.xml (original) +++ ofbiz/trunk/applications/content/servicedef/services.xml >> Mon Oct 28 12:12:43 2013 @@ -291,12 +291,12 @@ >> >> <service name="createSimpleTextContent" engine="simple" >> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="createSimpleTextContent"> >> <auto-attributes mode="IN" entity-name="Content" optional="true"/> - <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >> <override name="contentId" mode="INOUT"/> >> </service> >> <service name="updateSimpleTextContent" engine="simple" >> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="updateSimpleTextContent"> >> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="text" type="String" >> mode="IN" optional="true" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="true" >> allow-html="any"/> </service> >> >> <!-- Util --> >> @@ -452,7 +452,7 @@ >> <attribute mode="IN" name="forceElectronicText" optional="true" type="String"/> >> <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> >> <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> >> - <override name="textData" allow-html="safe"/> >> + <override name="textData" allow-html="any"/> >> </service> >> >> <service name="persistDataResourceAndData" engine="java" >> @@ -1052,8 +1052,8 @@ >> <attribute name="statusId" type="String" mode="IN" optional="true"/> >> <attribute name="description" type="String" mode="IN" optional="true"/> >> <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> >> - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> >> - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/> >> + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/> >> </service> >> <service name="updateBlogEntry" engine="simple" auth="true" >> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="updateBlogEntry"> >> @@ -1065,8 +1065,8 @@ >> <attribute name="statusId" type="String" mode="IN" optional="true"/> >> <attribute name="description" type="String" mode="IN" optional="true"/> >> <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> >> - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> >> - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/> >> + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/> >> </service> >> <service name="getBlogEntry" engine="simple" auth="true" >> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="getBlogEntry"> >> >> Modified: ofbiz/trunk/applications/content/servicedef/services_content.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_content.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/content/servicedef/services_content.xml (original) +++ >> ofbiz/trunk/applications/content/servicedef/services_content.xml Mon Oct 28 12:12:43 2013 @@ -48,8 +48,8 @@ >> <attribute name="fromDate" type="Timestamp" mode="IN" optional="true"/> >> <attribute name="sequenceNum" type="Long" mode="IN" optional="true"/> >> <override name="contentTypeId" default-value="DOCUMENT"/> >> - <override name="contentName" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> + <override name="contentName" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> </service> >> >> <service name="createTextAndUploadedContent" engine="simple" auth="true" >> @@ -131,8 +131,8 @@ >> <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> >> <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> >> <!-- end of depricated fields --> >> - <override name="contentName" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> + <override name="contentName" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> </service> >> >> <service name="updateTextContent" engine="group" auth="true"> >> >> Modified: ofbiz/trunk/applications/content/servicedef/services_data.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_data.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/content/servicedef/services_data.xml (original) +++ >> ofbiz/trunk/applications/content/servicedef/services_data.xml Mon Oct 28 12:12:43 2013 @@ -37,8 +37,8 @@ >> <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> >> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> >> <attribute name="uploadedFile" type="java.nio.ByteBuffer" mode="IN" optional="true"/> >> - <override name="objectInfo" allow-html="safe"/> >> - <override name="dataResourceName" allow-html="safe"/> >> + <override name="objectInfo" allow-html="any"/> >> + <override name="dataResourceName" allow-html="any"/> >> </service> >> <service name="createDataResourceAndAssocToContent" default-entity-name="DataResource" engine="simple" >> location="component://content/script/org/ofbiz/content/data/DataServices.xml" >> invoke="createDataResourceAndAssocToContent" auth="true"> @@ -59,8 +59,8 @@ >> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >> <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> >> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> >> - <override name="objectInfo" allow-html="safe"/> >> - <override name="dataResourceName" allow-html="safe"/> >> + <override name="objectInfo" allow-html="any"/> >> + <override name="dataResourceName" allow-html="any"/> >> </service> >> <service name="removeDataResource" engine="simple" default-entity-name="DataResource" auth="true" >> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="deleteDataResource"> >> @@ -90,7 +90,7 @@ >> <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> >> <auto-attributes include="pk" mode="INOUT" optional="true"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <attribute name="textData" mode="IN" optional="true" type="String" allow-html="safe"/> >> + <attribute name="textData" mode="IN" optional="true" type="String" allow-html="any"/> >> <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> >> <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> >> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >> @@ -100,7 +100,7 @@ >> <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> >> <auto-attributes include="pk" mode="IN" optional="true"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <attribute name="textData" mode="IN" type="String" optional="true" allow-html="safe"/> >> + <attribute name="textData" mode="IN" type="String" optional="true" allow-html="any"/> >> <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> >> <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> >> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >> @@ -115,7 +115,7 @@ >> <auto-attributes include="pk" mode="IN" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <override name="dataResourceTypeId" default-value="ELECTRONIC_TEXT"/> >> - <override name="textData" allow-html="safe"/> >> + <override name="textData" allow-html="any"/> >> </service> >> <service name="updateElectronicText" default-entity-name="ElectronicText" engine="simple" >> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="updateElectronicText" >> auth="true"> @@ -124,7 +124,7 @@ >> <auto-attributes include="pk" mode="INOUT" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <attribute name="contentId" mode="INOUT" optional="true" type="String"/><!-- to optionaly know where this text is >> belonging to --> - <override name="textData" allow-html="safe"/> >> + <override name="textData" allow-html="any"/> >> </service> >> <service name="removeElectronicText" default-entity-name="ElectronicText" engine="simple" >> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="removeElectronicText" >> auth="true"> >> >> Modified: ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml (original) +++ >> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml Mon Oct 28 12:12:43 2013 @@ -78,9 +78,9 @@ under the >> License. </auto-attributes> >> <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> >> <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> >> - <override name="opportunityName" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> - <override name="nextStep" allow-html="safe"/> >> + <override name="opportunityName" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> + <override name="nextStep" allow-html="any"/> >> </service> >> <service name="updateSalesOpportunity" engine="simple" default-entity-name="SalesOpportunity" >> location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" invoke="updateSalesOpportunity"> >> @@ -89,9 +89,9 @@ under the License. >> <auto-attributes mode="IN" include="nonpk" optional="true"/> >> <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> >> <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> >> - <override name="opportunityName" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> - <override name="nextStep" allow-html="safe"/> >> + <override name="opportunityName" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> + <override name="nextStep" allow-html="any"/> >> </service> >> <service name="createSalesOpportunityRole" engine="simple" default-entity-name="SalesOpportunityRole" >> location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" >> invoke="createSalesOpportunityRole"> >> >> Modified: ofbiz/trunk/applications/order/servicedef/services.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/order/servicedef/services.xml (original) +++ ofbiz/trunk/applications/order/servicedef/services.xml Mon >> Oct 28 12:12:43 2013 @@ -450,7 +450,7 @@ under the License. >> location="org.ofbiz.order.order.OrderServices" invoke="createOrderNote" auth="true"> >> <description>Create a note item and associate with a order header</description> >> <attribute name="orderId" type="String" mode="IN"/> >> - <attribute name="note" type="String" mode="IN" allow-html="safe"/> >> + <attribute name="note" type="String" mode="IN" allow-html="any"/> >> <attribute name="internalNote" type="String" mode="IN"/> >> <attribute name="noteName" type="String" mode="IN" optional="true"/> >> </service> >> >> Modified: ofbiz/trunk/applications/order/servicedef/services_quote.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_quote.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/order/servicedef/services_quote.xml (original) +++ >> ofbiz/trunk/applications/order/servicedef/services_quote.xml Mon Oct 28 12:12:43 2013 @@ -255,7 +255,7 @@ under the License. >> location="component://order/script/org/ofbiz/order/quote/QuoteServices.xml" invoke="createQuoteNote" auth="true"> >> <description>Create a note item and associate with a quote</description> >> <attribute name="quoteId" type="String" mode="IN"/> >> - <attribute name="noteInfo" type="String" mode="IN" allow-html="safe"/> >> + <attribute name="noteInfo" type="String" mode="IN" allow-html="any"/> >> <attribute name="noteName" type="String" mode="IN" optional="true"/> >> </service> >> </services> >> >> Modified: ofbiz/trunk/applications/order/servicedef/services_request.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_request.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/order/servicedef/services_request.xml (original) +++ >> ofbiz/trunk/applications/order/servicedef/services_request.xml Mon Oct 28 12:12:43 2013 @@ -42,9 +42,9 @@ under the License. >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes include="all" mode="IN" entity-name="CustRequestItem" optional="true"/> >> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >> - <override name="custRequestName" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> - <override name="story" allow-html="safe"/> >> + <override name="custRequestName" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> + <override name="story" allow-html="any"/> >> </service> >> <service name="updateCustRequest" engine="simple" default-entity-name="CustRequest" >> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequest" >> auth="true"> @@ -52,10 +52,10 @@ under the License. >> <auto-attributes include="pk" mode="IN" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <attribute name="oldStatusId" type="String" mode="OUT"/> >> - <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> >> + <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> >> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >> - <override name="custRequestName" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> + <override name="custRequestName" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> </service> >> >> <service name="deleteCustRequest" engine="simple" default-entity-name="CustRequest" >> @@ -86,16 +86,16 @@ under the License. >> <auto-attributes include="pk" mode="INOUT" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <override name="custRequestItemSeqId" optional="true"/> >> - <override name="story" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> + <override name="story" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> </service> >> <service name="updateCustRequestItem" engine="simple" default-entity-name="CustRequestItem" >> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestItem" >> auth="true"> <description>Update a CustRequestItem record</description> >> <auto-attributes include="pk" mode="IN" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <override name="story" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> + <override name="story" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> </service> >> <service name="copyCustRequestItem" default-entity-name="CustRequestItem" engine="simple" >> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="copyCustRequestItem" >> auth="true"> @@ -129,7 +129,7 @@ under the License. >> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="createCustRequestNote" >> auth="true"> <description>Create a note for a CustRequest</description> >> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >> - <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="safe"/> >> + <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="any"/> >> <attribute name="noteId" type="String" mode="OUT" optional="false"/> >> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> >> <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> >> @@ -138,7 +138,7 @@ under the License. >> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestNote" >> auth="true"> <description>Update CustRequest Note</description> >> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >> - <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="safe"/> >> + <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="any"/> >> <attribute name="noteInfo" type="String" mode="IN" optional="true"/> >> </service> >> <service name="createCustRequestItemNote" engine="simple" >> @@ -146,7 +146,7 @@ under the License. >> <description>Create a note for a CustRequestItem</description> >> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >> <attribute name="custRequestItemSeqId" type="String" mode="IN" optional="false"/> >> - <attribute name="note" type="String" mode="IN" optional="false" allow-html="safe"/> >> + <attribute name="note" type="String" mode="IN" optional="false" allow-html="any"/> >> <attribute name="noteId" type="String" mode="OUT" optional="false"/> >> <attribute name="partyId" type="String" mode="INOUT" optional="true"/><!-- party who created the note --> >> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> >> @@ -178,7 +178,7 @@ under the License. >> <description>Set the Customer Request Status</description> >> <attribute name="custRequestId" type="String" mode="INOUT" optional="false"/> >> <attribute name="statusId" type="String" mode="IN" optional="false"/> >> - <attribute name="reason" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="reason" type="String" mode="IN" optional="true" allow-html="any"/> >> <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/> >> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- for notification services --> >> <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> >> @@ -192,9 +192,9 @@ under the License. >> <attribute name="custRequestId" mode="IN" type="String" optional="true"/> >> <attribute name="custRequestId" mode="OUT" type="String" optional="false"/> >> <attribute name="custRequestTypeId" mode="IN" type="String" optional="true"/> >> - <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="safe"/> >> - <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> >> - <override name="content" allow-html="safe"/> >> + <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="any"/> >> + <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> >> + <override name="content" allow-html="any"/> >> </service> >> >> <!-- custRequest content services --> >> >> Modified: ofbiz/trunk/applications/party/servicedef/services.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/party/servicedef/services.xml (original) +++ ofbiz/trunk/applications/party/servicedef/services.xml Mon >> Oct 28 12:12:43 2013 @@ -120,7 +120,7 @@ under the License. >> <attribute name="externalId" type="String" mode="IN" optional="true"/> >> <attribute name="statusId" type="String" mode="IN" optional="true"/> >> <override name="groupName" optional="false"/> >> - <override name="comments" allow-html="safe"/> >> + <override name="comments" allow-html="any"/> >> </service> >> <service name="updatePartyGroup" engine="java" default-entity-name="PartyGroup" >> location="org.ofbiz.party.party.PartyServices" invoke="updatePartyGroup" auth="true"> >> @@ -133,7 +133,7 @@ under the License. >> <attribute name="preferredCurrencyUomId" type="String" mode="IN" optional="true"/> >> <attribute name="externalId" type="String" mode="IN" optional="true"/> >> <attribute name="statusId" type="String" mode="IN" optional="true"/> >> - <override name="comments" allow-html="safe"/> >> + <override name="comments" allow-html="any"/> >> </service> >> >> <service name="savePartyNameChange" engine="simple" >> @@ -379,7 +379,7 @@ under the License. >> <description>create a company/contact relationship and add the related roles</description> >> <attribute name="accountPartyId" type="String" mode="IN"/> >> <attribute name="contactPartyId" type="String" mode="IN"/> >> - <attribute name="comments" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="comments" type="String" mode="IN" optional="true" allow-html="any"/> >> </service> >> >> <!-- ContactMech services --> >> @@ -768,9 +768,9 @@ under the License. >> <attribute name="custRequestId" type="String" mode="IN" optional="true"/> >> <attribute name="action" type="String" mode="IN" optional="true"/><!-- to indicate any special action like: REPLY, >> REPLYALL, FORWARD or empty for no special action--> <override name="headerString" allow-html="any"/> >> - <override name="content" allow-html="safe"/> >> - <override name="messageId" allow-html="safe"/> >> - <override name="subject" allow-html="safe"/> >> + <override name="content" allow-html="any"/> >> + <override name="messageId" allow-html="any"/> >> + <override name="subject" allow-html="any"/> >> </service> >> <service name="createCommunicationEvent" engine="simple" >> location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" >> invoke="createCommunicationEventWithPermission" auth="true"> @@ -792,9 +792,9 @@ under the License. >> <auto-attributes entity-name="CommunicationEvent" include="nonpk" mode="IN" optional="true"/> >> <attribute name="contactMechPurposeTypeIdFrom" type="String" mode="IN" optional="true"><description>Set a specific >> purpose for the originator email</description></attribute> <attribute name="oldStatusId" type="String" mode="OUT" >> optional="true"/> >> - <override name="messageId" allow-html="safe"/> >> - <override name="content" allow-html="safe"/> >> - <override name="subject" allow-html="safe"/> >> + <override name="messageId" allow-html="any"/> >> + <override name="content" allow-html="any"/> >> + <override name="subject" allow-html="any"/> >> </service> >> <service name="deleteCommunicationEvent" engine="simple" >> location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" >> invoke="deleteCommunicationEvent" auth="true"> >> >> Modified: ofbiz/trunk/applications/product/servicedef/services.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/product/servicedef/services.xml (original) +++ ofbiz/trunk/applications/product/servicedef/services.xml >> Mon Oct 28 12:12:43 2013 @@ -34,8 +34,8 @@ under the License. >> <exclude field-name="lastModifiedDate"/> >> <exclude field-name="lastModifiedByUserLogin"/> >> </auto-attributes> >> - <override name="description" allow-html="safe"/> >> - <override name="longDescription" allow-html="safe"/> >> + <override name="description" allow-html="any"/> >> + <override name="longDescription" allow-html="any"/> >> </service> >> <service name="createProduct" default-entity-name="Product" engine="simple" >> location="component://product/script/org/ofbiz/product/product/ProductServices.xml" invoke="createProduct" >> auth="true"> @@ -70,8 +70,8 @@ under the License. >> <attribute name="oldProductId" type="String" mode="IN" optional="false"/> >> <attribute name="newInternalName" type="String" mode="IN" optional="true"/> >> <attribute name="newProductName" type="String" mode="IN" optional="true"/> >> - <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="safe"/> >> - <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="any"/> >> + <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="any"/> >> <attribute name="duplicatePrices" type="String" mode="IN" optional="true"/> >> <attribute name="duplicateIDs" type="String" mode="IN" optional="true"/> >> <attribute name="duplicateContent" type="String" mode="IN" optional="true"/> >> @@ -392,7 +392,7 @@ under the License. >> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >> <attribute name="subject" type="String" mode="IN" optional="false"/> >> <attribute name="plainBody" type="String" mode="IN" optional="false"/> >> - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> >> <override name="contentId" optional="true" mode="INOUT"/> >> </service> >> <service name="updateEmailContentForProduct" default-entity-name="ProductContent" engine="simple" >> @@ -405,7 +405,7 @@ under the License. >> <attribute name="plainBodyDataResourceId" type="String" mode="IN" optional="true"/> >> <attribute name="plainBody" type="String" mode="IN" optional="true"/> >> <attribute name="htmlBodyDataResourceId" type="String" mode="IN" optional="true"/> >> - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> >> </service> >> <service name="createDownloadContentForProduct" default-entity-name="ProductContent" engine="simple" >> location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" >> invoke="createDownloadContentForProduct" auth="true"> @@ -431,7 +431,7 @@ under the License. >> <auto-attributes include="pk" mode="IN" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >> <override name="contentId" optional="true"/> >> <override name="fromDate" optional="true"/> >> </service> >> @@ -441,13 +441,13 @@ under the License. >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >> </service> >> >> <service name="createSimpleTextContentForAlternateLocale" engine="simple" >> location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" >> invoke="createSimpleTextContentForAlternateLocale"> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >> <attribute name="mainContentId" type="String" mode="IN" optional="false"/> - <attribute name="text" type="String" >> mode="IN" optional="false" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="false" >> allow-html="any"/> <override name="localeString" optional="false"/> >> <override name="contentId" mode="INOUT"/> >> </service> >> @@ -967,7 +967,7 @@ under the License. >> <auto-attributes include="pk" mode="IN" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >> <override name="contentId" optional="true"/> >> <override name="fromDate" optional="true"/> >> </service> >> @@ -977,7 +977,7 @@ under the License. >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >> </service> >> >> <service name="updateContentSEOForCategory" engine="simple" >> @@ -1201,7 +1201,7 @@ under the License. >> <auto-attributes include="pk" mode="IN" optional="true"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >> <override name="contentId" optional="true"/> >> </service> >> <service name="updateSimpleTextContentForProductConfigItem" default-entity-name="ProdConfItemContent" engine="simple" >> @@ -1210,7 +1210,7 @@ under the License. >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >> </service> >> <service name="getProductFeaturesByType" engine="java" >> location="org.ofbiz.product.feature.ProductFeatureServices" invoke="getProductFeaturesByType"> >> >> Modified: ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml (original) +++ >> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml Mon Oct 28 12:12:43 2013 @@ -138,7 +138,7 @@ under the >> License. <exclude field-name="lastModifiedByUserLogin"/> >> </auto-attributes> >> <override name="promoName" optional="false"/> >> - <override name="promoText" allow-html="safe"/> >> + <override name="promoText" allow-html="any"/> >> </service> >> <service name="updateProductPromo" default-entity-name="ProductPromo" engine="simple" >> location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="updateProductPromo" >> auth="true"> @@ -150,7 +150,7 @@ under the License. >> <exclude field-name="lastModifiedDate"/> >> <exclude field-name="lastModifiedByUserLogin"/> >> </auto-attributes> >> - <override name="promoText" allow-html="safe"/> >> + <override name="promoText" allow-html="any"/> >> </service> >> <service name="deleteProductPromo" default-entity-name="ProductPromo" engine="simple" >> location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="deleteProductPromo" >> auth="true"> >> >> Modified: ofbiz/trunk/applications/workeffort/servicedef/services.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/applications/workeffort/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/applications/workeffort/servicedef/services.xml (original) +++ >> ofbiz/trunk/applications/workeffort/servicedef/services.xml Mon Oct 28 12:12:43 2013 @@ -35,8 +35,8 @@ under the License. >> <exclude field-name="lastModifiedDate"/> >> <exclude field-name="lastModifiedByUserLogin"/> >> </auto-attributes> >> - <override name="workEffortName" allow-html="safe"/> >> - <override name="description" allow-html="safe"/> >> + <override name="workEffortName" allow-html="any"/> >> + <override name="description" allow-html="any"/> >> </service> >> <service name="createWorkEffort" default-entity-name="WorkEffort" engine="simple" >> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >> invoke="createWorkEffort"> @@ -50,9 +50,9 @@ under the License. >> <attribute name="communicationEventId" type="String" mode="IN" optional="true"/> >> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >> <override name="workEffortTypeId" optional="false"/> >> - <override name="workEffortName" optional="false" allow-html="safe"/> >> + <override name="workEffortName" optional="false" allow-html="any"/> >> <override name="currentStatusId" optional="false"/> >> - <override name="description" allow-html="safe"/> >> + <override name="description" allow-html="any"/> >> </service> >> <service name="createWorkEffortAndPartyAssign" default-entity-name="WorkEffort" engine="simple" >> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >> invoke="createWorkEffortAndPartyAssign"> @@ -429,7 +429,7 @@ under the License. >> <auto-attributes include="pk" mode="IN" optional="false" entity-name="CustRequestWorkEffort"/> >> <auto-attributes include="all" mode="IN" optional="true" entity-name="CustRequest"/> >> <override name="custRequestId" optional="true" mode="INOUT"/> >> - <override name="description" allow-html="safe"/> >> + <override name="description" allow-html="any"/> >> </service> >> <service name="deleteWorkEffortRequest" engine="simple" >> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >> invoke="deleteWorkEffortRequest" auth="true"> <description>Deletes a CustRequestWorkEffort</description> >> >> Modified: ofbiz/trunk/framework/common/servicedef/services.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/framework/common/servicedef/services.xml (original) +++ ofbiz/trunk/framework/common/servicedef/services.xml Mon Oct >> 28 12:12:43 2013 @@ -63,7 +63,7 @@ under the License. >> <description>Create a new note record</description> >> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> >> <attribute name="noteName" type="String" mode="IN" optional="true"/> >> - <attribute name="note" type="String" mode="IN" allow-html="safe"/> >> + <attribute name="note" type="String" mode="IN" allow-html="any"/> >> <attribute name="noteId" type="String" mode="OUT"/> >> </service> >> >> @@ -72,7 +72,7 @@ under the License. >> <description>Update a note record</description> >> <auto-attributes include="pk" mode="INOUT" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> - <override name="noteInfo" allow-html="safe"/> >> + <override name="noteInfo" allow-html="any"/> >> </service> >> >> <service name="adjustDebugLevels" engine="java" >> @@ -109,7 +109,7 @@ under the License. >> <auto-attributes include="pk" mode="OUT" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <override name="enumTypeId" optional="false"/> >> - <override name="description" optional="false" allow-html="safe"/> >> + <override name="description" optional="false" allow-html="any"/> >> </service> >> <service name="updateEnumeration" default-entity-name="Enumeration" engine="simple" >> location="component://common/script/org/ofbiz/common/EnumerationServices.xml" invoke="updateEnumeration" auth="true"> >> @@ -118,7 +118,7 @@ under the License. >> <auto-attributes include="pk" mode="IN" optional="false"/> >> <auto-attributes include="nonpk" mode="IN" optional="true"/> >> <override name="enumTypeId" optional="false"/> >> - <override name="description" optional="false" allow-html="safe"/> >> + <override name="description" optional="false" allow-html="any"/> >> </service> >> <service name="deleteEnumeration" default-entity-name="Enumeration" engine="entity-auto" invoke="delete" auth="true"> >> <description>Delete a Enumeration</description> >> >> Modified: ofbiz/trunk/framework/common/servicedef/services_email.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_email.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/framework/common/servicedef/services_email.xml (original) +++ >> ofbiz/trunk/framework/common/servicedef/services_email.xml Mon Oct 28 12:12:43 2013 @@ -42,7 +42,7 @@ under the License. >> <attribute name="sendFailureNotification" mode="IN" type="Boolean" optional="true"/> >> <attribute name="sendPartial" mode="IN" type="Boolean" optional="true"/> >> <attribute name="startTLSEnabled" mode="IN" type="Boolean" optional="true"/> >> - <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="safe"/> >> + <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="any"/> >> <attribute name="contentType" type="String" mode="INOUT" optional="true"/> >> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> >> <attribute name="messageId" type="String" mode="INOUT" optional="true"/> >> @@ -56,7 +56,7 @@ under the License. >> <service name="sendMailOnePartInterface" engine="interface" location="" invoke=""> >> <description>Interface service for sendMail* services.</description> >> <implements service="sendMailInterface"/> >> - <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="safe"/> >> + <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="any"/> >> <override name="contentType" mode="INOUT"/> >> <override name="subject" mode="INOUT" optional="false"/> >> <override name="emailType" type="String" mode="INOUT" optional="true"/> >> @@ -98,12 +98,12 @@ under the License. >> <implements service="sendMailInterface"/> >> <attribute name="bodyUrl" type="String" mode="IN" optional="false"/> >> <attribute name="bodyUrlParameters" type="Map" mode="IN" optional="true"/> >> - <attribute name="body" type="String" mode="OUT" optional="false" allow-html="safe"/> >> + <attribute name="body" type="String" mode="OUT" optional="false" allow-html="any"/> >> </service> >> <service name="sendMailFromScreenInterface" engine="interface" location="" invoke=""> >> <description>Interface service for E-Mail sent From Screen Widget</description> >> <implements service="sendMailInterface"/> >> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >> <attribute name="bodyScreenUri" type="String" mode="IN" optional="true"/> >> <attribute name="xslfoAttachScreenLocation" type="String" mode="IN" optional="true"/> >> <attribute name="attachmentName" type="String" mode="IN" optional="true"/> >> @@ -132,7 +132,7 @@ under the License. >> <implements service="sendMailInterface"/> >> <attribute name="emailTemplateSettingId" type="String" mode="IN" optional="false"/> >> <attribute name="partyIdTo" type="String" mode="IN" optional="true"/> >> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >> <attribute name="attachmentName" type="String" mode="IN" optional="true"/> >> <attribute name="bodyParameters" type="Map" mode="IN" optional="true"/> >> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >> @@ -143,8 +143,8 @@ under the License. >> location="" invoke=""> >> <description>Send Template Based Notification Service</description> >> <implements service="sendMailInterface"/> >> - <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="safe"/> >> - <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="any"/> >> + <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="any"/> >> <attribute name="templateName" type="String" mode="IN" optional="false"/> >> <attribute name="templateData" type="Map" mode="IN" optional="true"/> >> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >> @@ -153,7 +153,7 @@ under the License. >> location="" invoke=""> >> <description>Send Template Based Notification Service</description> >> <implements service="prepareNotificationInterface"/> >> - <attribute name="body" type="String" mode="IN" optional="true" allow-html="safe"/> >> + <attribute name="body" type="String" mode="IN" optional="true" allow-html="any"/> >> <attribute name="templateName" type="String" mode="IN" optional="false"/> >> <attribute name="templateData" type="Map" mode="IN" optional="true"/> >> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >> >> Modified: ofbiz/trunk/framework/service/dtd/services.xsd >> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== >> --- ofbiz/trunk/framework/service/dtd/services.xsd (original) >> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Oct 28 12:12:43 2013 >> @@ -106,6 +106,7 @@ under the License. >> If set to true and there is a transaction already in place the Service Engine will suspend that transaction, >> begin a new one just for this service, commit or rollback the local transaction when the service is >> complete, and will resume the original transaction. If set to true and there is no transaction already in >> place it will just begin a transaction and manage it as would be done for a normal user-transaction=true. If >> use-transaction=false this setting is ignored. + Beware: using require-new-transaction=true >> in a service called (maybe not directly) by a pre-invoke or earlier event ( preprocessor, firstvisit and so on) is >> not yet supported. </xs:documentation> </xs:annotation> <xs:simpleType> >> @@ -348,11 +349,18 @@ under the License. >> </xs:simpleType> >> </xs:attribute> >> <xs:attribute name="allow-html" use="optional" default="none"> >> - <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" >> element.</xs:documentation></xs:annotation> + <xs:annotation> >> + <xs:documentation> >> + Applies only to String fields. >> + Only checked for incoming parameters/attributes (could change in the future, but this is meant for >> validating input from users, other systems, etc). + Defaults to "none" meaning no HTML is allowed (will >> result in an error message). + If some HTML is desired then use "any". >> + There was previously "safe" but it's deprecated >> + </xs:documentation> >> + </xs:annotation> >> <xs:simpleType> >> <xs:restriction base="xs:token"> >> <xs:enumeration value="any"/> >> - <xs:enumeration value="safe"/> >> <xs:enumeration value="none"/> >> </xs:restriction> >> </xs:simpleType> >> @@ -424,13 +432,12 @@ under the License. >> Applies only to String fields. >> Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating >> input from users, other systems, etc). Defaults to "none" meaning no HTML is allowed (will result in an error >> message). >> - If some HTML is desired then use "safe" which will follow the rules in the antisamy-esapi.xml file. This should >> be safe for both internal and public users. >> - In rare cases when users are trusted or it is not a sensitive field the "any" option may be used to not check >> the HTML content at all. + If some HTML is desired then use "any". >> + There was previously "safe" but it's deprecated >> </xs:documentation></xs:annotation> >> <xs:simpleType> >> <xs:restriction base="xs:token"> >> <xs:enumeration value="any"/> >> - <xs:enumeration value="safe"/> >> <xs:enumeration value="none"/> >> </xs:restriction> >> </xs:simpleType> >> @@ -477,11 +484,18 @@ under the License. >> </xs:simpleType> >> </xs:attribute> >> <xs:attribute name="allow-html" use="optional"> >> - <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element. Note >> that it is slightly different here as there is no defualt.</xs:documentation></xs:annotation> + <xs:annotation> >> + <xs:documentation> >> + Applies only to String fields. >> + Only checked for incoming parameters/attributes (could change in the future, but this is meant for >> validating input from users, other systems, etc). + There is no default, "none" means no HTML is allowed >> (will result in an error message). + If some HTML is desired then use "any". >> + There was previously "safe" but it's deprecated >> + </xs:documentation> >> + </xs:annotation> >> <xs:simpleType> >> <xs:restriction base="xs:token"> >> <xs:enumeration value="any"/> >> - <xs:enumeration value="safe"/> >> <xs:enumeration value="none"/> >> </xs:restriction> >> </xs:simpleType> >> >> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original) +++ >> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Mon Oct 28 12:12:43 2013 @@ -575,18 +575,12 @@ public >> class ModelService extends Abstra // required and type validation complete, do allow-html validation >> if ("IN".equals(mode)) { >> List<String> errorMessageList = FastList.newInstance(); >> - for (ModelParam modelParam: this.contextInfo.values()) { >> - if (context.get(modelParam.name) != null && >> - ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) && >> - !"any".equals(modelParam.allowHtml) && >> - ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) { >> - // the param is a String, allow-html is none or safe, and we are looking at an IN parameter during input >> parameter validation + for (ModelParam modelParam : this.contextInfo.values()) { >> + // the param is a String, allow-html is not any, and we are looking at an IN parameter during input parameter >> validation + if (context.get(modelParam.name) != null && ("String".equals(modelParam.type) || >> "java.lang.String".equals(modelParam.type)) + && !"any".equals(modelParam.allowHtml) && >> ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) { String value = (String) >> context.get(modelParam.name); >> - if ("none".equals(modelParam.allowHtml)) { >> - StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); >> - } else if ("safe".equals(modelParam.allowHtml)) { >> - StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList); >> - } >> + StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); >> } >> } >> if (errorMessageList.size() > 0) { >> >> Modified: ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >> URL: >> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >> ============================================================================== --- >> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml (original) +++ >> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml Mon Oct 28 12:12:43 2013 @@ -491,7 +491,7 @@ under the License. >> <attribute name="itemId" mode="IN" type="String" optional="false"/> >> <attribute name="listingType" mode="IN" type="String" optional="true"/> >> <attribute name="title" mode="IN" type="String" optional="true"/> >> - <attribute name="description" mode="IN" type="String" allow-html="safe"/> >> + <attribute name="description" mode="IN" type="String" allow-html="any"/> >> <attribute name="price" mode="IN" type="String" optional="true"/> >> <attribute name="currencyId" mode="IN" type="String" optional="true"/> >> <attribute mode="IN" name="imageData" optional="true" type="java.nio.ByteBuffer"/> |
"safe" should not have been deprecated. The input should have just been cleansed as an interim measure until a better solution could be found.
Regards Scott On 27/12/2013, at 9:37 PM, Jacques Le Roux wrote: > I agree, it's in my long TODO list... > > Jacques > > On Friday, December 27, 2013 8:43 PM [hidden email] wrote >> This is not a fix, the problem was that "safe" wasn't filtering unsafe html or returning an error. Taking all "safe" input >> parameters and making them "any" because "safe" wasn't working as intended is a bit silly to say the least. >> >> Regards >> Scott >> >> On 28/10/2013, at 12:12 PM, [hidden email] wrote: >> >>> Author: jleroux >>> Date: Mon Oct 28 12:12:43 2013 >>> New Revision: 1536324 >>> >>> URL: http://svn.apache.org/r1536324 >>> Log: >>> Fixes <<Services allow arbitrary HTML for parameters with allow-html set to "safe">> >>> https://issues.apache.org/jira/browse/OFBIZ-5254 >>> >>> After r751990, <<allow-html="any">> and <<allow-html="safe">> are the same: they do nothing! The only difference is the warning >>> message from the OWASP Antisamy IntrusionDetector, which is both, as Christoph noted "giving you a false sense of security" or >>> as I wrote "disturbing, wrong and useless". So there are no longer any reasons for differencing "safe" and "any". >>> >>> This >>> * Deprecates "safe" (making it clear in the XSD documentation), keeping only "none" and "any". This is for backward >>> compatibility, else we could completely remove the misleading "safe". Note that "none" is the default. >>> * Replaces in services definition all allow-html="safe" by allow-html="any" >>> * Remove from ModelService.java (near line 587) the code which throws the OWASP Antisamy IntrusionDetector message in log >>> >>> Modified: >>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >>> ofbiz/trunk/applications/content/servicedef/services.xml >>> ofbiz/trunk/applications/content/servicedef/services_content.xml >>> ofbiz/trunk/applications/content/servicedef/services_data.xml >>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >>> ofbiz/trunk/applications/order/servicedef/services.xml >>> ofbiz/trunk/applications/order/servicedef/services_quote.xml >>> ofbiz/trunk/applications/order/servicedef/services_request.xml >>> ofbiz/trunk/applications/party/servicedef/services.xml >>> ofbiz/trunk/applications/product/servicedef/services.xml >>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >>> ofbiz/trunk/applications/workeffort/servicedef/services.xml >>> ofbiz/trunk/framework/common/servicedef/services.xml >>> ofbiz/trunk/framework/common/servicedef/services_email.xml >>> ofbiz/trunk/framework/service/dtd/services.xsd >>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >>> >>> Modified: ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml (original) +++ >>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml Mon Oct 28 12:12:43 2013 @@ -30,7 +30,7 @@ under the >>> License. <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes include="pk" mode="OUT" optional="true"/> >>> - <override name="textData" allow-html="safe"/> >>> + <override name="textData" allow-html="any"/> >>> </service> >>> <service name="updateAgreement" default-entity-name="Agreement" engine="simple" >>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>> invoke="updateAgreement" auth="true"> @@ -38,7 +38,7 @@ under the License. >>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >>> <auto-attributes include="pk" mode="IN" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <override name="textData" allow-html="safe"/> >>> + <override name="textData" allow-html="any"/> >>> </service> >>> <service name="cancelAgreement" default-entity-name="Agreement" engine="simple" >>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>> invoke="cancelAgreement" auth="true"> @@ -65,7 +65,7 @@ under the License. >>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <override name="agreementText" allow-html="safe"/> >>> + <override name="agreementText" allow-html="any"/> >>> </service> >>> <service name="updateAgreementItem" default-entity-name="AgreementItem" engine="simple" >>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>> invoke="updateAgreementItem" auth="true"> @@ -73,7 +73,7 @@ under the License. >>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >>> <auto-attributes include="pk" mode="IN" optional="true"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <override name="agreementText" allow-html="safe"/> >>> + <override name="agreementText" allow-html="any"/> >>> </service> >>> <service name="removeAgreementItem" default-entity-name="AgreementItem" engine="simple" >>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>> invoke="removeAgreementItem" auth="true"> @@ -90,7 +90,7 @@ under the License. >>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <override name="textValue" allow-html="safe"/> >>> + <override name="textValue" allow-html="any"/> >>> </service> >>> <service name="updateAgreementTerm" default-entity-name="AgreementTerm" engine="simple" >>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>> invoke="updateAgreementTerm" auth="true"> @@ -98,7 +98,7 @@ under the License. >>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >>> <auto-attributes include="pk" mode="IN" optional="true"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <override name="textValue" allow-html="safe"/> >>> + <override name="textValue" allow-html="any"/> >>> </service> >>> <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" engine="simple" >>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>> invoke="deleteAgreementTerm" auth="true"> >>> >>> Modified: ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml (original) +++ >>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml Mon Oct 28 12:12:43 2013 @@ -56,8 +56,8 @@ under the License. >>> <override name="invoiceTypeId" mode="IN" optional="false"/> >>> <override name="partyIdFrom" mode = "IN" optional="false"/> >>> <override name="partyId" mode = "IN" optional="false"/> >>> - <override name="description" allow-html="safe"/> >>> - <override name="invoiceMessage" allow-html="safe"/> >>> + <override name="description" allow-html="any"/> >>> + <override name="invoiceMessage" allow-html="any"/> >>> </service> >>> <service name="copyInvoice" engine="simple" default-entity-name="Invoice" >>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="copyInvoice"> >>> @@ -80,8 +80,8 @@ under the License. >>> <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> >>> <auto-attributes mode="IN" include="pk" optional="false"/> >>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>> - <override name="description" allow-html="safe"/> >>> - <override name="invoiceMessage" allow-html="safe"/> >>> + <override name="description" allow-html="any"/> >>> + <override name="invoiceMessage" allow-html="any"/> >>> </service> >>> <service name="setInvoiceStatus" engine="simple" >>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="setInvoiceStatus"> >>> @@ -117,7 +117,7 @@ under the License. >>> <auto-attributes mode="IN" include="pk" optional="false"/> >>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>> <override name="invoiceItemSeqId" mode="INOUT" optional="true"/><!-- will optionally be assigned by the system --> >>> - <override name="description" allow-html="safe"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> <service name="updateInvoiceItem" engine="simple" default-entity-name="InvoiceItem" >>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="updateInvoiceItem"> >>> @@ -125,7 +125,7 @@ under the License. >>> <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> >>> <auto-attributes mode="INOUT" include="pk" optional="false"/> >>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> <service name="removeInvoiceItem" engine="simple" default-entity-name="InvoiceItem" >>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="removeInvoiceItem"> >>> @@ -276,7 +276,7 @@ under the License. >>> <attribute name="sendTo" type="String" mode="IN" optional="false"/> >>> <attribute name="sendCc" type="String" mode="IN" optional="true"/> >>> <attribute name="subject" type="String" mode="IN" optional="true"/> >>> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >>> <attribute name="other" type="String" mode="IN" optional="true"/><!-- to send the invoice in the 'other' currency (y) --> >>> </service> >>> <service name="checkInvoicePaymentApplications" engine="java" >>> @@ -412,7 +412,7 @@ under the License. >>> <auto-attributes include="pk" mode="IN" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >>> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >>> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>> <override name="contentId" optional="true"/> >>> <override name="fromDate" optional="true"/> >>> </service> >>> @@ -422,7 +422,7 @@ under the License. >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >>> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >>> </service> >>> <service name="isInvoiceInForeignCurrency" engine="simple" >>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" >>> invoke="isInvoiceInForeignCurrency" auth="true"> >>> >>> Modified: ofbiz/trunk/applications/content/servicedef/services.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/content/servicedef/services.xml (original) +++ ofbiz/trunk/applications/content/servicedef/services.xml >>> Mon Oct 28 12:12:43 2013 @@ -291,12 +291,12 @@ >>> >>> <service name="createSimpleTextContent" engine="simple" >>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="createSimpleTextContent"> >>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> - <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>> <override name="contentId" mode="INOUT"/> >>> </service> >>> <service name="updateSimpleTextContent" engine="simple" >>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="updateSimpleTextContent"> >>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="text" type="String" >>> mode="IN" optional="true" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="true" >>> allow-html="any"/> </service> >>> >>> <!-- Util --> >>> @@ -452,7 +452,7 @@ >>> <attribute mode="IN" name="forceElectronicText" optional="true" type="String"/> >>> <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> >>> <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> >>> - <override name="textData" allow-html="safe"/> >>> + <override name="textData" allow-html="any"/> >>> </service> >>> >>> <service name="persistDataResourceAndData" engine="java" >>> @@ -1052,8 +1052,8 @@ >>> <attribute name="statusId" type="String" mode="IN" optional="true"/> >>> <attribute name="description" type="String" mode="IN" optional="true"/> >>> <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> >>> - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> >>> - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/> >>> + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/> >>> </service> >>> <service name="updateBlogEntry" engine="simple" auth="true" >>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="updateBlogEntry"> >>> @@ -1065,8 +1065,8 @@ >>> <attribute name="statusId" type="String" mode="IN" optional="true"/> >>> <attribute name="description" type="String" mode="IN" optional="true"/> >>> <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> >>> - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> >>> - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/> >>> + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/> >>> </service> >>> <service name="getBlogEntry" engine="simple" auth="true" >>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="getBlogEntry"> >>> >>> Modified: ofbiz/trunk/applications/content/servicedef/services_content.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_content.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/content/servicedef/services_content.xml (original) +++ >>> ofbiz/trunk/applications/content/servicedef/services_content.xml Mon Oct 28 12:12:43 2013 @@ -48,8 +48,8 @@ >>> <attribute name="fromDate" type="Timestamp" mode="IN" optional="true"/> >>> <attribute name="sequenceNum" type="Long" mode="IN" optional="true"/> >>> <override name="contentTypeId" default-value="DOCUMENT"/> >>> - <override name="contentName" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="contentName" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> >>> <service name="createTextAndUploadedContent" engine="simple" auth="true" >>> @@ -131,8 +131,8 @@ >>> <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> >>> <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> >>> <!-- end of depricated fields --> >>> - <override name="contentName" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="contentName" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> >>> <service name="updateTextContent" engine="group" auth="true"> >>> >>> Modified: ofbiz/trunk/applications/content/servicedef/services_data.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_data.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/content/servicedef/services_data.xml (original) +++ >>> ofbiz/trunk/applications/content/servicedef/services_data.xml Mon Oct 28 12:12:43 2013 @@ -37,8 +37,8 @@ >>> <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> >>> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> >>> <attribute name="uploadedFile" type="java.nio.ByteBuffer" mode="IN" optional="true"/> >>> - <override name="objectInfo" allow-html="safe"/> >>> - <override name="dataResourceName" allow-html="safe"/> >>> + <override name="objectInfo" allow-html="any"/> >>> + <override name="dataResourceName" allow-html="any"/> >>> </service> >>> <service name="createDataResourceAndAssocToContent" default-entity-name="DataResource" engine="simple" >>> location="component://content/script/org/ofbiz/content/data/DataServices.xml" >>> invoke="createDataResourceAndAssocToContent" auth="true"> @@ -59,8 +59,8 @@ >>> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >>> <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> >>> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> >>> - <override name="objectInfo" allow-html="safe"/> >>> - <override name="dataResourceName" allow-html="safe"/> >>> + <override name="objectInfo" allow-html="any"/> >>> + <override name="dataResourceName" allow-html="any"/> >>> </service> >>> <service name="removeDataResource" engine="simple" default-entity-name="DataResource" auth="true" >>> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="deleteDataResource"> >>> @@ -90,7 +90,7 @@ >>> <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> >>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <attribute name="textData" mode="IN" optional="true" type="String" allow-html="safe"/> >>> + <attribute name="textData" mode="IN" optional="true" type="String" allow-html="any"/> >>> <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> >>> <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> >>> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >>> @@ -100,7 +100,7 @@ >>> <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> >>> <auto-attributes include="pk" mode="IN" optional="true"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <attribute name="textData" mode="IN" type="String" optional="true" allow-html="safe"/> >>> + <attribute name="textData" mode="IN" type="String" optional="true" allow-html="any"/> >>> <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> >>> <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> >>> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >>> @@ -115,7 +115,7 @@ >>> <auto-attributes include="pk" mode="IN" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <override name="dataResourceTypeId" default-value="ELECTRONIC_TEXT"/> >>> - <override name="textData" allow-html="safe"/> >>> + <override name="textData" allow-html="any"/> >>> </service> >>> <service name="updateElectronicText" default-entity-name="ElectronicText" engine="simple" >>> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="updateElectronicText" >>> auth="true"> @@ -124,7 +124,7 @@ >>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <attribute name="contentId" mode="INOUT" optional="true" type="String"/><!-- to optionaly know where this text is >>> belonging to --> - <override name="textData" allow-html="safe"/> >>> + <override name="textData" allow-html="any"/> >>> </service> >>> <service name="removeElectronicText" default-entity-name="ElectronicText" engine="simple" >>> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="removeElectronicText" >>> auth="true"> >>> >>> Modified: ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml (original) +++ >>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml Mon Oct 28 12:12:43 2013 @@ -78,9 +78,9 @@ under the >>> License. </auto-attributes> >>> <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> >>> <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> >>> - <override name="opportunityName" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> - <override name="nextStep" allow-html="safe"/> >>> + <override name="opportunityName" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> + <override name="nextStep" allow-html="any"/> >>> </service> >>> <service name="updateSalesOpportunity" engine="simple" default-entity-name="SalesOpportunity" >>> location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" invoke="updateSalesOpportunity"> >>> @@ -89,9 +89,9 @@ under the License. >>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>> <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> >>> <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> >>> - <override name="opportunityName" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> - <override name="nextStep" allow-html="safe"/> >>> + <override name="opportunityName" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> + <override name="nextStep" allow-html="any"/> >>> </service> >>> <service name="createSalesOpportunityRole" engine="simple" default-entity-name="SalesOpportunityRole" >>> location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" >>> invoke="createSalesOpportunityRole"> >>> >>> Modified: ofbiz/trunk/applications/order/servicedef/services.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/order/servicedef/services.xml (original) +++ ofbiz/trunk/applications/order/servicedef/services.xml Mon >>> Oct 28 12:12:43 2013 @@ -450,7 +450,7 @@ under the License. >>> location="org.ofbiz.order.order.OrderServices" invoke="createOrderNote" auth="true"> >>> <description>Create a note item and associate with a order header</description> >>> <attribute name="orderId" type="String" mode="IN"/> >>> - <attribute name="note" type="String" mode="IN" allow-html="safe"/> >>> + <attribute name="note" type="String" mode="IN" allow-html="any"/> >>> <attribute name="internalNote" type="String" mode="IN"/> >>> <attribute name="noteName" type="String" mode="IN" optional="true"/> >>> </service> >>> >>> Modified: ofbiz/trunk/applications/order/servicedef/services_quote.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_quote.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/order/servicedef/services_quote.xml (original) +++ >>> ofbiz/trunk/applications/order/servicedef/services_quote.xml Mon Oct 28 12:12:43 2013 @@ -255,7 +255,7 @@ under the License. >>> location="component://order/script/org/ofbiz/order/quote/QuoteServices.xml" invoke="createQuoteNote" auth="true"> >>> <description>Create a note item and associate with a quote</description> >>> <attribute name="quoteId" type="String" mode="IN"/> >>> - <attribute name="noteInfo" type="String" mode="IN" allow-html="safe"/> >>> + <attribute name="noteInfo" type="String" mode="IN" allow-html="any"/> >>> <attribute name="noteName" type="String" mode="IN" optional="true"/> >>> </service> >>> </services> >>> >>> Modified: ofbiz/trunk/applications/order/servicedef/services_request.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_request.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/order/servicedef/services_request.xml (original) +++ >>> ofbiz/trunk/applications/order/servicedef/services_request.xml Mon Oct 28 12:12:43 2013 @@ -42,9 +42,9 @@ under the License. >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes include="all" mode="IN" entity-name="CustRequestItem" optional="true"/> >>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >>> - <override name="custRequestName" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> - <override name="story" allow-html="safe"/> >>> + <override name="custRequestName" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> + <override name="story" allow-html="any"/> >>> </service> >>> <service name="updateCustRequest" engine="simple" default-entity-name="CustRequest" >>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequest" >>> auth="true"> @@ -52,10 +52,10 @@ under the License. >>> <auto-attributes include="pk" mode="IN" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <attribute name="oldStatusId" type="String" mode="OUT"/> >>> - <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> >>> + <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> >>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >>> - <override name="custRequestName" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="custRequestName" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> >>> <service name="deleteCustRequest" engine="simple" default-entity-name="CustRequest" >>> @@ -86,16 +86,16 @@ under the License. >>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <override name="custRequestItemSeqId" optional="true"/> >>> - <override name="story" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="story" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> <service name="updateCustRequestItem" engine="simple" default-entity-name="CustRequestItem" >>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestItem" >>> auth="true"> <description>Update a CustRequestItem record</description> >>> <auto-attributes include="pk" mode="IN" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <override name="story" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="story" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> <service name="copyCustRequestItem" default-entity-name="CustRequestItem" engine="simple" >>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="copyCustRequestItem" >>> auth="true"> @@ -129,7 +129,7 @@ under the License. >>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="createCustRequestNote" >>> auth="true"> <description>Create a note for a CustRequest</description> >>> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >>> - <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="safe"/> >>> + <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="any"/> >>> <attribute name="noteId" type="String" mode="OUT" optional="false"/> >>> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> >>> <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> >>> @@ -138,7 +138,7 @@ under the License. >>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestNote" >>> auth="true"> <description>Update CustRequest Note</description> >>> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >>> - <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="safe"/> >>> + <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="any"/> >>> <attribute name="noteInfo" type="String" mode="IN" optional="true"/> >>> </service> >>> <service name="createCustRequestItemNote" engine="simple" >>> @@ -146,7 +146,7 @@ under the License. >>> <description>Create a note for a CustRequestItem</description> >>> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >>> <attribute name="custRequestItemSeqId" type="String" mode="IN" optional="false"/> >>> - <attribute name="note" type="String" mode="IN" optional="false" allow-html="safe"/> >>> + <attribute name="note" type="String" mode="IN" optional="false" allow-html="any"/> >>> <attribute name="noteId" type="String" mode="OUT" optional="false"/> >>> <attribute name="partyId" type="String" mode="INOUT" optional="true"/><!-- party who created the note --> >>> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> >>> @@ -178,7 +178,7 @@ under the License. >>> <description>Set the Customer Request Status</description> >>> <attribute name="custRequestId" type="String" mode="INOUT" optional="false"/> >>> <attribute name="statusId" type="String" mode="IN" optional="false"/> >>> - <attribute name="reason" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="reason" type="String" mode="IN" optional="true" allow-html="any"/> >>> <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/> >>> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- for notification services --> >>> <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> >>> @@ -192,9 +192,9 @@ under the License. >>> <attribute name="custRequestId" mode="IN" type="String" optional="true"/> >>> <attribute name="custRequestId" mode="OUT" type="String" optional="false"/> >>> <attribute name="custRequestTypeId" mode="IN" type="String" optional="true"/> >>> - <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="safe"/> >>> - <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> >>> - <override name="content" allow-html="safe"/> >>> + <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="any"/> >>> + <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> >>> + <override name="content" allow-html="any"/> >>> </service> >>> >>> <!-- custRequest content services --> >>> >>> Modified: ofbiz/trunk/applications/party/servicedef/services.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/party/servicedef/services.xml (original) +++ ofbiz/trunk/applications/party/servicedef/services.xml Mon >>> Oct 28 12:12:43 2013 @@ -120,7 +120,7 @@ under the License. >>> <attribute name="externalId" type="String" mode="IN" optional="true"/> >>> <attribute name="statusId" type="String" mode="IN" optional="true"/> >>> <override name="groupName" optional="false"/> >>> - <override name="comments" allow-html="safe"/> >>> + <override name="comments" allow-html="any"/> >>> </service> >>> <service name="updatePartyGroup" engine="java" default-entity-name="PartyGroup" >>> location="org.ofbiz.party.party.PartyServices" invoke="updatePartyGroup" auth="true"> >>> @@ -133,7 +133,7 @@ under the License. >>> <attribute name="preferredCurrencyUomId" type="String" mode="IN" optional="true"/> >>> <attribute name="externalId" type="String" mode="IN" optional="true"/> >>> <attribute name="statusId" type="String" mode="IN" optional="true"/> >>> - <override name="comments" allow-html="safe"/> >>> + <override name="comments" allow-html="any"/> >>> </service> >>> >>> <service name="savePartyNameChange" engine="simple" >>> @@ -379,7 +379,7 @@ under the License. >>> <description>create a company/contact relationship and add the related roles</description> >>> <attribute name="accountPartyId" type="String" mode="IN"/> >>> <attribute name="contactPartyId" type="String" mode="IN"/> >>> - <attribute name="comments" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="comments" type="String" mode="IN" optional="true" allow-html="any"/> >>> </service> >>> >>> <!-- ContactMech services --> >>> @@ -768,9 +768,9 @@ under the License. >>> <attribute name="custRequestId" type="String" mode="IN" optional="true"/> >>> <attribute name="action" type="String" mode="IN" optional="true"/><!-- to indicate any special action like: REPLY, >>> REPLYALL, FORWARD or empty for no special action--> <override name="headerString" allow-html="any"/> >>> - <override name="content" allow-html="safe"/> >>> - <override name="messageId" allow-html="safe"/> >>> - <override name="subject" allow-html="safe"/> >>> + <override name="content" allow-html="any"/> >>> + <override name="messageId" allow-html="any"/> >>> + <override name="subject" allow-html="any"/> >>> </service> >>> <service name="createCommunicationEvent" engine="simple" >>> location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" >>> invoke="createCommunicationEventWithPermission" auth="true"> @@ -792,9 +792,9 @@ under the License. >>> <auto-attributes entity-name="CommunicationEvent" include="nonpk" mode="IN" optional="true"/> >>> <attribute name="contactMechPurposeTypeIdFrom" type="String" mode="IN" optional="true"><description>Set a specific >>> purpose for the originator email</description></attribute> <attribute name="oldStatusId" type="String" mode="OUT" >>> optional="true"/> >>> - <override name="messageId" allow-html="safe"/> >>> - <override name="content" allow-html="safe"/> >>> - <override name="subject" allow-html="safe"/> >>> + <override name="messageId" allow-html="any"/> >>> + <override name="content" allow-html="any"/> >>> + <override name="subject" allow-html="any"/> >>> </service> >>> <service name="deleteCommunicationEvent" engine="simple" >>> location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" >>> invoke="deleteCommunicationEvent" auth="true"> >>> >>> Modified: ofbiz/trunk/applications/product/servicedef/services.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/product/servicedef/services.xml (original) +++ ofbiz/trunk/applications/product/servicedef/services.xml >>> Mon Oct 28 12:12:43 2013 @@ -34,8 +34,8 @@ under the License. >>> <exclude field-name="lastModifiedDate"/> >>> <exclude field-name="lastModifiedByUserLogin"/> >>> </auto-attributes> >>> - <override name="description" allow-html="safe"/> >>> - <override name="longDescription" allow-html="safe"/> >>> + <override name="description" allow-html="any"/> >>> + <override name="longDescription" allow-html="any"/> >>> </service> >>> <service name="createProduct" default-entity-name="Product" engine="simple" >>> location="component://product/script/org/ofbiz/product/product/ProductServices.xml" invoke="createProduct" >>> auth="true"> @@ -70,8 +70,8 @@ under the License. >>> <attribute name="oldProductId" type="String" mode="IN" optional="false"/> >>> <attribute name="newInternalName" type="String" mode="IN" optional="true"/> >>> <attribute name="newProductName" type="String" mode="IN" optional="true"/> >>> - <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="safe"/> >>> - <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="any"/> >>> + <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="any"/> >>> <attribute name="duplicatePrices" type="String" mode="IN" optional="true"/> >>> <attribute name="duplicateIDs" type="String" mode="IN" optional="true"/> >>> <attribute name="duplicateContent" type="String" mode="IN" optional="true"/> >>> @@ -392,7 +392,7 @@ under the License. >>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>> <attribute name="subject" type="String" mode="IN" optional="false"/> >>> <attribute name="plainBody" type="String" mode="IN" optional="false"/> >>> - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> >>> <override name="contentId" optional="true" mode="INOUT"/> >>> </service> >>> <service name="updateEmailContentForProduct" default-entity-name="ProductContent" engine="simple" >>> @@ -405,7 +405,7 @@ under the License. >>> <attribute name="plainBodyDataResourceId" type="String" mode="IN" optional="true"/> >>> <attribute name="plainBody" type="String" mode="IN" optional="true"/> >>> <attribute name="htmlBodyDataResourceId" type="String" mode="IN" optional="true"/> >>> - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> >>> </service> >>> <service name="createDownloadContentForProduct" default-entity-name="ProductContent" engine="simple" >>> location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" >>> invoke="createDownloadContentForProduct" auth="true"> @@ -431,7 +431,7 @@ under the License. >>> <auto-attributes include="pk" mode="IN" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >>> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >>> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>> <override name="contentId" optional="true"/> >>> <override name="fromDate" optional="true"/> >>> </service> >>> @@ -441,13 +441,13 @@ under the License. >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >>> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >>> </service> >>> >>> <service name="createSimpleTextContentForAlternateLocale" engine="simple" >>> location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" >>> invoke="createSimpleTextContentForAlternateLocale"> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>> <attribute name="mainContentId" type="String" mode="IN" optional="false"/> - <attribute name="text" type="String" >>> mode="IN" optional="false" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="false" >>> allow-html="any"/> <override name="localeString" optional="false"/> >>> <override name="contentId" mode="INOUT"/> >>> </service> >>> @@ -967,7 +967,7 @@ under the License. >>> <auto-attributes include="pk" mode="IN" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >>> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >>> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>> <override name="contentId" optional="true"/> >>> <override name="fromDate" optional="true"/> >>> </service> >>> @@ -977,7 +977,7 @@ under the License. >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >>> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >>> </service> >>> >>> <service name="updateContentSEOForCategory" engine="simple" >>> @@ -1201,7 +1201,7 @@ under the License. >>> <auto-attributes include="pk" mode="IN" optional="true"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >>> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>> <override name="contentId" optional="true"/> >>> </service> >>> <service name="updateSimpleTextContentForProductConfigItem" default-entity-name="ProdConfItemContent" engine="simple" >>> @@ -1210,7 +1210,7 @@ under the License. >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >>> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >>> </service> >>> <service name="getProductFeaturesByType" engine="java" >>> location="org.ofbiz.product.feature.ProductFeatureServices" invoke="getProductFeaturesByType"> >>> >>> Modified: ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml (original) +++ >>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml Mon Oct 28 12:12:43 2013 @@ -138,7 +138,7 @@ under the >>> License. <exclude field-name="lastModifiedByUserLogin"/> >>> </auto-attributes> >>> <override name="promoName" optional="false"/> >>> - <override name="promoText" allow-html="safe"/> >>> + <override name="promoText" allow-html="any"/> >>> </service> >>> <service name="updateProductPromo" default-entity-name="ProductPromo" engine="simple" >>> location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="updateProductPromo" >>> auth="true"> @@ -150,7 +150,7 @@ under the License. >>> <exclude field-name="lastModifiedDate"/> >>> <exclude field-name="lastModifiedByUserLogin"/> >>> </auto-attributes> >>> - <override name="promoText" allow-html="safe"/> >>> + <override name="promoText" allow-html="any"/> >>> </service> >>> <service name="deleteProductPromo" default-entity-name="ProductPromo" engine="simple" >>> location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="deleteProductPromo" >>> auth="true"> >>> >>> Modified: ofbiz/trunk/applications/workeffort/servicedef/services.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/workeffort/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/applications/workeffort/servicedef/services.xml (original) +++ >>> ofbiz/trunk/applications/workeffort/servicedef/services.xml Mon Oct 28 12:12:43 2013 @@ -35,8 +35,8 @@ under the License. >>> <exclude field-name="lastModifiedDate"/> >>> <exclude field-name="lastModifiedByUserLogin"/> >>> </auto-attributes> >>> - <override name="workEffortName" allow-html="safe"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="workEffortName" allow-html="any"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> <service name="createWorkEffort" default-entity-name="WorkEffort" engine="simple" >>> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >>> invoke="createWorkEffort"> @@ -50,9 +50,9 @@ under the License. >>> <attribute name="communicationEventId" type="String" mode="IN" optional="true"/> >>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >>> <override name="workEffortTypeId" optional="false"/> >>> - <override name="workEffortName" optional="false" allow-html="safe"/> >>> + <override name="workEffortName" optional="false" allow-html="any"/> >>> <override name="currentStatusId" optional="false"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> <service name="createWorkEffortAndPartyAssign" default-entity-name="WorkEffort" engine="simple" >>> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >>> invoke="createWorkEffortAndPartyAssign"> @@ -429,7 +429,7 @@ under the License. >>> <auto-attributes include="pk" mode="IN" optional="false" entity-name="CustRequestWorkEffort"/> >>> <auto-attributes include="all" mode="IN" optional="true" entity-name="CustRequest"/> >>> <override name="custRequestId" optional="true" mode="INOUT"/> >>> - <override name="description" allow-html="safe"/> >>> + <override name="description" allow-html="any"/> >>> </service> >>> <service name="deleteWorkEffortRequest" engine="simple" >>> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >>> invoke="deleteWorkEffortRequest" auth="true"> <description>Deletes a CustRequestWorkEffort</description> >>> >>> Modified: ofbiz/trunk/framework/common/servicedef/services.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/framework/common/servicedef/services.xml (original) +++ ofbiz/trunk/framework/common/servicedef/services.xml Mon Oct >>> 28 12:12:43 2013 @@ -63,7 +63,7 @@ under the License. >>> <description>Create a new note record</description> >>> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> >>> <attribute name="noteName" type="String" mode="IN" optional="true"/> >>> - <attribute name="note" type="String" mode="IN" allow-html="safe"/> >>> + <attribute name="note" type="String" mode="IN" allow-html="any"/> >>> <attribute name="noteId" type="String" mode="OUT"/> >>> </service> >>> >>> @@ -72,7 +72,7 @@ under the License. >>> <description>Update a note record</description> >>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> - <override name="noteInfo" allow-html="safe"/> >>> + <override name="noteInfo" allow-html="any"/> >>> </service> >>> >>> <service name="adjustDebugLevels" engine="java" >>> @@ -109,7 +109,7 @@ under the License. >>> <auto-attributes include="pk" mode="OUT" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <override name="enumTypeId" optional="false"/> >>> - <override name="description" optional="false" allow-html="safe"/> >>> + <override name="description" optional="false" allow-html="any"/> >>> </service> >>> <service name="updateEnumeration" default-entity-name="Enumeration" engine="simple" >>> location="component://common/script/org/ofbiz/common/EnumerationServices.xml" invoke="updateEnumeration" auth="true"> >>> @@ -118,7 +118,7 @@ under the License. >>> <auto-attributes include="pk" mode="IN" optional="false"/> >>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>> <override name="enumTypeId" optional="false"/> >>> - <override name="description" optional="false" allow-html="safe"/> >>> + <override name="description" optional="false" allow-html="any"/> >>> </service> >>> <service name="deleteEnumeration" default-entity-name="Enumeration" engine="entity-auto" invoke="delete" auth="true"> >>> <description>Delete a Enumeration</description> >>> >>> Modified: ofbiz/trunk/framework/common/servicedef/services_email.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_email.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/framework/common/servicedef/services_email.xml (original) +++ >>> ofbiz/trunk/framework/common/servicedef/services_email.xml Mon Oct 28 12:12:43 2013 @@ -42,7 +42,7 @@ under the License. >>> <attribute name="sendFailureNotification" mode="IN" type="Boolean" optional="true"/> >>> <attribute name="sendPartial" mode="IN" type="Boolean" optional="true"/> >>> <attribute name="startTLSEnabled" mode="IN" type="Boolean" optional="true"/> >>> - <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="safe"/> >>> + <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="any"/> >>> <attribute name="contentType" type="String" mode="INOUT" optional="true"/> >>> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> >>> <attribute name="messageId" type="String" mode="INOUT" optional="true"/> >>> @@ -56,7 +56,7 @@ under the License. >>> <service name="sendMailOnePartInterface" engine="interface" location="" invoke=""> >>> <description>Interface service for sendMail* services.</description> >>> <implements service="sendMailInterface"/> >>> - <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="safe"/> >>> + <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="any"/> >>> <override name="contentType" mode="INOUT"/> >>> <override name="subject" mode="INOUT" optional="false"/> >>> <override name="emailType" type="String" mode="INOUT" optional="true"/> >>> @@ -98,12 +98,12 @@ under the License. >>> <implements service="sendMailInterface"/> >>> <attribute name="bodyUrl" type="String" mode="IN" optional="false"/> >>> <attribute name="bodyUrlParameters" type="Map" mode="IN" optional="true"/> >>> - <attribute name="body" type="String" mode="OUT" optional="false" allow-html="safe"/> >>> + <attribute name="body" type="String" mode="OUT" optional="false" allow-html="any"/> >>> </service> >>> <service name="sendMailFromScreenInterface" engine="interface" location="" invoke=""> >>> <description>Interface service for E-Mail sent From Screen Widget</description> >>> <implements service="sendMailInterface"/> >>> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >>> <attribute name="bodyScreenUri" type="String" mode="IN" optional="true"/> >>> <attribute name="xslfoAttachScreenLocation" type="String" mode="IN" optional="true"/> >>> <attribute name="attachmentName" type="String" mode="IN" optional="true"/> >>> @@ -132,7 +132,7 @@ under the License. >>> <implements service="sendMailInterface"/> >>> <attribute name="emailTemplateSettingId" type="String" mode="IN" optional="false"/> >>> <attribute name="partyIdTo" type="String" mode="IN" optional="true"/> >>> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >>> <attribute name="attachmentName" type="String" mode="IN" optional="true"/> >>> <attribute name="bodyParameters" type="Map" mode="IN" optional="true"/> >>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >>> @@ -143,8 +143,8 @@ under the License. >>> location="" invoke=""> >>> <description>Send Template Based Notification Service</description> >>> <implements service="sendMailInterface"/> >>> - <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="safe"/> >>> - <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="any"/> >>> + <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="any"/> >>> <attribute name="templateName" type="String" mode="IN" optional="false"/> >>> <attribute name="templateData" type="Map" mode="IN" optional="true"/> >>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >>> @@ -153,7 +153,7 @@ under the License. >>> location="" invoke=""> >>> <description>Send Template Based Notification Service</description> >>> <implements service="prepareNotificationInterface"/> >>> - <attribute name="body" type="String" mode="IN" optional="true" allow-html="safe"/> >>> + <attribute name="body" type="String" mode="IN" optional="true" allow-html="any"/> >>> <attribute name="templateName" type="String" mode="IN" optional="false"/> >>> <attribute name="templateData" type="Map" mode="IN" optional="true"/> >>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >>> >>> Modified: ofbiz/trunk/framework/service/dtd/services.xsd >>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== >>> --- ofbiz/trunk/framework/service/dtd/services.xsd (original) >>> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Oct 28 12:12:43 2013 >>> @@ -106,6 +106,7 @@ under the License. >>> If set to true and there is a transaction already in place the Service Engine will suspend that transaction, >>> begin a new one just for this service, commit or rollback the local transaction when the service is >>> complete, and will resume the original transaction. If set to true and there is no transaction already in >>> place it will just begin a transaction and manage it as would be done for a normal user-transaction=true. If >>> use-transaction=false this setting is ignored. + Beware: using require-new-transaction=true >>> in a service called (maybe not directly) by a pre-invoke or earlier event ( preprocessor, firstvisit and so on) is >>> not yet supported. </xs:documentation> </xs:annotation> <xs:simpleType> >>> @@ -348,11 +349,18 @@ under the License. >>> </xs:simpleType> >>> </xs:attribute> >>> <xs:attribute name="allow-html" use="optional" default="none"> >>> - <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" >>> element.</xs:documentation></xs:annotation> + <xs:annotation> >>> + <xs:documentation> >>> + Applies only to String fields. >>> + Only checked for incoming parameters/attributes (could change in the future, but this is meant for >>> validating input from users, other systems, etc). + Defaults to "none" meaning no HTML is allowed (will >>> result in an error message). + If some HTML is desired then use "any". >>> + There was previously "safe" but it's deprecated >>> + </xs:documentation> >>> + </xs:annotation> >>> <xs:simpleType> >>> <xs:restriction base="xs:token"> >>> <xs:enumeration value="any"/> >>> - <xs:enumeration value="safe"/> >>> <xs:enumeration value="none"/> >>> </xs:restriction> >>> </xs:simpleType> >>> @@ -424,13 +432,12 @@ under the License. >>> Applies only to String fields. >>> Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating >>> input from users, other systems, etc). Defaults to "none" meaning no HTML is allowed (will result in an error >>> message). >>> - If some HTML is desired then use "safe" which will follow the rules in the antisamy-esapi.xml file. This should >>> be safe for both internal and public users. >>> - In rare cases when users are trusted or it is not a sensitive field the "any" option may be used to not check >>> the HTML content at all. + If some HTML is desired then use "any". >>> + There was previously "safe" but it's deprecated >>> </xs:documentation></xs:annotation> >>> <xs:simpleType> >>> <xs:restriction base="xs:token"> >>> <xs:enumeration value="any"/> >>> - <xs:enumeration value="safe"/> >>> <xs:enumeration value="none"/> >>> </xs:restriction> >>> </xs:simpleType> >>> @@ -477,11 +484,18 @@ under the License. >>> </xs:simpleType> >>> </xs:attribute> >>> <xs:attribute name="allow-html" use="optional"> >>> - <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element. Note >>> that it is slightly different here as there is no defualt.</xs:documentation></xs:annotation> + <xs:annotation> >>> + <xs:documentation> >>> + Applies only to String fields. >>> + Only checked for incoming parameters/attributes (could change in the future, but this is meant for >>> validating input from users, other systems, etc). + There is no default, "none" means no HTML is allowed >>> (will result in an error message). + If some HTML is desired then use "any". >>> + There was previously "safe" but it's deprecated >>> + </xs:documentation> >>> + </xs:annotation> >>> <xs:simpleType> >>> <xs:restriction base="xs:token"> >>> <xs:enumeration value="any"/> >>> - <xs:enumeration value="safe"/> >>> <xs:enumeration value="none"/> >>> </xs:restriction> >>> </xs:simpleType> >>> >>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original) +++ >>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Mon Oct 28 12:12:43 2013 @@ -575,18 +575,12 @@ public >>> class ModelService extends Abstra // required and type validation complete, do allow-html validation >>> if ("IN".equals(mode)) { >>> List<String> errorMessageList = FastList.newInstance(); >>> - for (ModelParam modelParam: this.contextInfo.values()) { >>> - if (context.get(modelParam.name) != null && >>> - ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) && >>> - !"any".equals(modelParam.allowHtml) && >>> - ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) { >>> - // the param is a String, allow-html is none or safe, and we are looking at an IN parameter during input >>> parameter validation + for (ModelParam modelParam : this.contextInfo.values()) { >>> + // the param is a String, allow-html is not any, and we are looking at an IN parameter during input parameter >>> validation + if (context.get(modelParam.name) != null && ("String".equals(modelParam.type) || >>> "java.lang.String".equals(modelParam.type)) + && !"any".equals(modelParam.allowHtml) && >>> ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) { String value = (String) >>> context.get(modelParam.name); >>> - if ("none".equals(modelParam.allowHtml)) { >>> - StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); >>> - } else if ("safe".equals(modelParam.allowHtml)) { >>> - StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList); >>> - } >>> + StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); >>> } >>> } >>> if (errorMessageList.size() > 0) { >>> >>> Modified: ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >>> URL: >>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>> ============================================================================== --- >>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml (original) +++ >>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml Mon Oct 28 12:12:43 2013 @@ -491,7 +491,7 @@ under the License. >>> <attribute name="itemId" mode="IN" type="String" optional="false"/> >>> <attribute name="listingType" mode="IN" type="String" optional="true"/> >>> <attribute name="title" mode="IN" type="String" optional="true"/> >>> - <attribute name="description" mode="IN" type="String" allow-html="safe"/> >>> + <attribute name="description" mode="IN" type="String" allow-html="any"/> >>> <attribute name="price" mode="IN" type="String" optional="true"/> >>> <attribute name="currencyId" mode="IN" type="String" optional="true"/> >>> <attribute mode="IN" name="imageData" optional="true" type="java.nio.ByteBuffer"/> |
Administrator
|
That's why https://issues.apache.org/jira/browse/OFBIZ-5254 is not closed, just resolved as incomplete. In other word it's a temporary unsatisfying solution.
The idea is to continue https://issues.apache.org/jira/browse/OFBIZ-5343 All good wills are welcome Jacques On Friday, December 27, 2013 11:20 PM [hidden email] wrote > "safe" should not have been deprecated. The input should have just been cleansed as an interim measure until a better solution > could be found. > > Regards > Scott > > On 27/12/2013, at 9:37 PM, Jacques Le Roux wrote: > >> I agree, it's in my long TODO list... >> >> Jacques >> >> On Friday, December 27, 2013 8:43 PM [hidden email] wrote >>> This is not a fix, the problem was that "safe" wasn't filtering unsafe html or returning an error. Taking all "safe" input >>> parameters and making them "any" because "safe" wasn't working as intended is a bit silly to say the least. >>> >>> Regards >>> Scott >>> >>> On 28/10/2013, at 12:12 PM, [hidden email] wrote: >>> >>>> Author: jleroux >>>> Date: Mon Oct 28 12:12:43 2013 >>>> New Revision: 1536324 >>>> >>>> URL: http://svn.apache.org/r1536324 >>>> Log: >>>> Fixes <<Services allow arbitrary HTML for parameters with allow-html set to "safe">> >>>> https://issues.apache.org/jira/browse/OFBIZ-5254 >>>> >>>> After r751990, <<allow-html="any">> and <<allow-html="safe">> are the same: they do nothing! The only difference is the warning >>>> message from the OWASP Antisamy IntrusionDetector, which is both, as Christoph noted "giving you a false sense of security" or >>>> as I wrote "disturbing, wrong and useless". So there are no longer any reasons for differencing "safe" and "any". >>>> >>>> This >>>> * Deprecates "safe" (making it clear in the XSD documentation), keeping only "none" and "any". This is for backward >>>> compatibility, else we could completely remove the misleading "safe". Note that "none" is the default. >>>> * Replaces in services definition all allow-html="safe" by allow-html="any" >>>> * Remove from ModelService.java (near line 587) the code which throws the OWASP Antisamy IntrusionDetector message in log >>>> >>>> Modified: >>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >>>> ofbiz/trunk/applications/content/servicedef/services.xml >>>> ofbiz/trunk/applications/content/servicedef/services_content.xml >>>> ofbiz/trunk/applications/content/servicedef/services_data.xml >>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >>>> ofbiz/trunk/applications/order/servicedef/services.xml >>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml >>>> ofbiz/trunk/applications/order/servicedef/services_request.xml >>>> ofbiz/trunk/applications/party/servicedef/services.xml >>>> ofbiz/trunk/applications/product/servicedef/services.xml >>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml >>>> ofbiz/trunk/framework/common/servicedef/services.xml >>>> ofbiz/trunk/framework/common/servicedef/services_email.xml >>>> ofbiz/trunk/framework/service/dtd/services.xsd >>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >>>> >>>> Modified: ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml (original) +++ >>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml Mon Oct 28 12:12:43 2013 @@ -30,7 +30,7 @@ under the >>>> License. <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes include="pk" mode="OUT" optional="true"/> >>>> - <override name="textData" allow-html="safe"/> >>>> + <override name="textData" allow-html="any"/> >>>> </service> >>>> <service name="updateAgreement" default-entity-name="Agreement" engine="simple" >>>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>>> invoke="updateAgreement" auth="true"> @@ -38,7 +38,7 @@ under the License. >>>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <override name="textData" allow-html="safe"/> >>>> + <override name="textData" allow-html="any"/> >>>> </service> >>>> <service name="cancelAgreement" default-entity-name="Agreement" engine="simple" >>>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>>> invoke="cancelAgreement" auth="true"> @@ -65,7 +65,7 @@ under the License. >>>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <override name="agreementText" allow-html="safe"/> >>>> + <override name="agreementText" allow-html="any"/> >>>> </service> >>>> <service name="updateAgreementItem" default-entity-name="AgreementItem" engine="simple" >>>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>>> invoke="updateAgreementItem" auth="true"> @@ -73,7 +73,7 @@ under the License. >>>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >>>> <auto-attributes include="pk" mode="IN" optional="true"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <override name="agreementText" allow-html="safe"/> >>>> + <override name="agreementText" allow-html="any"/> >>>> </service> >>>> <service name="removeAgreementItem" default-entity-name="AgreementItem" engine="simple" >>>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>>> invoke="removeAgreementItem" auth="true"> @@ -90,7 +90,7 @@ under the License. >>>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/> >>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <override name="textValue" allow-html="safe"/> >>>> + <override name="textValue" allow-html="any"/> >>>> </service> >>>> <service name="updateAgreementTerm" default-entity-name="AgreementTerm" engine="simple" >>>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>>> invoke="updateAgreementTerm" auth="true"> @@ -98,7 +98,7 @@ under the License. >>>> <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/> >>>> <auto-attributes include="pk" mode="IN" optional="true"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <override name="textValue" allow-html="safe"/> >>>> + <override name="textValue" allow-html="any"/> >>>> </service> >>>> <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" engine="simple" >>>> location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" >>>> invoke="deleteAgreementTerm" auth="true"> >>>> >>>> Modified: ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml (original) +++ >>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml Mon Oct 28 12:12:43 2013 @@ -56,8 +56,8 @@ under the >>>> License. <override name="invoiceTypeId" mode="IN" optional="false"/> >>>> <override name="partyIdFrom" mode = "IN" optional="false"/> >>>> <override name="partyId" mode = "IN" optional="false"/> >>>> - <override name="description" allow-html="safe"/> >>>> - <override name="invoiceMessage" allow-html="safe"/> >>>> + <override name="description" allow-html="any"/> >>>> + <override name="invoiceMessage" allow-html="any"/> >>>> </service> >>>> <service name="copyInvoice" engine="simple" default-entity-name="Invoice" >>>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="copyInvoice"> >>>> @@ -80,8 +80,8 @@ under the License. >>>> <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> >>>> <auto-attributes mode="IN" include="pk" optional="false"/> >>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>> - <override name="description" allow-html="safe"/> >>>> - <override name="invoiceMessage" allow-html="safe"/> >>>> + <override name="description" allow-html="any"/> >>>> + <override name="invoiceMessage" allow-html="any"/> >>>> </service> >>>> <service name="setInvoiceStatus" engine="simple" >>>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="setInvoiceStatus"> >>>> @@ -117,7 +117,7 @@ under the License. >>>> <auto-attributes mode="IN" include="pk" optional="false"/> >>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>> <override name="invoiceItemSeqId" mode="INOUT" optional="true"/><!-- will optionally be assigned by the system --> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> <service name="updateInvoiceItem" engine="simple" default-entity-name="InvoiceItem" >>>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="updateInvoiceItem"> >>>> @@ -125,7 +125,7 @@ under the License. >>>> <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/> >>>> <auto-attributes mode="INOUT" include="pk" optional="false"/> >>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> <service name="removeInvoiceItem" engine="simple" default-entity-name="InvoiceItem" >>>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="removeInvoiceItem"> >>>> @@ -276,7 +276,7 @@ under the License. >>>> <attribute name="sendTo" type="String" mode="IN" optional="false"/> >>>> <attribute name="sendCc" type="String" mode="IN" optional="true"/> >>>> <attribute name="subject" type="String" mode="IN" optional="true"/> >>>> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >>>> <attribute name="other" type="String" mode="IN" optional="true"/><!-- to send the invoice in the 'other' currency (y) >>>> --> </service> >>>> <service name="checkInvoicePaymentApplications" engine="java" >>>> @@ -412,7 +412,7 @@ under the License. >>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >>>> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >>>> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>>> <override name="contentId" optional="true"/> >>>> <override name="fromDate" optional="true"/> >>>> </service> >>>> @@ -422,7 +422,7 @@ under the License. >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >>>> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >>>> </service> >>>> <service name="isInvoiceInForeignCurrency" engine="simple" >>>> location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" >>>> invoke="isInvoiceInForeignCurrency" auth="true"> >>>> >>>> Modified: ofbiz/trunk/applications/content/servicedef/services.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/content/servicedef/services.xml (original) +++ >>>> ofbiz/trunk/applications/content/servicedef/services.xml Mon Oct 28 12:12:43 2013 @@ -291,12 +291,12 @@ >>>> >>>> <service name="createSimpleTextContent" engine="simple" >>>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="createSimpleTextContent"> >>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> - <attribute name="text" type="String" mode="IN" >>>> optional="false" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="false" >>>> allow-html="any"/> <override name="contentId" mode="INOUT"/> >>>> </service> >>>> <service name="updateSimpleTextContent" engine="simple" >>>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="updateSimpleTextContent"> >>>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> - <attribute name="text" type="String" >>>> mode="IN" optional="true" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="true" >>>> allow-html="any"/> </service> >>>> >>>> <!-- Util --> >>>> @@ -452,7 +452,7 @@ >>>> <attribute mode="IN" name="forceElectronicText" optional="true" type="String"/> >>>> <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> >>>> <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> >>>> - <override name="textData" allow-html="safe"/> >>>> + <override name="textData" allow-html="any"/> >>>> </service> >>>> >>>> <service name="persistDataResourceAndData" engine="java" >>>> @@ -1052,8 +1052,8 @@ >>>> <attribute name="statusId" type="String" mode="IN" optional="true"/> >>>> <attribute name="description" type="String" mode="IN" optional="true"/> >>>> <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> >>>> - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/> >>>> + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/> >>>> </service> >>>> <service name="updateBlogEntry" engine="simple" auth="true" >>>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="updateBlogEntry"> >>>> @@ -1065,8 +1065,8 @@ >>>> <attribute name="statusId" type="String" mode="IN" optional="true"/> >>>> <attribute name="description" type="String" mode="IN" optional="true"/> >>>> <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/> >>>> - <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> - <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/> >>>> + <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/> >>>> </service> >>>> <service name="getBlogEntry" engine="simple" auth="true" >>>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="getBlogEntry"> >>>> >>>> Modified: ofbiz/trunk/applications/content/servicedef/services_content.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_content.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/content/servicedef/services_content.xml (original) +++ >>>> ofbiz/trunk/applications/content/servicedef/services_content.xml Mon Oct 28 12:12:43 2013 @@ -48,8 +48,8 @@ >>>> <attribute name="fromDate" type="Timestamp" mode="IN" optional="true"/> >>>> <attribute name="sequenceNum" type="Long" mode="IN" optional="true"/> >>>> <override name="contentTypeId" default-value="DOCUMENT"/> >>>> - <override name="contentName" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="contentName" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> >>>> <service name="createTextAndUploadedContent" engine="simple" auth="true" >>>> @@ -131,8 +131,8 @@ >>>> <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/> >>>> <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/> >>>> <!-- end of depricated fields --> >>>> - <override name="contentName" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="contentName" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> >>>> <service name="updateTextContent" engine="group" auth="true"> >>>> >>>> Modified: ofbiz/trunk/applications/content/servicedef/services_data.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_data.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/content/servicedef/services_data.xml (original) +++ >>>> ofbiz/trunk/applications/content/servicedef/services_data.xml Mon Oct 28 12:12:43 2013 @@ -37,8 +37,8 @@ >>>> <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> >>>> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> >>>> <attribute name="uploadedFile" type="java.nio.ByteBuffer" mode="IN" optional="true"/> >>>> - <override name="objectInfo" allow-html="safe"/> >>>> - <override name="dataResourceName" allow-html="safe"/> >>>> + <override name="objectInfo" allow-html="any"/> >>>> + <override name="dataResourceName" allow-html="any"/> >>>> </service> >>>> <service name="createDataResourceAndAssocToContent" default-entity-name="DataResource" engine="simple" >>>> location="component://content/script/org/ofbiz/content/data/DataServices.xml" >>>> invoke="createDataResourceAndAssocToContent" auth="true"> @@ -59,8 +59,8 @@ >>>> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >>>> <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/> >>>> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/> >>>> - <override name="objectInfo" allow-html="safe"/> >>>> - <override name="dataResourceName" allow-html="safe"/> >>>> + <override name="objectInfo" allow-html="any"/> >>>> + <override name="dataResourceName" allow-html="any"/> >>>> </service> >>>> <service name="removeDataResource" engine="simple" default-entity-name="DataResource" auth="true" >>>> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="deleteDataResource"> >>>> @@ -90,7 +90,7 @@ >>>> <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> >>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <attribute name="textData" mode="IN" optional="true" type="String" allow-html="safe"/> >>>> + <attribute name="textData" mode="IN" optional="true" type="String" allow-html="any"/> >>>> <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> >>>> <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> >>>> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >>>> @@ -100,7 +100,7 @@ >>>> <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description> >>>> <auto-attributes include="pk" mode="IN" optional="true"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <attribute name="textData" mode="IN" type="String" optional="true" allow-html="safe"/> >>>> + <attribute name="textData" mode="IN" type="String" optional="true" allow-html="any"/> >>>> <attribute name="targetOperationList" type="List" mode="IN" optional="true"/> >>>> <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/> >>>> <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/> >>>> @@ -115,7 +115,7 @@ >>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <override name="dataResourceTypeId" default-value="ELECTRONIC_TEXT"/> >>>> - <override name="textData" allow-html="safe"/> >>>> + <override name="textData" allow-html="any"/> >>>> </service> >>>> <service name="updateElectronicText" default-entity-name="ElectronicText" engine="simple" >>>> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="updateElectronicText" >>>> auth="true"> @@ -124,7 +124,7 @@ >>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <attribute name="contentId" mode="INOUT" optional="true" type="String"/><!-- to optionaly know where this text is >>>> belonging to --> - <override name="textData" allow-html="safe"/> >>>> + <override name="textData" allow-html="any"/> >>>> </service> >>>> <service name="removeElectronicText" default-entity-name="ElectronicText" engine="simple" >>>> location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="removeElectronicText" >>>> auth="true"> >>>> >>>> Modified: ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml (original) +++ >>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml Mon Oct 28 12:12:43 2013 @@ -78,9 +78,9 @@ under the >>>> License. </auto-attributes> >>>> <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> >>>> <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> >>>> - <override name="opportunityName" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> - <override name="nextStep" allow-html="safe"/> >>>> + <override name="opportunityName" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> + <override name="nextStep" allow-html="any"/> >>>> </service> >>>> <service name="updateSalesOpportunity" engine="simple" default-entity-name="SalesOpportunity" >>>> location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" invoke="updateSalesOpportunity"> >>>> @@ -89,9 +89,9 @@ under the License. >>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>> <attribute name="accountPartyId" mode="IN" type="String" optional="true"/> >>>> <attribute name="leadPartyId" mode="IN" type="String" optional="true"/> >>>> - <override name="opportunityName" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> - <override name="nextStep" allow-html="safe"/> >>>> + <override name="opportunityName" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> + <override name="nextStep" allow-html="any"/> >>>> </service> >>>> <service name="createSalesOpportunityRole" engine="simple" default-entity-name="SalesOpportunityRole" >>>> location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" >>>> invoke="createSalesOpportunityRole"> >>>> >>>> Modified: ofbiz/trunk/applications/order/servicedef/services.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/order/servicedef/services.xml (original) +++ ofbiz/trunk/applications/order/servicedef/services.xml >>>> Mon Oct 28 12:12:43 2013 @@ -450,7 +450,7 @@ under the License. >>>> location="org.ofbiz.order.order.OrderServices" invoke="createOrderNote" auth="true"> >>>> <description>Create a note item and associate with a order header</description> >>>> <attribute name="orderId" type="String" mode="IN"/> >>>> - <attribute name="note" type="String" mode="IN" allow-html="safe"/> >>>> + <attribute name="note" type="String" mode="IN" allow-html="any"/> >>>> <attribute name="internalNote" type="String" mode="IN"/> >>>> <attribute name="noteName" type="String" mode="IN" optional="true"/> >>>> </service> >>>> >>>> Modified: ofbiz/trunk/applications/order/servicedef/services_quote.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_quote.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml (original) +++ >>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml Mon Oct 28 12:12:43 2013 @@ -255,7 +255,7 @@ under the License. >>>> location="component://order/script/org/ofbiz/order/quote/QuoteServices.xml" invoke="createQuoteNote" auth="true"> >>>> <description>Create a note item and associate with a quote</description> >>>> <attribute name="quoteId" type="String" mode="IN"/> >>>> - <attribute name="noteInfo" type="String" mode="IN" allow-html="safe"/> >>>> + <attribute name="noteInfo" type="String" mode="IN" allow-html="any"/> >>>> <attribute name="noteName" type="String" mode="IN" optional="true"/> >>>> </service> >>>> </services> >>>> >>>> Modified: ofbiz/trunk/applications/order/servicedef/services_request.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_request.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/order/servicedef/services_request.xml (original) +++ >>>> ofbiz/trunk/applications/order/servicedef/services_request.xml Mon Oct 28 12:12:43 2013 @@ -42,9 +42,9 @@ under the License. >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes include="all" mode="IN" entity-name="CustRequestItem" optional="true"/> >>>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >>>> - <override name="custRequestName" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> - <override name="story" allow-html="safe"/> >>>> + <override name="custRequestName" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> + <override name="story" allow-html="any"/> >>>> </service> >>>> <service name="updateCustRequest" engine="simple" default-entity-name="CustRequest" >>>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequest" >>>> auth="true"> @@ -52,10 +52,10 @@ under the License. >>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <attribute name="oldStatusId" type="String" mode="OUT"/> >>>> - <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> >>>> + <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> >>>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >>>> - <override name="custRequestName" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="custRequestName" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> >>>> <service name="deleteCustRequest" engine="simple" default-entity-name="CustRequest" >>>> @@ -86,16 +86,16 @@ under the License. >>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <override name="custRequestItemSeqId" optional="true"/> >>>> - <override name="story" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="story" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> <service name="updateCustRequestItem" engine="simple" default-entity-name="CustRequestItem" >>>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestItem" >>>> auth="true"> <description>Update a CustRequestItem record</description> >>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <override name="story" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="story" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> <service name="copyCustRequestItem" default-entity-name="CustRequestItem" engine="simple" >>>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="copyCustRequestItem" >>>> auth="true"> @@ -129,7 +129,7 @@ under the License. >>>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="createCustRequestNote" >>>> auth="true"> <description>Create a note for a CustRequest</description> >>>> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >>>> - <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="safe"/> >>>> + <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="any"/> >>>> <attribute name="noteId" type="String" mode="OUT" optional="false"/> >>>> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> >>>> <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> >>>> @@ -138,7 +138,7 @@ under the License. >>>> location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestNote" >>>> auth="true"> <description>Update CustRequest Note</description> >>>> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >>>> - <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="safe"/> >>>> + <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="any"/> >>>> <attribute name="noteInfo" type="String" mode="IN" optional="true"/> >>>> </service> >>>> <service name="createCustRequestItemNote" engine="simple" >>>> @@ -146,7 +146,7 @@ under the License. >>>> <description>Create a note for a CustRequestItem</description> >>>> <attribute name="custRequestId" type="String" mode="IN" optional="false"/> >>>> <attribute name="custRequestItemSeqId" type="String" mode="IN" optional="false"/> >>>> - <attribute name="note" type="String" mode="IN" optional="false" allow-html="safe"/> >>>> + <attribute name="note" type="String" mode="IN" optional="false" allow-html="any"/> >>>> <attribute name="noteId" type="String" mode="OUT" optional="false"/> >>>> <attribute name="partyId" type="String" mode="INOUT" optional="true"/><!-- party who created the note --> >>>> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified --> >>>> @@ -178,7 +178,7 @@ under the License. >>>> <description>Set the Customer Request Status</description> >>>> <attribute name="custRequestId" type="String" mode="INOUT" optional="false"/> >>>> <attribute name="statusId" type="String" mode="IN" optional="false"/> >>>> - <attribute name="reason" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="reason" type="String" mode="IN" optional="true" allow-html="any"/> >>>> <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/> >>>> <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- for notification services --> >>>> <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services --> >>>> @@ -192,9 +192,9 @@ under the License. >>>> <attribute name="custRequestId" mode="IN" type="String" optional="true"/> >>>> <attribute name="custRequestId" mode="OUT" type="String" optional="false"/> >>>> <attribute name="custRequestTypeId" mode="IN" type="String" optional="true"/> >>>> - <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="safe"/> >>>> - <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/> >>>> - <override name="content" allow-html="safe"/> >>>> + <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="any"/> >>>> + <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/> >>>> + <override name="content" allow-html="any"/> >>>> </service> >>>> >>>> <!-- custRequest content services --> >>>> >>>> Modified: ofbiz/trunk/applications/party/servicedef/services.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/party/servicedef/services.xml (original) +++ ofbiz/trunk/applications/party/servicedef/services.xml >>>> Mon Oct 28 12:12:43 2013 @@ -120,7 +120,7 @@ under the License. >>>> <attribute name="externalId" type="String" mode="IN" optional="true"/> >>>> <attribute name="statusId" type="String" mode="IN" optional="true"/> >>>> <override name="groupName" optional="false"/> >>>> - <override name="comments" allow-html="safe"/> >>>> + <override name="comments" allow-html="any"/> >>>> </service> >>>> <service name="updatePartyGroup" engine="java" default-entity-name="PartyGroup" >>>> location="org.ofbiz.party.party.PartyServices" invoke="updatePartyGroup" auth="true"> >>>> @@ -133,7 +133,7 @@ under the License. >>>> <attribute name="preferredCurrencyUomId" type="String" mode="IN" optional="true"/> >>>> <attribute name="externalId" type="String" mode="IN" optional="true"/> >>>> <attribute name="statusId" type="String" mode="IN" optional="true"/> >>>> - <override name="comments" allow-html="safe"/> >>>> + <override name="comments" allow-html="any"/> >>>> </service> >>>> >>>> <service name="savePartyNameChange" engine="simple" >>>> @@ -379,7 +379,7 @@ under the License. >>>> <description>create a company/contact relationship and add the related roles</description> >>>> <attribute name="accountPartyId" type="String" mode="IN"/> >>>> <attribute name="contactPartyId" type="String" mode="IN"/> >>>> - <attribute name="comments" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="comments" type="String" mode="IN" optional="true" allow-html="any"/> >>>> </service> >>>> >>>> <!-- ContactMech services --> >>>> @@ -768,9 +768,9 @@ under the License. >>>> <attribute name="custRequestId" type="String" mode="IN" optional="true"/> >>>> <attribute name="action" type="String" mode="IN" optional="true"/><!-- to indicate any special action like: REPLY, >>>> REPLYALL, FORWARD or empty for no special action--> <override name="headerString" allow-html="any"/> >>>> - <override name="content" allow-html="safe"/> >>>> - <override name="messageId" allow-html="safe"/> >>>> - <override name="subject" allow-html="safe"/> >>>> + <override name="content" allow-html="any"/> >>>> + <override name="messageId" allow-html="any"/> >>>> + <override name="subject" allow-html="any"/> >>>> </service> >>>> <service name="createCommunicationEvent" engine="simple" >>>> location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" >>>> invoke="createCommunicationEventWithPermission" auth="true"> @@ -792,9 +792,9 @@ under the License. >>>> <auto-attributes entity-name="CommunicationEvent" include="nonpk" mode="IN" optional="true"/> >>>> <attribute name="contactMechPurposeTypeIdFrom" type="String" mode="IN" optional="true"><description>Set a specific >>>> purpose for the originator email</description></attribute> <attribute name="oldStatusId" type="String" mode="OUT" >>>> optional="true"/> >>>> - <override name="messageId" allow-html="safe"/> >>>> - <override name="content" allow-html="safe"/> >>>> - <override name="subject" allow-html="safe"/> >>>> + <override name="messageId" allow-html="any"/> >>>> + <override name="content" allow-html="any"/> >>>> + <override name="subject" allow-html="any"/> >>>> </service> >>>> <service name="deleteCommunicationEvent" engine="simple" >>>> location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" >>>> invoke="deleteCommunicationEvent" auth="true"> >>>> >>>> Modified: ofbiz/trunk/applications/product/servicedef/services.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/product/servicedef/services.xml (original) +++ >>>> ofbiz/trunk/applications/product/servicedef/services.xml Mon Oct 28 12:12:43 2013 @@ -34,8 +34,8 @@ under the License. >>>> <exclude field-name="lastModifiedDate"/> >>>> <exclude field-name="lastModifiedByUserLogin"/> >>>> </auto-attributes> >>>> - <override name="description" allow-html="safe"/> >>>> - <override name="longDescription" allow-html="safe"/> >>>> + <override name="description" allow-html="any"/> >>>> + <override name="longDescription" allow-html="any"/> >>>> </service> >>>> <service name="createProduct" default-entity-name="Product" engine="simple" >>>> location="component://product/script/org/ofbiz/product/product/ProductServices.xml" invoke="createProduct" >>>> auth="true"> @@ -70,8 +70,8 @@ under the License. >>>> <attribute name="oldProductId" type="String" mode="IN" optional="false"/> >>>> <attribute name="newInternalName" type="String" mode="IN" optional="true"/> >>>> <attribute name="newProductName" type="String" mode="IN" optional="true"/> >>>> - <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> - <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="any"/> >>>> + <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="any"/> >>>> <attribute name="duplicatePrices" type="String" mode="IN" optional="true"/> >>>> <attribute name="duplicateIDs" type="String" mode="IN" optional="true"/> >>>> <attribute name="duplicateContent" type="String" mode="IN" optional="true"/> >>>> @@ -392,7 +392,7 @@ under the License. >>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>>> <attribute name="subject" type="String" mode="IN" optional="false"/> >>>> <attribute name="plainBody" type="String" mode="IN" optional="false"/> >>>> - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> >>>> <override name="contentId" optional="true" mode="INOUT"/> >>>> </service> >>>> <service name="updateEmailContentForProduct" default-entity-name="ProductContent" engine="simple" >>>> @@ -405,7 +405,7 @@ under the License. >>>> <attribute name="plainBodyDataResourceId" type="String" mode="IN" optional="true"/> >>>> <attribute name="plainBody" type="String" mode="IN" optional="true"/> >>>> <attribute name="htmlBodyDataResourceId" type="String" mode="IN" optional="true"/> >>>> - <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/> >>>> </service> >>>> <service name="createDownloadContentForProduct" default-entity-name="ProductContent" engine="simple" >>>> location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" >>>> invoke="createDownloadContentForProduct" auth="true"> @@ -431,7 +431,7 @@ under the License. >>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >>>> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >>>> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>>> <override name="contentId" optional="true"/> >>>> <override name="fromDate" optional="true"/> >>>> </service> >>>> @@ -441,13 +441,13 @@ under the License. >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >>>> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >>>> </service> >>>> >>>> <service name="createSimpleTextContentForAlternateLocale" engine="simple" >>>> location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" >>>> invoke="createSimpleTextContentForAlternateLocale"> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>>> <attribute name="mainContentId" type="String" mode="IN" optional="false"/> - <attribute name="text" type="String" >>>> mode="IN" optional="false" allow-html="safe"/> + <attribute name="text" type="String" mode="IN" optional="false" >>>> allow-html="any"/> <override name="localeString" optional="false"/> >>>> <override name="contentId" mode="INOUT"/> >>>> </service> >>>> @@ -967,7 +967,7 @@ under the License. >>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >>>> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >>>> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>>> <override name="contentId" optional="true"/> >>>> <override name="fromDate" optional="true"/> >>>> </service> >>>> @@ -977,7 +977,7 @@ under the License. >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/> >>>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >>>> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >>>> </service> >>>> >>>> <service name="updateContentSEOForCategory" engine="simple" >>>> @@ -1201,7 +1201,7 @@ under the License. >>>> <auto-attributes include="pk" mode="IN" optional="true"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>>> - <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/> >>>> + <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/> >>>> <override name="contentId" optional="true"/> >>>> </service> >>>> <service name="updateSimpleTextContentForProductConfigItem" default-entity-name="ProdConfItemContent" engine="simple" >>>> @@ -1210,7 +1210,7 @@ under the License. >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>>> <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/> >>>> - <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/> >>>> </service> >>>> <service name="getProductFeaturesByType" engine="java" >>>> location="org.ofbiz.product.feature.ProductFeatureServices" invoke="getProductFeaturesByType"> >>>> >>>> Modified: ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml (original) +++ >>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml Mon Oct 28 12:12:43 2013 @@ -138,7 +138,7 @@ under the >>>> License. <exclude field-name="lastModifiedByUserLogin"/> >>>> </auto-attributes> >>>> <override name="promoName" optional="false"/> >>>> - <override name="promoText" allow-html="safe"/> >>>> + <override name="promoText" allow-html="any"/> >>>> </service> >>>> <service name="updateProductPromo" default-entity-name="ProductPromo" engine="simple" >>>> location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="updateProductPromo" >>>> auth="true"> @@ -150,7 +150,7 @@ under the License. >>>> <exclude field-name="lastModifiedDate"/> >>>> <exclude field-name="lastModifiedByUserLogin"/> >>>> </auto-attributes> >>>> - <override name="promoText" allow-html="safe"/> >>>> + <override name="promoText" allow-html="any"/> >>>> </service> >>>> <service name="deleteProductPromo" default-entity-name="ProductPromo" engine="simple" >>>> location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="deleteProductPromo" >>>> auth="true"> >>>> >>>> Modified: ofbiz/trunk/applications/workeffort/servicedef/services.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/workeffort/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml (original) +++ >>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml Mon Oct 28 12:12:43 2013 @@ -35,8 +35,8 @@ under the License. >>>> <exclude field-name="lastModifiedDate"/> >>>> <exclude field-name="lastModifiedByUserLogin"/> >>>> </auto-attributes> >>>> - <override name="workEffortName" allow-html="safe"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="workEffortName" allow-html="any"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> <service name="createWorkEffort" default-entity-name="WorkEffort" engine="simple" >>>> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >>>> invoke="createWorkEffort"> @@ -50,9 +50,9 @@ under the License. >>>> <attribute name="communicationEventId" type="String" mode="IN" optional="true"/> >>>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services --> >>>> <override name="workEffortTypeId" optional="false"/> >>>> - <override name="workEffortName" optional="false" allow-html="safe"/> >>>> + <override name="workEffortName" optional="false" allow-html="any"/> >>>> <override name="currentStatusId" optional="false"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> <service name="createWorkEffortAndPartyAssign" default-entity-name="WorkEffort" engine="simple" >>>> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >>>> invoke="createWorkEffortAndPartyAssign"> @@ -429,7 +429,7 @@ under the License. >>>> <auto-attributes include="pk" mode="IN" optional="false" entity-name="CustRequestWorkEffort"/> >>>> <auto-attributes include="all" mode="IN" optional="true" entity-name="CustRequest"/> >>>> <override name="custRequestId" optional="true" mode="INOUT"/> >>>> - <override name="description" allow-html="safe"/> >>>> + <override name="description" allow-html="any"/> >>>> </service> >>>> <service name="deleteWorkEffortRequest" engine="simple" >>>> location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" >>>> invoke="deleteWorkEffortRequest" auth="true"> <description>Deletes a CustRequestWorkEffort</description> >>>> >>>> Modified: ofbiz/trunk/framework/common/servicedef/services.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/framework/common/servicedef/services.xml (original) +++ ofbiz/trunk/framework/common/servicedef/services.xml Mon >>>> Oct 28 12:12:43 2013 @@ -63,7 +63,7 @@ under the License. >>>> <description>Create a new note record</description> >>>> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> >>>> <attribute name="noteName" type="String" mode="IN" optional="true"/> >>>> - <attribute name="note" type="String" mode="IN" allow-html="safe"/> >>>> + <attribute name="note" type="String" mode="IN" allow-html="any"/> >>>> <attribute name="noteId" type="String" mode="OUT"/> >>>> </service> >>>> >>>> @@ -72,7 +72,7 @@ under the License. >>>> <description>Update a note record</description> >>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> - <override name="noteInfo" allow-html="safe"/> >>>> + <override name="noteInfo" allow-html="any"/> >>>> </service> >>>> >>>> <service name="adjustDebugLevels" engine="java" >>>> @@ -109,7 +109,7 @@ under the License. >>>> <auto-attributes include="pk" mode="OUT" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <override name="enumTypeId" optional="false"/> >>>> - <override name="description" optional="false" allow-html="safe"/> >>>> + <override name="description" optional="false" allow-html="any"/> >>>> </service> >>>> <service name="updateEnumeration" default-entity-name="Enumeration" engine="simple" >>>> location="component://common/script/org/ofbiz/common/EnumerationServices.xml" invoke="updateEnumeration" auth="true"> >>>> @@ -118,7 +118,7 @@ under the License. >>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>> <override name="enumTypeId" optional="false"/> >>>> - <override name="description" optional="false" allow-html="safe"/> >>>> + <override name="description" optional="false" allow-html="any"/> >>>> </service> >>>> <service name="deleteEnumeration" default-entity-name="Enumeration" engine="entity-auto" invoke="delete" auth="true"> >>>> <description>Delete a Enumeration</description> >>>> >>>> Modified: ofbiz/trunk/framework/common/servicedef/services_email.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_email.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/framework/common/servicedef/services_email.xml (original) +++ >>>> ofbiz/trunk/framework/common/servicedef/services_email.xml Mon Oct 28 12:12:43 2013 @@ -42,7 +42,7 @@ under the License. >>>> <attribute name="sendFailureNotification" mode="IN" type="Boolean" optional="true"/> >>>> <attribute name="sendPartial" mode="IN" type="Boolean" optional="true"/> >>>> <attribute name="startTLSEnabled" mode="IN" type="Boolean" optional="true"/> >>>> - <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="safe"/> >>>> + <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="any"/> >>>> <attribute name="contentType" type="String" mode="INOUT" optional="true"/> >>>> <attribute name="partyId" type="String" mode="INOUT" optional="true"/> >>>> <attribute name="messageId" type="String" mode="INOUT" optional="true"/> >>>> @@ -56,7 +56,7 @@ under the License. >>>> <service name="sendMailOnePartInterface" engine="interface" location="" invoke=""> >>>> <description>Interface service for sendMail* services.</description> >>>> <implements service="sendMailInterface"/> >>>> - <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="safe"/> >>>> + <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="any"/> >>>> <override name="contentType" mode="INOUT"/> >>>> <override name="subject" mode="INOUT" optional="false"/> >>>> <override name="emailType" type="String" mode="INOUT" optional="true"/> >>>> @@ -98,12 +98,12 @@ under the License. >>>> <implements service="sendMailInterface"/> >>>> <attribute name="bodyUrl" type="String" mode="IN" optional="false"/> >>>> <attribute name="bodyUrlParameters" type="Map" mode="IN" optional="true"/> >>>> - <attribute name="body" type="String" mode="OUT" optional="false" allow-html="safe"/> >>>> + <attribute name="body" type="String" mode="OUT" optional="false" allow-html="any"/> >>>> </service> >>>> <service name="sendMailFromScreenInterface" engine="interface" location="" invoke=""> >>>> <description>Interface service for E-Mail sent From Screen Widget</description> >>>> <implements service="sendMailInterface"/> >>>> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >>>> <attribute name="bodyScreenUri" type="String" mode="IN" optional="true"/> >>>> <attribute name="xslfoAttachScreenLocation" type="String" mode="IN" optional="true"/> >>>> <attribute name="attachmentName" type="String" mode="IN" optional="true"/> >>>> @@ -132,7 +132,7 @@ under the License. >>>> <implements service="sendMailInterface"/> >>>> <attribute name="emailTemplateSettingId" type="String" mode="IN" optional="false"/> >>>> <attribute name="partyIdTo" type="String" mode="IN" optional="true"/> >>>> - <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/> >>>> <attribute name="attachmentName" type="String" mode="IN" optional="true"/> >>>> <attribute name="bodyParameters" type="Map" mode="IN" optional="true"/> >>>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >>>> @@ -143,8 +143,8 @@ under the License. >>>> location="" invoke=""> >>>> <description>Send Template Based Notification Service</description> >>>> <implements service="sendMailInterface"/> >>>> - <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="safe"/> >>>> - <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="any"/> >>>> + <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="any"/> >>>> <attribute name="templateName" type="String" mode="IN" optional="false"/> >>>> <attribute name="templateData" type="Map" mode="IN" optional="true"/> >>>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >>>> @@ -153,7 +153,7 @@ under the License. >>>> location="" invoke=""> >>>> <description>Send Template Based Notification Service</description> >>>> <implements service="prepareNotificationInterface"/> >>>> - <attribute name="body" type="String" mode="IN" optional="true" allow-html="safe"/> >>>> + <attribute name="body" type="String" mode="IN" optional="true" allow-html="any"/> >>>> <attribute name="templateName" type="String" mode="IN" optional="false"/> >>>> <attribute name="templateData" type="Map" mode="IN" optional="true"/> >>>> <attribute name="webSiteId" type="String" mode="IN" optional="true"/> >>>> >>>> Modified: ofbiz/trunk/framework/service/dtd/services.xsd >>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== >>>> --- ofbiz/trunk/framework/service/dtd/services.xsd (original) >>>> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Oct 28 12:12:43 2013 >>>> @@ -106,6 +106,7 @@ under the License. >>>> If set to true and there is a transaction already in place the Service Engine will suspend that transaction, >>>> begin a new one just for this service, commit or rollback the local transaction when the service is >>>> complete, and will resume the original transaction. If set to true and there is no transaction already in >>>> place it will just begin a transaction and manage it as would be done for a normal user-transaction=true. If >>>> use-transaction=false this setting is ignored. + Beware: using require-new-transaction=true >>>> in a service called (maybe not directly) by a pre-invoke or earlier event ( preprocessor, firstvisit and so on) is >>>> not yet supported. </xs:documentation> </xs:annotation> <xs:simpleType> >>>> @@ -348,11 +349,18 @@ under the License. >>>> </xs:simpleType> >>>> </xs:attribute> >>>> <xs:attribute name="allow-html" use="optional" default="none"> >>>> - <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" >>>> element.</xs:documentation></xs:annotation> + <xs:annotation> >>>> + <xs:documentation> >>>> + Applies only to String fields. >>>> + Only checked for incoming parameters/attributes (could change in the future, but this is meant for >>>> validating input from users, other systems, etc). + Defaults to "none" meaning no HTML is allowed (will >>>> result in an error message). + If some HTML is desired then use "any". >>>> + There was previously "safe" but it's deprecated >>>> + </xs:documentation> >>>> + </xs:annotation> >>>> <xs:simpleType> >>>> <xs:restriction base="xs:token"> >>>> <xs:enumeration value="any"/> >>>> - <xs:enumeration value="safe"/> >>>> <xs:enumeration value="none"/> >>>> </xs:restriction> >>>> </xs:simpleType> >>>> @@ -424,13 +432,12 @@ under the License. >>>> Applies only to String fields. >>>> Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating >>>> input from users, other systems, etc). Defaults to "none" meaning no HTML is allowed (will result in an error >>>> message). >>>> - If some HTML is desired then use "safe" which will follow the rules in the antisamy-esapi.xml file. This >>>> should be safe for both internal and public users. >>>> - In rare cases when users are trusted or it is not a sensitive field the "any" option may be used to not check >>>> the HTML content at all. + If some HTML is desired then use "any". >>>> + There was previously "safe" but it's deprecated >>>> </xs:documentation></xs:annotation> >>>> <xs:simpleType> >>>> <xs:restriction base="xs:token"> >>>> <xs:enumeration value="any"/> >>>> - <xs:enumeration value="safe"/> >>>> <xs:enumeration value="none"/> >>>> </xs:restriction> >>>> </xs:simpleType> >>>> @@ -477,11 +484,18 @@ under the License. >>>> </xs:simpleType> >>>> </xs:attribute> >>>> <xs:attribute name="allow-html" use="optional"> >>>> - <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element. >>>> Note that it is slightly different here as there is no defualt.</xs:documentation></xs:annotation> + <xs:annotation> >>>> + <xs:documentation> >>>> + Applies only to String fields. >>>> + Only checked for incoming parameters/attributes (could change in the future, but this is meant for >>>> validating input from users, other systems, etc). + There is no default, "none" means no HTML is allowed >>>> (will result in an error message). + If some HTML is desired then use "any". >>>> + There was previously "safe" but it's deprecated >>>> + </xs:documentation> >>>> + </xs:annotation> >>>> <xs:simpleType> >>>> <xs:restriction base="xs:token"> >>>> <xs:enumeration value="any"/> >>>> - <xs:enumeration value="safe"/> >>>> <xs:enumeration value="none"/> >>>> </xs:restriction> >>>> </xs:simpleType> >>>> >>>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original) +++ >>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Mon Oct 28 12:12:43 2013 @@ -575,18 +575,12 @@ public >>>> class ModelService extends Abstra // required and type validation complete, do allow-html validation >>>> if ("IN".equals(mode)) { >>>> List<String> errorMessageList = FastList.newInstance(); >>>> - for (ModelParam modelParam: this.contextInfo.values()) { >>>> - if (context.get(modelParam.name) != null && >>>> - ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) && >>>> - !"any".equals(modelParam.allowHtml) && >>>> - ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) { >>>> - // the param is a String, allow-html is none or safe, and we are looking at an IN parameter during input >>>> parameter validation + for (ModelParam modelParam : this.contextInfo.values()) { >>>> + // the param is a String, allow-html is not any, and we are looking at an IN parameter during input parameter >>>> validation + if (context.get(modelParam.name) != null && ("String".equals(modelParam.type) || >>>> "java.lang.String".equals(modelParam.type)) + && !"any".equals(modelParam.allowHtml) && >>>> ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) { String value = (String) >>>> context.get(modelParam.name); >>>> - if ("none".equals(modelParam.allowHtml)) { >>>> - StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); >>>> - } else if ("safe".equals(modelParam.allowHtml)) { >>>> - StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList); >>>> - } >>>> + StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList); >>>> } >>>> } >>>> if (errorMessageList.size() > 0) { >>>> >>>> Modified: ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >>>> URL: >>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>> ============================================================================== --- >>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml (original) +++ >>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml Mon Oct 28 12:12:43 2013 @@ -491,7 +491,7 @@ under the License. >>>> <attribute name="itemId" mode="IN" type="String" optional="false"/> >>>> <attribute name="listingType" mode="IN" type="String" optional="true"/> >>>> <attribute name="title" mode="IN" type="String" optional="true"/> >>>> - <attribute name="description" mode="IN" type="String" allow-html="safe"/> >>>> + <attribute name="description" mode="IN" type="String" allow-html="any"/> >>>> <attribute name="price" mode="IN" type="String" optional="true"/> >>>> <attribute name="currencyId" mode="IN" type="String" optional="true"/> >>>> <attribute mode="IN" name="imageData" optional="true" type="java.nio.ByteBuffer"/> |
I am resurrecting this old thread, because I think that Scott's remarks and
concerns to Jacques' commit were valid and the response of Jacques was not satisfactory: in fact the two tickets Jacques mentioned have been resolved but the issues that Scott identified in Jacques' commit are still there. We should consider reverting the commit but my post for now is as a reminder and to restart the conversation. Jacopo On Sat, Dec 28, 2013 at 12:54 AM, Jacques Le Roux < [hidden email]> wrote: > That's why https://issues.apache.org/jira/browse/OFBIZ-5254 is not > closed, just resolved as incomplete. In other word it's a temporary > unsatisfying solution. > The idea is to continue https://issues.apache.org/jira/browse/OFBIZ-5343 > All good wills are welcome > > Jacques > > On Friday, December 27, 2013 11:20 PM [hidden email] wrote > > "safe" should not have been deprecated. The input should have just been > cleansed as an interim measure until a better solution > > could be found. > > > > Regards > > Scott > > > > On 27/12/2013, at 9:37 PM, Jacques Le Roux wrote: > > > >> I agree, it's in my long TODO list... > >> > >> Jacques > >> > >> On Friday, December 27, 2013 8:43 PM [hidden email] wrote > >>> This is not a fix, the problem was that "safe" wasn't filtering unsafe > html or returning an error. Taking all "safe" input > >>> parameters and making them "any" because "safe" wasn't working as > intended is a bit silly to say the least. > >>> > >>> Regards > >>> Scott > >>> > >>> On 28/10/2013, at 12:12 PM, [hidden email] wrote: > >>> > >>>> Author: jleroux > >>>> Date: Mon Oct 28 12:12:43 2013 > >>>> New Revision: 1536324 > >>>> > >>>> URL: http://svn.apache.org/r1536324 > >>>> Log: > >>>> Fixes <<Services allow arbitrary HTML for parameters with allow-html > set to "safe">> > >>>> https://issues.apache.org/jira/browse/OFBIZ-5254 > >>>> > >>>> After r751990, <<allow-html="any">> and <<allow-html="safe">> are the > same: they do nothing! The only difference is the warning > >>>> message from the OWASP Antisamy IntrusionDetector, which is both, as > Christoph noted "giving you a false sense of security" or > >>>> as I wrote "disturbing, wrong and useless". So there are no longer > any reasons for differencing "safe" and "any". > >>>> > >>>> This > >>>> * Deprecates "safe" (making it clear in the XSD documentation), > keeping only "none" and "any". This is for backward > >>>> compatibility, else we could completely remove the misleading "safe". > Note that "none" is the default. > >>>> * Replaces in services definition all allow-html="safe" by > allow-html="any" > >>>> * Remove from ModelService.java (near line 587) the code which throws > the OWASP Antisamy IntrusionDetector message in log > >>>> > >>>> Modified: > >>>> ofbiz/trunk/applications/accounting/servicedef/ > services_agreement.xml > >>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml > >>>> ofbiz/trunk/applications/content/servicedef/services.xml > >>>> ofbiz/trunk/applications/content/servicedef/services_content.xml > >>>> ofbiz/trunk/applications/content/servicedef/services_data.xml > >>>> ofbiz/trunk/applications/marketing/servicedef/services_ > opportunity.xml > >>>> ofbiz/trunk/applications/order/servicedef/services.xml > >>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml > >>>> ofbiz/trunk/applications/order/servicedef/services_request.xml > >>>> ofbiz/trunk/applications/party/servicedef/services.xml > >>>> ofbiz/trunk/applications/product/servicedef/services.xml > >>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml > >>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml > >>>> ofbiz/trunk/framework/common/servicedef/services.xml > >>>> ofbiz/trunk/framework/common/servicedef/services_email.xml > >>>> ofbiz/trunk/framework/service/dtd/services.xsd > >>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ > ModelService.java > >>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml > >>>> > >>>> Modified: ofbiz/trunk/applications/accounting/servicedef/ > services_agreement.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > accounting/servicedef/services_agreement.xml?rev= > 1536324&r1=1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml > (original) +++ > >>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml > Mon Oct 28 12:12:43 2013 @@ -30,7 +30,7 @@ under the > >>>> License. <permission-service service-name="acctgAgreementPermissionCheck" > main-action="CREATE"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes include="pk" mode="OUT" optional="true"/> > >>>> - <override name="textData" allow-html="safe"/> > >>>> + <override name="textData" allow-html="any"/> > >>>> </service> > >>>> <service name="updateAgreement" default-entity-name="Agreement" > engine="simple" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/agreement/AgreementServices.xml" > >>>> invoke="updateAgreement" auth="true"> @@ -38,7 +38,7 @@ under the > License. > >>>> <permission-service service-name="acctgAgreementPermissionCheck" > main-action="UPDATE"/> > >>>> <auto-attributes include="pk" mode="IN" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <override name="textData" allow-html="safe"/> > >>>> + <override name="textData" allow-html="any"/> > >>>> </service> > >>>> <service name="cancelAgreement" default-entity-name="Agreement" > engine="simple" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/agreement/AgreementServices.xml" > >>>> invoke="cancelAgreement" auth="true"> @@ -65,7 +65,7 @@ under the > License. > >>>> <permission-service service-name="acctgAgreementPermissionCheck" > main-action="CREATE"/> > >>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <override name="agreementText" allow-html="safe"/> > >>>> + <override name="agreementText" allow-html="any"/> > >>>> </service> > >>>> <service name="updateAgreementItem" default-entity-name="AgreementItem" > engine="simple" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/agreement/AgreementServices.xml" > >>>> invoke="updateAgreementItem" auth="true"> @@ -73,7 +73,7 @@ under the > License. > >>>> <permission-service service-name="acctgAgreementPermissionCheck" > main-action="UPDATE"/> > >>>> <auto-attributes include="pk" mode="IN" optional="true"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <override name="agreementText" allow-html="safe"/> > >>>> + <override name="agreementText" allow-html="any"/> > >>>> </service> > >>>> <service name="removeAgreementItem" default-entity-name="AgreementItem" > engine="simple" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/agreement/AgreementServices.xml" > >>>> invoke="removeAgreementItem" auth="true"> @@ -90,7 +90,7 @@ under the > License. > >>>> <permission-service service-name="acctgAgreementPermissionCheck" > main-action="CREATE"/> > >>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <override name="textValue" allow-html="safe"/> > >>>> + <override name="textValue" allow-html="any"/> > >>>> </service> > >>>> <service name="updateAgreementTerm" default-entity-name="AgreementTerm" > engine="simple" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/agreement/AgreementServices.xml" > >>>> invoke="updateAgreementTerm" auth="true"> @@ -98,7 +98,7 @@ under the > License. > >>>> <permission-service service-name="acctgAgreementPermissionCheck" > main-action="UPDATE"/> > >>>> <auto-attributes include="pk" mode="IN" optional="true"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <override name="textValue" allow-html="safe"/> > >>>> + <override name="textValue" allow-html="any"/> > >>>> </service> > >>>> <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" > engine="simple" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/agreement/AgreementServices.xml" > >>>> invoke="deleteAgreementTerm" auth="true"> > >>>> > >>>> Modified: ofbiz/trunk/applications/accounting/servicedef/ > services_invoice.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > accounting/servicedef/services_invoice.xml?rev= > 1536324&r1=1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml > (original) +++ > >>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml > Mon Oct 28 12:12:43 2013 @@ -56,8 +56,8 @@ under the > >>>> License. <override name="invoiceTypeId" mode="IN" > optional="false"/> > >>>> <override name="partyIdFrom" mode = "IN" optional="false"/> > >>>> <override name="partyId" mode = "IN" optional="false"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> - <override name="invoiceMessage" allow-html="safe"/> > >>>> + <override name="description" allow-html="any"/> > >>>> + <override name="invoiceMessage" allow-html="any"/> > >>>> </service> > >>>> <service name="copyInvoice" engine="simple" > default-entity-name="Invoice" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/invoice/InvoiceServices.xml" invoke="copyInvoice"> > >>>> @@ -80,8 +80,8 @@ under the License. > >>>> <permission-service service-name="acctgInvoicePermissionCheck" > main-action="UPDATE"/> > >>>> <auto-attributes mode="IN" include="pk" optional="false"/> > >>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> - <override name="invoiceMessage" allow-html="safe"/> > >>>> + <override name="description" allow-html="any"/> > >>>> + <override name="invoiceMessage" allow-html="any"/> > >>>> </service> > >>>> <service name="setInvoiceStatus" engine="simple" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/invoice/InvoiceServices.xml" invoke="setInvoiceStatus"> > >>>> @@ -117,7 +117,7 @@ under the License. > >>>> <auto-attributes mode="IN" include="pk" optional="false"/> > >>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> > >>>> <override name="invoiceItemSeqId" mode="INOUT" > optional="true"/><!-- will optionally be assigned by the system --> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> <service name="updateInvoiceItem" engine="simple" > default-entity-name="InvoiceItem" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/invoice/InvoiceServices.xml" invoke="updateInvoiceItem"> > >>>> @@ -125,7 +125,7 @@ under the License. > >>>> <permission-service service-name="acctgInvoicePermissionCheck" > main-action="UPDATE"/> > >>>> <auto-attributes mode="INOUT" include="pk" optional="false"/> > >>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> <service name="removeInvoiceItem" engine="simple" > default-entity-name="InvoiceItem" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/invoice/InvoiceServices.xml" invoke="removeInvoiceItem"> > >>>> @@ -276,7 +276,7 @@ under the License. > >>>> <attribute name="sendTo" type="String" mode="IN" > optional="false"/> > >>>> <attribute name="sendCc" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="subject" type="String" mode="IN" > optional="true"/> > >>>> - <attribute name="bodyText" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="bodyText" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> <attribute name="other" type="String" mode="IN" > optional="true"/><!-- to send the invoice in the 'other' currency (y) > >>>> --> </service> > >>>> <service name="checkInvoicePaymentApplications" engine="java" > >>>> @@ -412,7 +412,7 @@ under the License. > >>>> <auto-attributes include="pk" mode="IN" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes entity-name="Content" include="nonpk" > mode="IN" optional="true"/> > >>>> - <attribute name="text" type="String" mode="IN" > optional="false" allow-html="safe"/> > >>>> + <attribute name="text" type="String" mode="IN" > optional="false" allow-html="any"/> > >>>> <override name="contentId" optional="true"/> > >>>> <override name="fromDate" optional="true"/> > >>>> </service> > >>>> @@ -422,7 +422,7 @@ under the License. > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes mode="IN" entity-name="Content" > optional="true"/> > >>>> <attribute name="textDataResourceId" type="String" mode="IN" > optional="true"/> > >>>> - <attribute name="text" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="text" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> </service> > >>>> <service name="isInvoiceInForeignCurrency" engine="simple" > >>>> location="component://accounting/script/org/ofbiz/ > accounting/invoice/InvoiceServices.xml" > >>>> invoke="isInvoiceInForeignCurrency" auth="true"> > >>>> > >>>> Modified: ofbiz/trunk/applications/content/servicedef/services.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > content/servicedef/services.xml?rev=1536324&r1=1536323&r2= > 1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/content/servicedef/services.xml (original) > +++ > >>>> ofbiz/trunk/applications/content/servicedef/services.xml Mon Oct 28 > 12:12:43 2013 @@ -291,12 +291,12 @@ > >>>> > >>>> <service name="createSimpleTextContent" engine="simple" > >>>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" > invoke="createSimpleTextContent"> > >>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> - > <attribute name="text" type="String" mode="IN" > >>>> optional="false" allow-html="safe"/> + <attribute name="text" > type="String" mode="IN" optional="false" > >>>> allow-html="any"/> <override name="contentId" mode="INOUT"/> > >>>> </service> > >>>> <service name="updateSimpleTextContent" engine="simple" > >>>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" > invoke="updateSimpleTextContent"> > >>>> <attribute name="textDataResourceId" type="String" mode="IN" > optional="true"/> - <attribute name="text" type="String" > >>>> mode="IN" optional="true" allow-html="safe"/> + <attribute > name="text" type="String" mode="IN" optional="true" > >>>> allow-html="any"/> </service> > >>>> > >>>> <!-- Util --> > >>>> @@ -452,7 +452,7 @@ > >>>> <attribute mode="IN" name="forceElectronicText" > optional="true" type="String"/> > >>>> <attribute mode="IN" name="displayFailCond" optional="true" > type="Boolean"/> > >>>> <attribute mode="INOUT" name="roleTypeList" optional="true" > type="List"/> > >>>> - <override name="textData" allow-html="safe"/> > >>>> + <override name="textData" allow-html="any"/> > >>>> </service> > >>>> > >>>> <service name="persistDataResourceAndData" engine="java" > >>>> @@ -1052,8 +1052,8 @@ > >>>> <attribute name="statusId" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="description" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="templateDataResourceId" type="String" > mode="IN" optional="true"/> > >>>> - <attribute name="articleData" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> - <attribute name="summaryData" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="articleData" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> + <attribute name="summaryData" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> </service> > >>>> <service name="updateBlogEntry" engine="simple" auth="true" > >>>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" > invoke="updateBlogEntry"> > >>>> @@ -1065,8 +1065,8 @@ > >>>> <attribute name="statusId" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="description" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="templateDataResourceId" type="String" > mode="IN" optional="true"/> > >>>> - <attribute name="articleData" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> - <attribute name="summaryData" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="articleData" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> + <attribute name="summaryData" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> </service> > >>>> <service name="getBlogEntry" engine="simple" auth="true" > >>>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" > invoke="getBlogEntry"> > >>>> > >>>> Modified: ofbiz/trunk/applications/content/servicedef/services_ > content.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > content/servicedef/services_content.xml?rev=1536324&r1= > 1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/content/servicedef/services_content.xml > (original) +++ > >>>> ofbiz/trunk/applications/content/servicedef/services_content.xml Mon > Oct 28 12:12:43 2013 @@ -48,8 +48,8 @@ > >>>> <attribute name="fromDate" type="Timestamp" mode="IN" > optional="true"/> > >>>> <attribute name="sequenceNum" type="Long" mode="IN" > optional="true"/> > >>>> <override name="contentTypeId" default-value="DOCUMENT"/> > >>>> - <override name="contentName" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="contentName" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> > >>>> <service name="createTextAndUploadedContent" engine="simple" > auth="true" > >>>> @@ -131,8 +131,8 @@ > >>>> <attribute mode="IN" name="displayFailCond" optional="true" > type="Boolean"/> > >>>> <attribute mode="INOUT" name="roleTypeList" optional="true" > type="List"/> > >>>> <!-- end of depricated fields --> > >>>> - <override name="contentName" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="contentName" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> > >>>> <service name="updateTextContent" engine="group" auth="true"> > >>>> > >>>> Modified: ofbiz/trunk/applications/content/servicedef/services_ > data.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > content/servicedef/services_data.xml?rev=1536324&r1= > 1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/content/servicedef/services_data.xml > (original) +++ > >>>> ofbiz/trunk/applications/content/servicedef/services_data.xml Mon > Oct 28 12:12:43 2013 @@ -37,8 +37,8 @@ > >>>> <attribute name="dataResourceId" type="String" mode="OUT" > optional="false"/> > >>>> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" > mode="OUT" optional="true"/> > >>>> <attribute name="uploadedFile" type="java.nio.ByteBuffer" > mode="IN" optional="true"/> > >>>> - <override name="objectInfo" allow-html="safe"/> > >>>> - <override name="dataResourceName" allow-html="safe"/> > >>>> + <override name="objectInfo" allow-html="any"/> > >>>> + <override name="dataResourceName" allow-html="any"/> > >>>> </service> > >>>> <service name="createDataResourceAndAssocToContent" > default-entity-name="DataResource" engine="simple" > >>>> location="component://content/ > script/org/ofbiz/content/data/DataServices.xml" > >>>> invoke="createDataResourceAndAssocToContent" auth="true"> @@ -59,8 > +59,8 @@ > >>>> <attribute name="skipPermissionCheck" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="dataResourceId" type="String" mode="OUT" > optional="false"/> > >>>> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" > mode="OUT" optional="true"/> > >>>> - <override name="objectInfo" allow-html="safe"/> > >>>> - <override name="dataResourceName" allow-html="safe"/> > >>>> + <override name="objectInfo" allow-html="any"/> > >>>> + <override name="dataResourceName" allow-html="any"/> > >>>> </service> > >>>> <service name="removeDataResource" engine="simple" > default-entity-name="DataResource" auth="true" > >>>> location="component://content/ > script/org/ofbiz/content/data/DataServices.xml" > invoke="deleteDataResource"> > >>>> @@ -90,7 +90,7 @@ > >>>> <description>Create a DataResource and, possibly, > ElectronicText or ImageDataResource</description> > >>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <attribute name="textData" mode="IN" optional="true" > type="String" allow-html="safe"/> > >>>> + <attribute name="textData" mode="IN" optional="true" > type="String" allow-html="any"/> > >>>> <attribute name="targetOperationList" type="List" mode="IN" > optional="true"/> > >>>> <attribute name="contentPurposeList" type="List" mode="IN" > optional="true"/> > >>>> <attribute name="skipPermissionCheck" type="String" mode="IN" > optional="true"/> > >>>> @@ -100,7 +100,7 @@ > >>>> <description>Create a DataResource and, possibly, > ElectronicText or ImageDataResource</description> > >>>> <auto-attributes include="pk" mode="IN" optional="true"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <attribute name="textData" mode="IN" type="String" > optional="true" allow-html="safe"/> > >>>> + <attribute name="textData" mode="IN" type="String" > optional="true" allow-html="any"/> > >>>> <attribute name="targetOperationList" type="List" mode="IN" > optional="true"/> > >>>> <attribute name="contentPurposeList" type="List" mode="IN" > optional="true"/> > >>>> <attribute name="skipPermissionCheck" type="String" mode="IN" > optional="true"/> > >>>> @@ -115,7 +115,7 @@ > >>>> <auto-attributes include="pk" mode="IN" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <override name="dataResourceTypeId" default-value="ELECTRONIC_ > TEXT"/> > >>>> - <override name="textData" allow-html="safe"/> > >>>> + <override name="textData" allow-html="any"/> > >>>> </service> > >>>> <service name="updateElectronicText" default-entity-name="ElectronicText" > engine="simple" > >>>> location="component://content/ > script/org/ofbiz/content/data/DataServices.xml" > invoke="updateElectronicText" > >>>> auth="true"> @@ -124,7 +124,7 @@ > >>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <attribute name="contentId" mode="INOUT" optional="true" > type="String"/><!-- to optionaly know where this text is > >>>> belonging to --> - <override name="textData" > allow-html="safe"/> > >>>> + <override name="textData" allow-html="any"/> > >>>> </service> > >>>> <service name="removeElectronicText" default-entity-name="ElectronicText" > engine="simple" > >>>> location="component://content/ > script/org/ofbiz/content/data/DataServices.xml" > invoke="removeElectronicText" > >>>> auth="true"> > >>>> > >>>> Modified: ofbiz/trunk/applications/marketing/servicedef/services_ > opportunity.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > marketing/servicedef/services_opportunity.xml?rev=1536324& > r1=1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml > (original) +++ > >>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml > Mon Oct 28 12:12:43 2013 @@ -78,9 +78,9 @@ under the > >>>> License. </auto-attributes> > >>>> <attribute name="accountPartyId" mode="IN" type="String" > optional="true"/> > >>>> <attribute name="leadPartyId" mode="IN" type="String" > optional="true"/> > >>>> - <override name="opportunityName" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> - <override name="nextStep" allow-html="safe"/> > >>>> + <override name="opportunityName" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> + <override name="nextStep" allow-html="any"/> > >>>> </service> > >>>> <service name="updateSalesOpportunity" engine="simple" > default-entity-name="SalesOpportunity" > >>>> location="component://order/script/org/ofbiz/order/ > opportunity/OpportunityServices.xml" invoke="updateSalesOpportunity"> > >>>> @@ -89,9 +89,9 @@ under the License. > >>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> > >>>> <attribute name="accountPartyId" mode="IN" type="String" > optional="true"/> > >>>> <attribute name="leadPartyId" mode="IN" type="String" > optional="true"/> > >>>> - <override name="opportunityName" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> - <override name="nextStep" allow-html="safe"/> > >>>> + <override name="opportunityName" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> + <override name="nextStep" allow-html="any"/> > >>>> </service> > >>>> <service name="createSalesOpportunityRole" engine="simple" > default-entity-name="SalesOpportunityRole" > >>>> location="component://order/script/org/ofbiz/order/ > opportunity/OpportunityServices.xml" > >>>> invoke="createSalesOpportunityRole"> > >>>> > >>>> Modified: ofbiz/trunk/applications/order/servicedef/services.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > order/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/order/servicedef/services.xml (original) > +++ ofbiz/trunk/applications/order/servicedef/services.xml > >>>> Mon Oct 28 12:12:43 2013 @@ -450,7 +450,7 @@ under the License. > >>>> location="org.ofbiz.order.order.OrderServices" > invoke="createOrderNote" auth="true"> > >>>> <description>Create a note item and associate with a order > header</description> > >>>> <attribute name="orderId" type="String" mode="IN"/> > >>>> - <attribute name="note" type="String" mode="IN" > allow-html="safe"/> > >>>> + <attribute name="note" type="String" mode="IN" > allow-html="any"/> > >>>> <attribute name="internalNote" type="String" mode="IN"/> > >>>> <attribute name="noteName" type="String" mode="IN" > optional="true"/> > >>>> </service> > >>>> > >>>> Modified: ofbiz/trunk/applications/order/servicedef/services_ > quote.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > order/servicedef/services_quote.xml?rev=1536324&r1= > 1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml > (original) +++ > >>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml Mon Oct > 28 12:12:43 2013 @@ -255,7 +255,7 @@ under the License. > >>>> location="component://order/script/org/ofbiz/order/quote/QuoteServices.xml" > invoke="createQuoteNote" auth="true"> > >>>> <description>Create a note item and associate with a > quote</description> > >>>> <attribute name="quoteId" type="String" mode="IN"/> > >>>> - <attribute name="noteInfo" type="String" mode="IN" > allow-html="safe"/> > >>>> + <attribute name="noteInfo" type="String" mode="IN" > allow-html="any"/> > >>>> <attribute name="noteName" type="String" mode="IN" > optional="true"/> > >>>> </service> > >>>> </services> > >>>> > >>>> Modified: ofbiz/trunk/applications/order/servicedef/services_ > request.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > order/servicedef/services_request.xml?rev=1536324&r1= > 1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/order/servicedef/services_request.xml > (original) +++ > >>>> ofbiz/trunk/applications/order/servicedef/services_request.xml Mon > Oct 28 12:12:43 2013 @@ -42,9 +42,9 @@ under the License. > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes include="all" mode="IN" > entity-name="CustRequestItem" optional="true"/> > >>>> <attribute name="webSiteId" type="String" mode="IN" > optional="true"/><!-- for notification services --> > >>>> - <override name="custRequestName" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> - <override name="story" allow-html="safe"/> > >>>> + <override name="custRequestName" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> + <override name="story" allow-html="any"/> > >>>> </service> > >>>> <service name="updateCustRequest" engine="simple" > default-entity-name="CustRequest" > >>>> location="component://order/script/org/ofbiz/order/ > request/CustRequestServices.xml" invoke="updateCustRequest" > >>>> auth="true"> @@ -52,10 +52,10 @@ under the License. > >>>> <auto-attributes include="pk" mode="IN" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <attribute name="oldStatusId" type="String" mode="OUT"/> > >>>> - <attribute name="story" mode="IN" type="String" > optional="true" allow-html="safe"/> > >>>> + <attribute name="story" mode="IN" type="String" > optional="true" allow-html="any"/> > >>>> <attribute name="webSiteId" type="String" mode="IN" > optional="true"/><!-- for notification services --> > >>>> - <override name="custRequestName" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="custRequestName" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> > >>>> <service name="deleteCustRequest" engine="simple" > default-entity-name="CustRequest" > >>>> @@ -86,16 +86,16 @@ under the License. > >>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <override name="custRequestItemSeqId" optional="true"/> > >>>> - <override name="story" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="story" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> <service name="updateCustRequestItem" engine="simple" > default-entity-name="CustRequestItem" > >>>> location="component://order/script/org/ofbiz/order/ > request/CustRequestServices.xml" invoke="updateCustRequestItem" > >>>> auth="true"> <description>Update a CustRequestItem > record</description> > >>>> <auto-attributes include="pk" mode="IN" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <override name="story" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="story" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> <service name="copyCustRequestItem" default-entity-name="CustRequestItem" > engine="simple" > >>>> location="component://order/script/org/ofbiz/order/ > request/CustRequestServices.xml" invoke="copyCustRequestItem" > >>>> auth="true"> @@ -129,7 +129,7 @@ under the License. > >>>> location="component://order/script/org/ofbiz/order/ > request/CustRequestServices.xml" invoke="createCustRequestNote" > >>>> auth="true"> <description>Create a note for a > CustRequest</description> > >>>> <attribute name="custRequestId" type="String" mode="IN" > optional="false"/> > >>>> - <attribute name="noteInfo" type="String" mode="IN" > optional="false" allow-html="safe"/> > >>>> + <attribute name="noteInfo" type="String" mode="IN" > optional="false" allow-html="any"/> > >>>> <attribute name="noteId" type="String" mode="OUT" > optional="false"/> > >>>> <attribute name="fromPartyId" type="String" mode="OUT" > optional="true"/><!-- party to be notified --> > >>>> <attribute name="custRequestName" type="String" mode="OUT" > optional="true"/><!-- for notification services --> > >>>> @@ -138,7 +138,7 @@ under the License. > >>>> location="component://order/script/org/ofbiz/order/ > request/CustRequestServices.xml" invoke="updateCustRequestNote" > >>>> auth="true"> <description>Update CustRequest Note</description> > >>>> <attribute name="custRequestId" type="String" mode="IN" > optional="false"/> > >>>> - <attribute name="noteId" type="String" mode="IN" > optional="false" allow-html="safe"/> > >>>> + <attribute name="noteId" type="String" mode="IN" > optional="false" allow-html="any"/> > >>>> <attribute name="noteInfo" type="String" mode="IN" > optional="true"/> > >>>> </service> > >>>> <service name="createCustRequestItemNote" engine="simple" > >>>> @@ -146,7 +146,7 @@ under the License. > >>>> <description>Create a note for a CustRequestItem</description> > >>>> <attribute name="custRequestId" type="String" mode="IN" > optional="false"/> > >>>> <attribute name="custRequestItemSeqId" type="String" mode="IN" > optional="false"/> > >>>> - <attribute name="note" type="String" mode="IN" > optional="false" allow-html="safe"/> > >>>> + <attribute name="note" type="String" mode="IN" > optional="false" allow-html="any"/> > >>>> <attribute name="noteId" type="String" mode="OUT" > optional="false"/> > >>>> <attribute name="partyId" type="String" mode="INOUT" > optional="true"/><!-- party who created the note --> > >>>> <attribute name="fromPartyId" type="String" mode="OUT" > optional="true"/><!-- party to be notified --> > >>>> @@ -178,7 +178,7 @@ under the License. > >>>> <description>Set the Customer Request Status</description> > >>>> <attribute name="custRequestId" type="String" mode="INOUT" > optional="false"/> > >>>> <attribute name="statusId" type="String" mode="IN" > optional="false"/> > >>>> - <attribute name="reason" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="reason" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> <attribute name="oldStatusId" type="String" mode="OUT" > optional="true"/> > >>>> <attribute name="fromPartyId" type="String" mode="OUT" > optional="true"/><!-- for notification services --> > >>>> <attribute name="custRequestName" type="String" mode="OUT" > optional="true"/><!-- for notification services --> > >>>> @@ -192,9 +192,9 @@ under the License. > >>>> <attribute name="custRequestId" mode="IN" type="String" > optional="true"/> > >>>> <attribute name="custRequestId" mode="OUT" type="String" > optional="false"/> > >>>> <attribute name="custRequestTypeId" mode="IN" type="String" > optional="true"/> > >>>> - <attribute name="custRequestName" mode="IN" type="String" > optional="true" allow-html="safe"/> > >>>> - <attribute name="story" mode="IN" type="String" > optional="true" allow-html="safe"/> > >>>> - <override name="content" allow-html="safe"/> > >>>> + <attribute name="custRequestName" mode="IN" type="String" > optional="true" allow-html="any"/> > >>>> + <attribute name="story" mode="IN" type="String" > optional="true" allow-html="any"/> > >>>> + <override name="content" allow-html="any"/> > >>>> </service> > >>>> > >>>> <!-- custRequest content services --> > >>>> > >>>> Modified: ofbiz/trunk/applications/party/servicedef/services.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > party/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/party/servicedef/services.xml (original) > +++ ofbiz/trunk/applications/party/servicedef/services.xml > >>>> Mon Oct 28 12:12:43 2013 @@ -120,7 +120,7 @@ under the License. > >>>> <attribute name="externalId" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="statusId" type="String" mode="IN" > optional="true"/> > >>>> <override name="groupName" optional="false"/> > >>>> - <override name="comments" allow-html="safe"/> > >>>> + <override name="comments" allow-html="any"/> > >>>> </service> > >>>> <service name="updatePartyGroup" engine="java" > default-entity-name="PartyGroup" > >>>> location="org.ofbiz.party.party.PartyServices" > invoke="updatePartyGroup" auth="true"> > >>>> @@ -133,7 +133,7 @@ under the License. > >>>> <attribute name="preferredCurrencyUomId" type="String" > mode="IN" optional="true"/> > >>>> <attribute name="externalId" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="statusId" type="String" mode="IN" > optional="true"/> > >>>> - <override name="comments" allow-html="safe"/> > >>>> + <override name="comments" allow-html="any"/> > >>>> </service> > >>>> > >>>> <service name="savePartyNameChange" engine="simple" > >>>> @@ -379,7 +379,7 @@ under the License. > >>>> <description>create a company/contact relationship and add the > related roles</description> > >>>> <attribute name="accountPartyId" type="String" mode="IN"/> > >>>> <attribute name="contactPartyId" type="String" mode="IN"/> > >>>> - <attribute name="comments" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="comments" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> </service> > >>>> > >>>> <!-- ContactMech services --> > >>>> @@ -768,9 +768,9 @@ under the License. > >>>> <attribute name="custRequestId" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="action" type="String" mode="IN" > optional="true"/><!-- to indicate any special action like: REPLY, > >>>> REPLYALL, FORWARD or empty for no special action--> <override > name="headerString" allow-html="any"/> > >>>> - <override name="content" allow-html="safe"/> > >>>> - <override name="messageId" allow-html="safe"/> > >>>> - <override name="subject" allow-html="safe"/> > >>>> + <override name="content" allow-html="any"/> > >>>> + <override name="messageId" allow-html="any"/> > >>>> + <override name="subject" allow-html="any"/> > >>>> </service> > >>>> <service name="createCommunicationEvent" engine="simple" > >>>> location="component://party/script/org/ofbiz/party/ > communication/CommunicationEventServices.xml" > >>>> invoke="createCommunicationEventWithPermission" auth="true"> @@ > -792,9 +792,9 @@ under the License. > >>>> <auto-attributes entity-name="CommunicationEvent" > include="nonpk" mode="IN" optional="true"/> > >>>> <attribute name="contactMechPurposeTypeIdFrom" type="String" > mode="IN" optional="true"><description>Set a specific > >>>> purpose for the originator email</description></attribute> > <attribute name="oldStatusId" type="String" mode="OUT" > >>>> optional="true"/> > >>>> - <override name="messageId" allow-html="safe"/> > >>>> - <override name="content" allow-html="safe"/> > >>>> - <override name="subject" allow-html="safe"/> > >>>> + <override name="messageId" allow-html="any"/> > >>>> + <override name="content" allow-html="any"/> > >>>> + <override name="subject" allow-html="any"/> > >>>> </service> > >>>> <service name="deleteCommunicationEvent" engine="simple" > >>>> location="component://party/script/org/ofbiz/party/ > communication/CommunicationEventServices.xml" > >>>> invoke="deleteCommunicationEvent" auth="true"> > >>>> > >>>> Modified: ofbiz/trunk/applications/product/servicedef/services.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > product/servicedef/services.xml?rev=1536324&r1=1536323&r2= > 1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/product/servicedef/services.xml (original) > +++ > >>>> ofbiz/trunk/applications/product/servicedef/services.xml Mon Oct 28 > 12:12:43 2013 @@ -34,8 +34,8 @@ under the License. > >>>> <exclude field-name="lastModifiedDate"/> > >>>> <exclude field-name="lastModifiedByUserLogin"/> > >>>> </auto-attributes> > >>>> - <override name="description" allow-html="safe"/> > >>>> - <override name="longDescription" allow-html="safe"/> > >>>> + <override name="description" allow-html="any"/> > >>>> + <override name="longDescription" allow-html="any"/> > >>>> </service> > >>>> <service name="createProduct" default-entity-name="Product" > engine="simple" > >>>> location="component://product/ > script/org/ofbiz/product/product/ProductServices.xml" > invoke="createProduct" > >>>> auth="true"> @@ -70,8 +70,8 @@ under the License. > >>>> <attribute name="oldProductId" type="String" mode="IN" > optional="false"/> > >>>> <attribute name="newInternalName" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="newProductName" type="String" mode="IN" > optional="true"/> > >>>> - <attribute name="newDescription" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> - <attribute name="newLongDescription" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="newDescription" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> + <attribute name="newLongDescription" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> <attribute name="duplicatePrices" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="duplicateIDs" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="duplicateContent" type="String" mode="IN" > optional="true"/> > >>>> @@ -392,7 +392,7 @@ under the License. > >>>> <auto-attributes mode="IN" entity-name="Content" > optional="true"/> > >>>> <attribute name="subject" type="String" mode="IN" > optional="false"/> > >>>> <attribute name="plainBody" type="String" mode="IN" > optional="false"/> > >>>> - <attribute name="htmlBody" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="htmlBody" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> <override name="contentId" optional="true" mode="INOUT"/> > >>>> </service> > >>>> <service name="updateEmailContentForProduct" default-entity-name="ProductContent" > engine="simple" > >>>> @@ -405,7 +405,7 @@ under the License. > >>>> <attribute name="plainBodyDataResourceId" type="String" > mode="IN" optional="true"/> > >>>> <attribute name="plainBody" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="htmlBodyDataResourceId" type="String" > mode="IN" optional="true"/> > >>>> - <attribute name="htmlBody" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="htmlBody" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> </service> > >>>> <service name="createDownloadContentForProduct" > default-entity-name="ProductContent" engine="simple" > >>>> location="component://product/script/org/ofbiz/product/ > product/ProductContentServices.xml" > >>>> invoke="createDownloadContentForProduct" auth="true"> @@ -431,7 > +431,7 @@ under the License. > >>>> <auto-attributes include="pk" mode="IN" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes entity-name="Content" include="nonpk" > mode="IN" optional="true"/> > >>>> - <attribute name="text" type="String" mode="IN" > optional="false" allow-html="safe"/> > >>>> + <attribute name="text" type="String" mode="IN" > optional="false" allow-html="any"/> > >>>> <override name="contentId" optional="true"/> > >>>> <override name="fromDate" optional="true"/> > >>>> </service> > >>>> @@ -441,13 +441,13 @@ under the License. > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes mode="IN" entity-name="Content" > optional="true"/> > >>>> <attribute name="textDataResourceId" type="String" mode="IN" > optional="true"/> > >>>> - <attribute name="text" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="text" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> </service> > >>>> > >>>> <service name="createSimpleTextContentForAlternateLocale" > engine="simple" > >>>> location="component://product/script/org/ofbiz/product/ > product/ProductContentServices.xml" > >>>> invoke="createSimpleTextContentForAlternateLocale"> > <auto-attributes mode="IN" entity-name="Content" optional="true"/> > >>>> <attribute name="mainContentId" type="String" mode="IN" > optional="false"/> - <attribute name="text" type="String" > >>>> mode="IN" optional="false" allow-html="safe"/> + <attribute > name="text" type="String" mode="IN" optional="false" > >>>> allow-html="any"/> <override name="localeString" > optional="false"/> > >>>> <override name="contentId" mode="INOUT"/> > >>>> </service> > >>>> @@ -967,7 +967,7 @@ under the License. > >>>> <auto-attributes include="pk" mode="IN" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes entity-name="Content" include="nonpk" > mode="IN" optional="true"/> > >>>> - <attribute name="text" type="String" mode="IN" > optional="false" allow-html="safe"/> > >>>> + <attribute name="text" type="String" mode="IN" > optional="false" allow-html="any"/> > >>>> <override name="contentId" optional="true"/> > >>>> <override name="fromDate" optional="true"/> > >>>> </service> > >>>> @@ -977,7 +977,7 @@ under the License. > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes entity-name="Content" include="nonpk" > mode="IN" optional="true"/> > >>>> <attribute name="textDataResourceId" type="String" mode="IN" > optional="true"/> > >>>> - <attribute name="text" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="text" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> </service> > >>>> > >>>> <service name="updateContentSEOForCategory" engine="simple" > >>>> @@ -1201,7 +1201,7 @@ under the License. > >>>> <auto-attributes include="pk" mode="IN" optional="true"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes mode="IN" entity-name="Content" > optional="true"/> > >>>> - <attribute name="text" type="String" mode="IN" > optional="false" allow-html="safe"/> > >>>> + <attribute name="text" type="String" mode="IN" > optional="false" allow-html="any"/> > >>>> <override name="contentId" optional="true"/> > >>>> </service> > >>>> <service name="updateSimpleTextContentForProductConfigItem" > default-entity-name="ProdConfItemContent" engine="simple" > >>>> @@ -1210,7 +1210,7 @@ under the License. > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <auto-attributes mode="IN" entity-name="Content" > optional="true"/> > >>>> <attribute name="textDataResourceId" type="String" mode="IN" > optional="true"/> > >>>> - <attribute name="text" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="text" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> </service> > >>>> <service name="getProductFeaturesByType" engine="java" > >>>> location="org.ofbiz.product.feature.ProductFeatureServices" > invoke="getProductFeaturesByType"> > >>>> > >>>> Modified: ofbiz/trunk/applications/product/servicedef/services_ > pricepromo.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > product/servicedef/services_pricepromo.xml?rev=1536324&r1= > 1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml > (original) +++ > >>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml > Mon Oct 28 12:12:43 2013 @@ -138,7 +138,7 @@ under the > >>>> License. <exclude field-name="lastModifiedByUserLogin"/> > >>>> </auto-attributes> > >>>> <override name="promoName" optional="false"/> > >>>> - <override name="promoText" allow-html="safe"/> > >>>> + <override name="promoText" allow-html="any"/> > >>>> </service> > >>>> <service name="updateProductPromo" default-entity-name="ProductPromo" > engine="simple" > >>>> location="component://product/ > script/org/ofbiz/product/promo/PromoServices.xml" > invoke="updateProductPromo" > >>>> auth="true"> @@ -150,7 +150,7 @@ under the License. > >>>> <exclude field-name="lastModifiedDate"/> > >>>> <exclude field-name="lastModifiedByUserLogin"/> > >>>> </auto-attributes> > >>>> - <override name="promoText" allow-html="safe"/> > >>>> + <override name="promoText" allow-html="any"/> > >>>> </service> > >>>> <service name="deleteProductPromo" default-entity-name="ProductPromo" > engine="simple" > >>>> location="component://product/ > script/org/ofbiz/product/promo/PromoServices.xml" > invoke="deleteProductPromo" > >>>> auth="true"> > >>>> > >>>> Modified: ofbiz/trunk/applications/workeffort/servicedef/services.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ > workeffort/servicedef/services.xml?rev=1536324&r1= > 1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml > (original) +++ > >>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml Mon Oct > 28 12:12:43 2013 @@ -35,8 +35,8 @@ under the License. > >>>> <exclude field-name="lastModifiedDate"/> > >>>> <exclude field-name="lastModifiedByUserLogin"/> > >>>> </auto-attributes> > >>>> - <override name="workEffortName" allow-html="safe"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="workEffortName" allow-html="any"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> <service name="createWorkEffort" default-entity-name="WorkEffort" > engine="simple" > >>>> location="component://workeffort/script/org/ofbiz/ > workeffort/workeffort/WorkEffortSimpleServices.xml" > >>>> invoke="createWorkEffort"> @@ -50,9 +50,9 @@ under the License. > >>>> <attribute name="communicationEventId" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="webSiteId" type="String" mode="IN" > optional="true"/><!-- for notification services --> > >>>> <override name="workEffortTypeId" optional="false"/> > >>>> - <override name="workEffortName" optional="false" > allow-html="safe"/> > >>>> + <override name="workEffortName" optional="false" > allow-html="any"/> > >>>> <override name="currentStatusId" optional="false"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> <service name="createWorkEffortAndPartyAssign" > default-entity-name="WorkEffort" engine="simple" > >>>> location="component://workeffort/script/org/ofbiz/ > workeffort/workeffort/WorkEffortSimpleServices.xml" > >>>> invoke="createWorkEffortAndPartyAssign"> @@ -429,7 +429,7 @@ under > the License. > >>>> <auto-attributes include="pk" mode="IN" optional="false" > entity-name="CustRequestWorkEffort"/> > >>>> <auto-attributes include="all" mode="IN" optional="true" > entity-name="CustRequest"/> > >>>> <override name="custRequestId" optional="true" mode="INOUT"/> > >>>> - <override name="description" allow-html="safe"/> > >>>> + <override name="description" allow-html="any"/> > >>>> </service> > >>>> <service name="deleteWorkEffortRequest" engine="simple" > >>>> location="component://workeffort/script/org/ofbiz/ > workeffort/workeffort/WorkEffortSimpleServices.xml" > >>>> invoke="deleteWorkEffortRequest" auth="true"> <description>Deletes a > CustRequestWorkEffort</description> > >>>> > >>>> Modified: ofbiz/trunk/framework/common/servicedef/services.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/ > servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/framework/common/servicedef/services.xml (original) +++ > ofbiz/trunk/framework/common/servicedef/services.xml Mon > >>>> Oct 28 12:12:43 2013 @@ -63,7 +63,7 @@ under the License. > >>>> <description>Create a new note record</description> > >>>> <attribute name="partyId" type="String" mode="INOUT" > optional="true"/> > >>>> <attribute name="noteName" type="String" mode="IN" > optional="true"/> > >>>> - <attribute name="note" type="String" mode="IN" > allow-html="safe"/> > >>>> + <attribute name="note" type="String" mode="IN" > allow-html="any"/> > >>>> <attribute name="noteId" type="String" mode="OUT"/> > >>>> </service> > >>>> > >>>> @@ -72,7 +72,7 @@ under the License. > >>>> <description>Update a note record</description> > >>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> - <override name="noteInfo" allow-html="safe"/> > >>>> + <override name="noteInfo" allow-html="any"/> > >>>> </service> > >>>> > >>>> <service name="adjustDebugLevels" engine="java" > >>>> @@ -109,7 +109,7 @@ under the License. > >>>> <auto-attributes include="pk" mode="OUT" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <override name="enumTypeId" optional="false"/> > >>>> - <override name="description" optional="false" > allow-html="safe"/> > >>>> + <override name="description" optional="false" > allow-html="any"/> > >>>> </service> > >>>> <service name="updateEnumeration" default-entity-name="Enumeration" > engine="simple" > >>>> location="component://common/script/org/ofbiz/common/EnumerationServices.xml" > invoke="updateEnumeration" auth="true"> > >>>> @@ -118,7 +118,7 @@ under the License. > >>>> <auto-attributes include="pk" mode="IN" optional="false"/> > >>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> > >>>> <override name="enumTypeId" optional="false"/> > >>>> - <override name="description" optional="false" > allow-html="safe"/> > >>>> + <override name="description" optional="false" > allow-html="any"/> > >>>> </service> > >>>> <service name="deleteEnumeration" default-entity-name="Enumeration" > engine="entity-auto" invoke="delete" auth="true"> > >>>> <description>Delete a Enumeration</description> > >>>> > >>>> Modified: ofbiz/trunk/framework/common/servicedef/services_email.xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/ > servicedef/services_email.xml?rev=1536324&r1=1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/framework/common/servicedef/services_email.xml > (original) +++ > >>>> ofbiz/trunk/framework/common/servicedef/services_email.xml Mon Oct > 28 12:12:43 2013 @@ -42,7 +42,7 @@ under the License. > >>>> <attribute name="sendFailureNotification" mode="IN" > type="Boolean" optional="true"/> > >>>> <attribute name="sendPartial" mode="IN" type="Boolean" > optional="true"/> > >>>> <attribute name="startTLSEnabled" mode="IN" type="Boolean" > optional="true"/> > >>>> - <attribute name="subject" type="String" mode="INOUT" > optional="true" allow-html="safe"/> > >>>> + <attribute name="subject" type="String" mode="INOUT" > optional="true" allow-html="any"/> > >>>> <attribute name="contentType" type="String" mode="INOUT" > optional="true"/> > >>>> <attribute name="partyId" type="String" mode="INOUT" > optional="true"/> > >>>> <attribute name="messageId" type="String" mode="INOUT" > optional="true"/> > >>>> @@ -56,7 +56,7 @@ under the License. > >>>> <service name="sendMailOnePartInterface" engine="interface" > location="" invoke=""> > >>>> <description>Interface service for sendMail* > services.</description> > >>>> <implements service="sendMailInterface"/> > >>>> - <attribute name="body" type="String" mode="INOUT" > optional="false" allow-html="safe"/> > >>>> + <attribute name="body" type="String" mode="INOUT" > optional="false" allow-html="any"/> > >>>> <override name="contentType" mode="INOUT"/> > >>>> <override name="subject" mode="INOUT" optional="false"/> > >>>> <override name="emailType" type="String" mode="INOUT" > optional="true"/> > >>>> @@ -98,12 +98,12 @@ under the License. > >>>> <implements service="sendMailInterface"/> > >>>> <attribute name="bodyUrl" type="String" mode="IN" > optional="false"/> > >>>> <attribute name="bodyUrlParameters" type="Map" mode="IN" > optional="true"/> > >>>> - <attribute name="body" type="String" mode="OUT" > optional="false" allow-html="safe"/> > >>>> + <attribute name="body" type="String" mode="OUT" > optional="false" allow-html="any"/> > >>>> </service> > >>>> <service name="sendMailFromScreenInterface" engine="interface" > location="" invoke=""> > >>>> <description>Interface service for E-Mail sent From Screen > Widget</description> > >>>> <implements service="sendMailInterface"/> > >>>> - <attribute name="bodyText" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="bodyText" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> <attribute name="bodyScreenUri" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="xslfoAttachScreenLocation" type="String" > mode="IN" optional="true"/> > >>>> <attribute name="attachmentName" type="String" mode="IN" > optional="true"/> > >>>> @@ -132,7 +132,7 @@ under the License. > >>>> <implements service="sendMailInterface"/> > >>>> <attribute name="emailTemplateSettingId" type="String" > mode="IN" optional="false"/> > >>>> <attribute name="partyIdTo" type="String" mode="IN" > optional="true"/> > >>>> - <attribute name="bodyText" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="bodyText" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> <attribute name="attachmentName" type="String" mode="IN" > optional="true"/> > >>>> <attribute name="bodyParameters" type="Map" mode="IN" > optional="true"/> > >>>> <attribute name="webSiteId" type="String" mode="IN" > optional="true"/> > >>>> @@ -143,8 +143,8 @@ under the License. > >>>> location="" invoke=""> > >>>> <description>Send Template Based Notification > Service</description> > >>>> <implements service="sendMailInterface"/> > >>>> - <attribute name="body" type="String" mode="INOUT" > optional="true" allow-html="safe"/> > >>>> - <attribute name="baseUrl" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="body" type="String" mode="INOUT" > optional="true" allow-html="any"/> > >>>> + <attribute name="baseUrl" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> <attribute name="templateName" type="String" mode="IN" > optional="false"/> > >>>> <attribute name="templateData" type="Map" mode="IN" > optional="true"/> > >>>> <attribute name="webSiteId" type="String" mode="IN" > optional="true"/> > >>>> @@ -153,7 +153,7 @@ under the License. > >>>> location="" invoke=""> > >>>> <description>Send Template Based Notification > Service</description> > >>>> <implements service="prepareNotificationInterface"/> > >>>> - <attribute name="body" type="String" mode="IN" > optional="true" allow-html="safe"/> > >>>> + <attribute name="body" type="String" mode="IN" > optional="true" allow-html="any"/> > >>>> <attribute name="templateName" type="String" mode="IN" > optional="false"/> > >>>> <attribute name="templateData" type="Map" mode="IN" > optional="true"/> > >>>> <attribute name="webSiteId" type="String" mode="IN" > optional="true"/> > >>>> > >>>> Modified: ofbiz/trunk/framework/service/dtd/services.xsd > >>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ > dtd/services.xsd?rev=1536324&r1=1536323&r2=1536324&view=diff > >>>> ============================================================ > ================== > >>>> --- ofbiz/trunk/framework/service/dtd/services.xsd (original) > >>>> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Oct 28 > 12:12:43 2013 > >>>> @@ -106,6 +106,7 @@ under the License. > >>>> If set to true and there is a transaction already > in place the Service Engine will suspend that transaction, > >>>> begin a new one just for this service, commit or > rollback the local transaction when the service is > >>>> complete, and will resume the original > transaction. If set to true and there is no transaction already in > >>>> place it will just begin a transaction and manage it as would be done > for a normal user-transaction=true. If > >>>> use-transaction=false this setting is ignored. + > Beware: using require-new-transaction=true > >>>> in a service called (maybe not directly) by a pre-invoke > or earlier event ( preprocessor, firstvisit and so on) is > >>>> not yet supported. </xs:documentation> </xs:annotation> > <xs:simpleType> > >>>> @@ -348,11 +349,18 @@ under the License. > >>>> </xs:simpleType> > >>>> </xs:attribute> > >>>> <xs:attribute name="allow-html" use="optional" default="none"> > >>>> - <xs:annotation><xs:documentation>See the documentation > on the allow-html attribute of the "attribute" > >>>> element.</xs:documentation></xs:annotation> + > <xs:annotation> > >>>> + <xs:documentation> > >>>> + Applies only to String fields. > >>>> + Only checked for incoming parameters/attributes > (could change in the future, but this is meant for > >>>> validating input from users, other systems, etc). + > Defaults to "none" meaning no HTML is allowed (will > >>>> result in an error message). + If some HTML is > desired then use "any". > >>>> + There was previously "safe" but it's deprecated > >>>> + </xs:documentation> > >>>> + </xs:annotation> > >>>> <xs:simpleType> > >>>> <xs:restriction base="xs:token"> > >>>> <xs:enumeration value="any"/> > >>>> - <xs:enumeration value="safe"/> > >>>> <xs:enumeration value="none"/> > >>>> </xs:restriction> > >>>> </xs:simpleType> > >>>> @@ -424,13 +432,12 @@ under the License. > >>>> Applies only to String fields. > >>>> Only checked for incoming parameters/attributes (could > change in the future, but this is meant for validating > >>>> input from users, other systems, etc). Defaults to > "none" meaning no HTML is allowed (will result in an error > >>>> message). > >>>> - If some HTML is desired then use "safe" which will > follow the rules in the antisamy-esapi.xml file. This > >>>> should be safe for both internal and public users. > >>>> - In rare cases when users are trusted or it is not a > sensitive field the "any" option may be used to not check > >>>> the HTML content at all. + If some HTML is desired > then use "any". > >>>> + There was previously "safe" but it's deprecated > >>>> </xs:documentation></xs:annotation> > >>>> <xs:simpleType> > >>>> <xs:restriction base="xs:token"> > >>>> <xs:enumeration value="any"/> > >>>> - <xs:enumeration value="safe"/> > >>>> <xs:enumeration value="none"/> > >>>> </xs:restriction> > >>>> </xs:simpleType> > >>>> @@ -477,11 +484,18 @@ under the License. > >>>> </xs:simpleType> > >>>> </xs:attribute> > >>>> <xs:attribute name="allow-html" use="optional"> > >>>> - <xs:annotation><xs:documentation>See the documentation > on the allow-html attribute of the "attribute" element. > >>>> Note that it is slightly different here as there is no > defualt.</xs:documentation></xs:annotation> + <xs:annotation> > >>>> + <xs:documentation> > >>>> + Applies only to String fields. > >>>> + Only checked for incoming parameters/attributes > (could change in the future, but this is meant for > >>>> validating input from users, other systems, etc). + > There is no default, "none" means no HTML is allowed > >>>> (will result in an error message). + If some HTML > is desired then use "any". > >>>> + There was previously "safe" but it's deprecated > >>>> + </xs:documentation> > >>>> + </xs:annotation> > >>>> <xs:simpleType> > >>>> <xs:restriction base="xs:token"> > >>>> <xs:enumeration value="any"/> > >>>> - <xs:enumeration value="safe"/> > >>>> <xs:enumeration value="none"/> > >>>> </xs:restriction> > >>>> </xs:simpleType> > >>>> > >>>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ > ModelService.java > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ > src/org/ofbiz/service/ModelService.java?rev=1536324& > r1=1536323&r2=1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java > (original) +++ > >>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java > Mon Oct 28 12:12:43 2013 @@ -575,18 +575,12 @@ public > >>>> class ModelService extends Abstra // required and type > validation complete, do allow-html validation > >>>> if ("IN".equals(mode)) { > >>>> List<String> errorMessageList = FastList.newInstance(); > >>>> - for (ModelParam modelParam: this.contextInfo.values()) { > >>>> - if (context.get(modelParam.name) != null && > >>>> - ("String".equals(modelParam.type) || > "java.lang.String".equals(modelParam.type)) && > >>>> - !"any".equals(modelParam.allowHtml) && > >>>> - ("INOUT".equals(modelParam.mode) || > "IN".equals(modelParam.mode))) { > >>>> - // the param is a String, allow-html is none or > safe, and we are looking at an IN parameter during input > >>>> parameter validation + for (ModelParam modelParam : > this.contextInfo.values()) { > >>>> + // the param is a String, allow-html is not any, and > we are looking at an IN parameter during input parameter > >>>> validation + if (context.get(modelParam.name) != null > && ("String".equals(modelParam.type) || > >>>> "java.lang.String".equals(modelParam.type)) + > && !"any".equals(modelParam.allowHtml) && > >>>> ("INOUT".equals(modelParam.mode) || > "IN".equals(modelParam.mode))) { String value = (String) > >>>> context.get(modelParam.name); > >>>> - if ("none".equals(modelParam.allowHtml)) { > >>>> - StringUtil.checkStringForHtmlStrictNone(modelParam.name, > value, errorMessageList); > >>>> - } else if ("safe".equals(modelParam.allowHtml)) > { > >>>> - StringUtil.checkStringForHtmlSafeOnly(modelParam.name, > value, errorMessageList); > >>>> - } > >>>> + StringUtil.checkStringForHtmlStrictNone(modelParam.name, > value, errorMessageList); > >>>> } > >>>> } > >>>> if (errorMessageList.size() > 0) { > >>>> > >>>> Modified: ofbiz/trunk/specialpurpose/ebaystore/servicedef/services. > xml > >>>> URL: > >>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ > ebaystore/servicedef/services.xml?rev=1536324&r1=1536323&r2= > 1536324&view=diff > >>>> ============================================================================== > --- > >>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml > (original) +++ > >>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml Mon Oct > 28 12:12:43 2013 @@ -491,7 +491,7 @@ under the License. > >>>> <attribute name="itemId" mode="IN" type="String" > optional="false"/> > >>>> <attribute name="listingType" mode="IN" type="String" > optional="true"/> > >>>> <attribute name="title" mode="IN" type="String" > optional="true"/> > >>>> - <attribute name="description" mode="IN" type="String" > allow-html="safe"/> > >>>> + <attribute name="description" mode="IN" type="String" > allow-html="any"/> > >>>> <attribute name="price" mode="IN" type="String" > optional="true"/> > >>>> <attribute name="currencyId" mode="IN" type="String" > optional="true"/> > >>>> <attribute mode="IN" name="imageData" optional="true" > type="java.nio.ByteBuffer"/> > |
Administrator
|
Hi Scott, Jacopo, All,
I have finally reopened OFBIZ-5254 as I propose a solution for this issue in a new patch. checkStringForHtmlSafeOnly() is still a WIP and can be improved, fortunately by using extendible policies Jacques Le 03/09/2016 à 11:27, Jacopo Cappellato a écrit : > I am resurrecting this old thread, because I think that Scott's remarks and > concerns to Jacques' commit were valid and the response of Jacques was not > satisfactory: in fact the two tickets Jacques mentioned have been resolved > but the issues that Scott identified in Jacques' commit are still there. > We should consider reverting the commit but my post for now is as a > reminder and to restart the conversation. > > Jacopo > > > On Sat, Dec 28, 2013 at 12:54 AM, Jacques Le Roux < > [hidden email]> wrote: > >> That's why https://issues.apache.org/jira/browse/OFBIZ-5254 is not >> closed, just resolved as incomplete. In other word it's a temporary >> unsatisfying solution. >> The idea is to continue https://issues.apache.org/jira/browse/OFBIZ-5343 >> All good wills are welcome >> >> Jacques >> >> On Friday, December 27, 2013 11:20 PM [hidden email] wrote >>> "safe" should not have been deprecated. The input should have just been >> cleansed as an interim measure until a better solution >>> could be found. >>> >>> Regards >>> Scott >>> >>> On 27/12/2013, at 9:37 PM, Jacques Le Roux wrote: >>> >>>> I agree, it's in my long TODO list... >>>> >>>> Jacques >>>> >>>> On Friday, December 27, 2013 8:43 PM [hidden email] wrote >>>>> This is not a fix, the problem was that "safe" wasn't filtering unsafe >> html or returning an error. Taking all "safe" input >>>>> parameters and making them "any" because "safe" wasn't working as >> intended is a bit silly to say the least. >>>>> Regards >>>>> Scott >>>>> >>>>> On 28/10/2013, at 12:12 PM, [hidden email] wrote: >>>>> >>>>>> Author: jleroux >>>>>> Date: Mon Oct 28 12:12:43 2013 >>>>>> New Revision: 1536324 >>>>>> >>>>>> URL: http://svn.apache.org/r1536324 >>>>>> Log: >>>>>> Fixes <<Services allow arbitrary HTML for parameters with allow-html >> set to "safe">> >>>>>> https://issues.apache.org/jira/browse/OFBIZ-5254 >>>>>> >>>>>> After r751990, <<allow-html="any">> and <<allow-html="safe">> are the >> same: they do nothing! The only difference is the warning >>>>>> message from the OWASP Antisamy IntrusionDetector, which is both, as >> Christoph noted "giving you a false sense of security" or >>>>>> as I wrote "disturbing, wrong and useless". So there are no longer >> any reasons for differencing "safe" and "any". >>>>>> This >>>>>> * Deprecates "safe" (making it clear in the XSD documentation), >> keeping only "none" and "any". This is for backward >>>>>> compatibility, else we could completely remove the misleading "safe". >> Note that "none" is the default. >>>>>> * Replaces in services definition all allow-html="safe" by >> allow-html="any" >>>>>> * Remove from ModelService.java (near line 587) the code which throws >> the OWASP Antisamy IntrusionDetector message in log >>>>>> Modified: >>>>>> ofbiz/trunk/applications/accounting/servicedef/ >> services_agreement.xml >>>>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >>>>>> ofbiz/trunk/applications/content/servicedef/services.xml >>>>>> ofbiz/trunk/applications/content/servicedef/services_content.xml >>>>>> ofbiz/trunk/applications/content/servicedef/services_data.xml >>>>>> ofbiz/trunk/applications/marketing/servicedef/services_ >> opportunity.xml >>>>>> ofbiz/trunk/applications/order/servicedef/services.xml >>>>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml >>>>>> ofbiz/trunk/applications/order/servicedef/services_request.xml >>>>>> ofbiz/trunk/applications/party/servicedef/services.xml >>>>>> ofbiz/trunk/applications/product/servicedef/services.xml >>>>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >>>>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml >>>>>> ofbiz/trunk/framework/common/servicedef/services.xml >>>>>> ofbiz/trunk/framework/common/servicedef/services_email.xml >>>>>> ofbiz/trunk/framework/service/dtd/services.xsd >>>>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ >> ModelService.java >>>>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >>>>>> >>>>>> Modified: ofbiz/trunk/applications/accounting/servicedef/ >> services_agreement.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> accounting/servicedef/services_agreement.xml?rev= >> 1536324&r1=1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >> Mon Oct 28 12:12:43 2013 @@ -30,7 +30,7 @@ under the >>>>>> License. <permission-service service-name="acctgAgreementPermissionCheck" >> main-action="CREATE"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes include="pk" mode="OUT" optional="true"/> >>>>>> - <override name="textData" allow-html="safe"/> >>>>>> + <override name="textData" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateAgreement" default-entity-name="Agreement" >> engine="simple" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/agreement/AgreementServices.xml" >>>>>> invoke="updateAgreement" auth="true"> @@ -38,7 +38,7 @@ under the >> License. >>>>>> <permission-service service-name="acctgAgreementPermissionCheck" >> main-action="UPDATE"/> >>>>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <override name="textData" allow-html="safe"/> >>>>>> + <override name="textData" allow-html="any"/> >>>>>> </service> >>>>>> <service name="cancelAgreement" default-entity-name="Agreement" >> engine="simple" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/agreement/AgreementServices.xml" >>>>>> invoke="cancelAgreement" auth="true"> @@ -65,7 +65,7 @@ under the >> License. >>>>>> <permission-service service-name="acctgAgreementPermissionCheck" >> main-action="CREATE"/> >>>>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <override name="agreementText" allow-html="safe"/> >>>>>> + <override name="agreementText" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateAgreementItem" default-entity-name="AgreementItem" >> engine="simple" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/agreement/AgreementServices.xml" >>>>>> invoke="updateAgreementItem" auth="true"> @@ -73,7 +73,7 @@ under the >> License. >>>>>> <permission-service service-name="acctgAgreementPermissionCheck" >> main-action="UPDATE"/> >>>>>> <auto-attributes include="pk" mode="IN" optional="true"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <override name="agreementText" allow-html="safe"/> >>>>>> + <override name="agreementText" allow-html="any"/> >>>>>> </service> >>>>>> <service name="removeAgreementItem" default-entity-name="AgreementItem" >> engine="simple" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/agreement/AgreementServices.xml" >>>>>> invoke="removeAgreementItem" auth="true"> @@ -90,7 +90,7 @@ under the >> License. >>>>>> <permission-service service-name="acctgAgreementPermissionCheck" >> main-action="CREATE"/> >>>>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <override name="textValue" allow-html="safe"/> >>>>>> + <override name="textValue" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateAgreementTerm" default-entity-name="AgreementTerm" >> engine="simple" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/agreement/AgreementServices.xml" >>>>>> invoke="updateAgreementTerm" auth="true"> @@ -98,7 +98,7 @@ under the >> License. >>>>>> <permission-service service-name="acctgAgreementPermissionCheck" >> main-action="UPDATE"/> >>>>>> <auto-attributes include="pk" mode="IN" optional="true"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <override name="textValue" allow-html="safe"/> >>>>>> + <override name="textValue" allow-html="any"/> >>>>>> </service> >>>>>> <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" >> engine="simple" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/agreement/AgreementServices.xml" >>>>>> invoke="deleteAgreementTerm" auth="true"> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/accounting/servicedef/ >> services_invoice.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> accounting/servicedef/services_invoice.xml?rev= >> 1536324&r1=1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >> Mon Oct 28 12:12:43 2013 @@ -56,8 +56,8 @@ under the >>>>>> License. <override name="invoiceTypeId" mode="IN" >> optional="false"/> >>>>>> <override name="partyIdFrom" mode = "IN" optional="false"/> >>>>>> <override name="partyId" mode = "IN" optional="false"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> - <override name="invoiceMessage" allow-html="safe"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> + <override name="invoiceMessage" allow-html="any"/> >>>>>> </service> >>>>>> <service name="copyInvoice" engine="simple" >> default-entity-name="Invoice" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/invoice/InvoiceServices.xml" invoke="copyInvoice"> >>>>>> @@ -80,8 +80,8 @@ under the License. >>>>>> <permission-service service-name="acctgInvoicePermissionCheck" >> main-action="UPDATE"/> >>>>>> <auto-attributes mode="IN" include="pk" optional="false"/> >>>>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> - <override name="invoiceMessage" allow-html="safe"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> + <override name="invoiceMessage" allow-html="any"/> >>>>>> </service> >>>>>> <service name="setInvoiceStatus" engine="simple" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/invoice/InvoiceServices.xml" invoke="setInvoiceStatus"> >>>>>> @@ -117,7 +117,7 @@ under the License. >>>>>> <auto-attributes mode="IN" include="pk" optional="false"/> >>>>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>>>> <override name="invoiceItemSeqId" mode="INOUT" >> optional="true"/><!-- will optionally be assigned by the system --> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateInvoiceItem" engine="simple" >> default-entity-name="InvoiceItem" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/invoice/InvoiceServices.xml" invoke="updateInvoiceItem"> >>>>>> @@ -125,7 +125,7 @@ under the License. >>>>>> <permission-service service-name="acctgInvoicePermissionCheck" >> main-action="UPDATE"/> >>>>>> <auto-attributes mode="INOUT" include="pk" optional="false"/> >>>>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> <service name="removeInvoiceItem" engine="simple" >> default-entity-name="InvoiceItem" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/invoice/InvoiceServices.xml" invoke="removeInvoiceItem"> >>>>>> @@ -276,7 +276,7 @@ under the License. >>>>>> <attribute name="sendTo" type="String" mode="IN" >> optional="false"/> >>>>>> <attribute name="sendCc" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="subject" type="String" mode="IN" >> optional="true"/> >>>>>> - <attribute name="bodyText" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="bodyText" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> <attribute name="other" type="String" mode="IN" >> optional="true"/><!-- to send the invoice in the 'other' currency (y) >>>>>> --> </service> >>>>>> <service name="checkInvoicePaymentApplications" engine="java" >>>>>> @@ -412,7 +412,7 @@ under the License. >>>>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes entity-name="Content" include="nonpk" >> mode="IN" optional="true"/> >>>>>> - <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="any"/> >>>>>> <override name="contentId" optional="true"/> >>>>>> <override name="fromDate" optional="true"/> >>>>>> </service> >>>>>> @@ -422,7 +422,7 @@ under the License. >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes mode="IN" entity-name="Content" >> optional="true"/> >>>>>> <attribute name="textDataResourceId" type="String" mode="IN" >> optional="true"/> >>>>>> - <attribute name="text" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="text" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> </service> >>>>>> <service name="isInvoiceInForeignCurrency" engine="simple" >>>>>> location="component://accounting/script/org/ofbiz/ >> accounting/invoice/InvoiceServices.xml" >>>>>> invoke="isInvoiceInForeignCurrency" auth="true"> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/content/servicedef/services.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> content/servicedef/services.xml?rev=1536324&r1=1536323&r2= >> 1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/content/servicedef/services.xml (original) >> +++ >>>>>> ofbiz/trunk/applications/content/servicedef/services.xml Mon Oct 28 >> 12:12:43 2013 @@ -291,12 +291,12 @@ >>>>>> <service name="createSimpleTextContent" engine="simple" >>>>>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" >> invoke="createSimpleTextContent"> >>>>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> - >> <attribute name="text" type="String" mode="IN" >>>>>> optional="false" allow-html="safe"/> + <attribute name="text" >> type="String" mode="IN" optional="false" >>>>>> allow-html="any"/> <override name="contentId" mode="INOUT"/> >>>>>> </service> >>>>>> <service name="updateSimpleTextContent" engine="simple" >>>>>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" >> invoke="updateSimpleTextContent"> >>>>>> <attribute name="textDataResourceId" type="String" mode="IN" >> optional="true"/> - <attribute name="text" type="String" >>>>>> mode="IN" optional="true" allow-html="safe"/> + <attribute >> name="text" type="String" mode="IN" optional="true" >>>>>> allow-html="any"/> </service> >>>>>> >>>>>> <!-- Util --> >>>>>> @@ -452,7 +452,7 @@ >>>>>> <attribute mode="IN" name="forceElectronicText" >> optional="true" type="String"/> >>>>>> <attribute mode="IN" name="displayFailCond" optional="true" >> type="Boolean"/> >>>>>> <attribute mode="INOUT" name="roleTypeList" optional="true" >> type="List"/> >>>>>> - <override name="textData" allow-html="safe"/> >>>>>> + <override name="textData" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <service name="persistDataResourceAndData" engine="java" >>>>>> @@ -1052,8 +1052,8 @@ >>>>>> <attribute name="statusId" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="description" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="templateDataResourceId" type="String" >> mode="IN" optional="true"/> >>>>>> - <attribute name="articleData" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> - <attribute name="summaryData" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="articleData" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> + <attribute name="summaryData" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateBlogEntry" engine="simple" auth="true" >>>>>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" >> invoke="updateBlogEntry"> >>>>>> @@ -1065,8 +1065,8 @@ >>>>>> <attribute name="statusId" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="description" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="templateDataResourceId" type="String" >> mode="IN" optional="true"/> >>>>>> - <attribute name="articleData" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> - <attribute name="summaryData" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="articleData" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> + <attribute name="summaryData" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> </service> >>>>>> <service name="getBlogEntry" engine="simple" auth="true" >>>>>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" >> invoke="getBlogEntry"> >>>>>> Modified: ofbiz/trunk/applications/content/servicedef/services_ >> content.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> content/servicedef/services_content.xml?rev=1536324&r1= >> 1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/content/servicedef/services_content.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/content/servicedef/services_content.xml Mon >> Oct 28 12:12:43 2013 @@ -48,8 +48,8 @@ >>>>>> <attribute name="fromDate" type="Timestamp" mode="IN" >> optional="true"/> >>>>>> <attribute name="sequenceNum" type="Long" mode="IN" >> optional="true"/> >>>>>> <override name="contentTypeId" default-value="DOCUMENT"/> >>>>>> - <override name="contentName" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="contentName" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <service name="createTextAndUploadedContent" engine="simple" >> auth="true" >>>>>> @@ -131,8 +131,8 @@ >>>>>> <attribute mode="IN" name="displayFailCond" optional="true" >> type="Boolean"/> >>>>>> <attribute mode="INOUT" name="roleTypeList" optional="true" >> type="List"/> >>>>>> <!-- end of depricated fields --> >>>>>> - <override name="contentName" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="contentName" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <service name="updateTextContent" engine="group" auth="true"> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/content/servicedef/services_ >> data.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> content/servicedef/services_data.xml?rev=1536324&r1= >> 1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/content/servicedef/services_data.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/content/servicedef/services_data.xml Mon >> Oct 28 12:12:43 2013 @@ -37,8 +37,8 @@ >>>>>> <attribute name="dataResourceId" type="String" mode="OUT" >> optional="false"/> >>>>>> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" >> mode="OUT" optional="true"/> >>>>>> <attribute name="uploadedFile" type="java.nio.ByteBuffer" >> mode="IN" optional="true"/> >>>>>> - <override name="objectInfo" allow-html="safe"/> >>>>>> - <override name="dataResourceName" allow-html="safe"/> >>>>>> + <override name="objectInfo" allow-html="any"/> >>>>>> + <override name="dataResourceName" allow-html="any"/> >>>>>> </service> >>>>>> <service name="createDataResourceAndAssocToContent" >> default-entity-name="DataResource" engine="simple" >>>>>> location="component://content/ >> script/org/ofbiz/content/data/DataServices.xml" >>>>>> invoke="createDataResourceAndAssocToContent" auth="true"> @@ -59,8 >> +59,8 @@ >>>>>> <attribute name="skipPermissionCheck" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="dataResourceId" type="String" mode="OUT" >> optional="false"/> >>>>>> <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" >> mode="OUT" optional="true"/> >>>>>> - <override name="objectInfo" allow-html="safe"/> >>>>>> - <override name="dataResourceName" allow-html="safe"/> >>>>>> + <override name="objectInfo" allow-html="any"/> >>>>>> + <override name="dataResourceName" allow-html="any"/> >>>>>> </service> >>>>>> <service name="removeDataResource" engine="simple" >> default-entity-name="DataResource" auth="true" >>>>>> location="component://content/ >> script/org/ofbiz/content/data/DataServices.xml" >> invoke="deleteDataResource"> >>>>>> @@ -90,7 +90,7 @@ >>>>>> <description>Create a DataResource and, possibly, >> ElectronicText or ImageDataResource</description> >>>>>> <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <attribute name="textData" mode="IN" optional="true" >> type="String" allow-html="safe"/> >>>>>> + <attribute name="textData" mode="IN" optional="true" >> type="String" allow-html="any"/> >>>>>> <attribute name="targetOperationList" type="List" mode="IN" >> optional="true"/> >>>>>> <attribute name="contentPurposeList" type="List" mode="IN" >> optional="true"/> >>>>>> <attribute name="skipPermissionCheck" type="String" mode="IN" >> optional="true"/> >>>>>> @@ -100,7 +100,7 @@ >>>>>> <description>Create a DataResource and, possibly, >> ElectronicText or ImageDataResource</description> >>>>>> <auto-attributes include="pk" mode="IN" optional="true"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <attribute name="textData" mode="IN" type="String" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="textData" mode="IN" type="String" >> optional="true" allow-html="any"/> >>>>>> <attribute name="targetOperationList" type="List" mode="IN" >> optional="true"/> >>>>>> <attribute name="contentPurposeList" type="List" mode="IN" >> optional="true"/> >>>>>> <attribute name="skipPermissionCheck" type="String" mode="IN" >> optional="true"/> >>>>>> @@ -115,7 +115,7 @@ >>>>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <override name="dataResourceTypeId" default-value="ELECTRONIC_ >> TEXT"/> >>>>>> - <override name="textData" allow-html="safe"/> >>>>>> + <override name="textData" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateElectronicText" default-entity-name="ElectronicText" >> engine="simple" >>>>>> location="component://content/ >> script/org/ofbiz/content/data/DataServices.xml" >> invoke="updateElectronicText" >>>>>> auth="true"> @@ -124,7 +124,7 @@ >>>>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <attribute name="contentId" mode="INOUT" optional="true" >> type="String"/><!-- to optionaly know where this text is >>>>>> belonging to --> - <override name="textData" >> allow-html="safe"/> >>>>>> + <override name="textData" allow-html="any"/> >>>>>> </service> >>>>>> <service name="removeElectronicText" default-entity-name="ElectronicText" >> engine="simple" >>>>>> location="component://content/ >> script/org/ofbiz/content/data/DataServices.xml" >> invoke="removeElectronicText" >>>>>> auth="true"> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/marketing/servicedef/services_ >> opportunity.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> marketing/servicedef/services_opportunity.xml?rev=1536324& >> r1=1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >> Mon Oct 28 12:12:43 2013 @@ -78,9 +78,9 @@ under the >>>>>> License. </auto-attributes> >>>>>> <attribute name="accountPartyId" mode="IN" type="String" >> optional="true"/> >>>>>> <attribute name="leadPartyId" mode="IN" type="String" >> optional="true"/> >>>>>> - <override name="opportunityName" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> - <override name="nextStep" allow-html="safe"/> >>>>>> + <override name="opportunityName" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> + <override name="nextStep" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateSalesOpportunity" engine="simple" >> default-entity-name="SalesOpportunity" >>>>>> location="component://order/script/org/ofbiz/order/ >> opportunity/OpportunityServices.xml" invoke="updateSalesOpportunity"> >>>>>> @@ -89,9 +89,9 @@ under the License. >>>>>> <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>>>> <attribute name="accountPartyId" mode="IN" type="String" >> optional="true"/> >>>>>> <attribute name="leadPartyId" mode="IN" type="String" >> optional="true"/> >>>>>> - <override name="opportunityName" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> - <override name="nextStep" allow-html="safe"/> >>>>>> + <override name="opportunityName" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> + <override name="nextStep" allow-html="any"/> >>>>>> </service> >>>>>> <service name="createSalesOpportunityRole" engine="simple" >> default-entity-name="SalesOpportunityRole" >>>>>> location="component://order/script/org/ofbiz/order/ >> opportunity/OpportunityServices.xml" >>>>>> invoke="createSalesOpportunityRole"> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/order/servicedef/services.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> order/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/order/servicedef/services.xml (original) >> +++ ofbiz/trunk/applications/order/servicedef/services.xml >>>>>> Mon Oct 28 12:12:43 2013 @@ -450,7 +450,7 @@ under the License. >>>>>> location="org.ofbiz.order.order.OrderServices" >> invoke="createOrderNote" auth="true"> >>>>>> <description>Create a note item and associate with a order >> header</description> >>>>>> <attribute name="orderId" type="String" mode="IN"/> >>>>>> - <attribute name="note" type="String" mode="IN" >> allow-html="safe"/> >>>>>> + <attribute name="note" type="String" mode="IN" >> allow-html="any"/> >>>>>> <attribute name="internalNote" type="String" mode="IN"/> >>>>>> <attribute name="noteName" type="String" mode="IN" >> optional="true"/> >>>>>> </service> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/order/servicedef/services_ >> quote.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> order/servicedef/services_quote.xml?rev=1536324&r1= >> 1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml Mon Oct >> 28 12:12:43 2013 @@ -255,7 +255,7 @@ under the License. >>>>>> location="component://order/script/org/ofbiz/order/quote/QuoteServices.xml" >> invoke="createQuoteNote" auth="true"> >>>>>> <description>Create a note item and associate with a >> quote</description> >>>>>> <attribute name="quoteId" type="String" mode="IN"/> >>>>>> - <attribute name="noteInfo" type="String" mode="IN" >> allow-html="safe"/> >>>>>> + <attribute name="noteInfo" type="String" mode="IN" >> allow-html="any"/> >>>>>> <attribute name="noteName" type="String" mode="IN" >> optional="true"/> >>>>>> </service> >>>>>> </services> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/order/servicedef/services_ >> request.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> order/servicedef/services_request.xml?rev=1536324&r1= >> 1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/order/servicedef/services_request.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/order/servicedef/services_request.xml Mon >> Oct 28 12:12:43 2013 @@ -42,9 +42,9 @@ under the License. >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes include="all" mode="IN" >> entity-name="CustRequestItem" optional="true"/> >>>>>> <attribute name="webSiteId" type="String" mode="IN" >> optional="true"/><!-- for notification services --> >>>>>> - <override name="custRequestName" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> - <override name="story" allow-html="safe"/> >>>>>> + <override name="custRequestName" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> + <override name="story" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateCustRequest" engine="simple" >> default-entity-name="CustRequest" >>>>>> location="component://order/script/org/ofbiz/order/ >> request/CustRequestServices.xml" invoke="updateCustRequest" >>>>>> auth="true"> @@ -52,10 +52,10 @@ under the License. >>>>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <attribute name="oldStatusId" type="String" mode="OUT"/> >>>>>> - <attribute name="story" mode="IN" type="String" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="story" mode="IN" type="String" >> optional="true" allow-html="any"/> >>>>>> <attribute name="webSiteId" type="String" mode="IN" >> optional="true"/><!-- for notification services --> >>>>>> - <override name="custRequestName" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="custRequestName" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <service name="deleteCustRequest" engine="simple" >> default-entity-name="CustRequest" >>>>>> @@ -86,16 +86,16 @@ under the License. >>>>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <override name="custRequestItemSeqId" optional="true"/> >>>>>> - <override name="story" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="story" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateCustRequestItem" engine="simple" >> default-entity-name="CustRequestItem" >>>>>> location="component://order/script/org/ofbiz/order/ >> request/CustRequestServices.xml" invoke="updateCustRequestItem" >>>>>> auth="true"> <description>Update a CustRequestItem >> record</description> >>>>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <override name="story" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="story" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> <service name="copyCustRequestItem" default-entity-name="CustRequestItem" >> engine="simple" >>>>>> location="component://order/script/org/ofbiz/order/ >> request/CustRequestServices.xml" invoke="copyCustRequestItem" >>>>>> auth="true"> @@ -129,7 +129,7 @@ under the License. >>>>>> location="component://order/script/org/ofbiz/order/ >> request/CustRequestServices.xml" invoke="createCustRequestNote" >>>>>> auth="true"> <description>Create a note for a >> CustRequest</description> >>>>>> <attribute name="custRequestId" type="String" mode="IN" >> optional="false"/> >>>>>> - <attribute name="noteInfo" type="String" mode="IN" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="noteInfo" type="String" mode="IN" >> optional="false" allow-html="any"/> >>>>>> <attribute name="noteId" type="String" mode="OUT" >> optional="false"/> >>>>>> <attribute name="fromPartyId" type="String" mode="OUT" >> optional="true"/><!-- party to be notified --> >>>>>> <attribute name="custRequestName" type="String" mode="OUT" >> optional="true"/><!-- for notification services --> >>>>>> @@ -138,7 +138,7 @@ under the License. >>>>>> location="component://order/script/org/ofbiz/order/ >> request/CustRequestServices.xml" invoke="updateCustRequestNote" >>>>>> auth="true"> <description>Update CustRequest Note</description> >>>>>> <attribute name="custRequestId" type="String" mode="IN" >> optional="false"/> >>>>>> - <attribute name="noteId" type="String" mode="IN" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="noteId" type="String" mode="IN" >> optional="false" allow-html="any"/> >>>>>> <attribute name="noteInfo" type="String" mode="IN" >> optional="true"/> >>>>>> </service> >>>>>> <service name="createCustRequestItemNote" engine="simple" >>>>>> @@ -146,7 +146,7 @@ under the License. >>>>>> <description>Create a note for a CustRequestItem</description> >>>>>> <attribute name="custRequestId" type="String" mode="IN" >> optional="false"/> >>>>>> <attribute name="custRequestItemSeqId" type="String" mode="IN" >> optional="false"/> >>>>>> - <attribute name="note" type="String" mode="IN" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="note" type="String" mode="IN" >> optional="false" allow-html="any"/> >>>>>> <attribute name="noteId" type="String" mode="OUT" >> optional="false"/> >>>>>> <attribute name="partyId" type="String" mode="INOUT" >> optional="true"/><!-- party who created the note --> >>>>>> <attribute name="fromPartyId" type="String" mode="OUT" >> optional="true"/><!-- party to be notified --> >>>>>> @@ -178,7 +178,7 @@ under the License. >>>>>> <description>Set the Customer Request Status</description> >>>>>> <attribute name="custRequestId" type="String" mode="INOUT" >> optional="false"/> >>>>>> <attribute name="statusId" type="String" mode="IN" >> optional="false"/> >>>>>> - <attribute name="reason" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="reason" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> <attribute name="oldStatusId" type="String" mode="OUT" >> optional="true"/> >>>>>> <attribute name="fromPartyId" type="String" mode="OUT" >> optional="true"/><!-- for notification services --> >>>>>> <attribute name="custRequestName" type="String" mode="OUT" >> optional="true"/><!-- for notification services --> >>>>>> @@ -192,9 +192,9 @@ under the License. >>>>>> <attribute name="custRequestId" mode="IN" type="String" >> optional="true"/> >>>>>> <attribute name="custRequestId" mode="OUT" type="String" >> optional="false"/> >>>>>> <attribute name="custRequestTypeId" mode="IN" type="String" >> optional="true"/> >>>>>> - <attribute name="custRequestName" mode="IN" type="String" >> optional="true" allow-html="safe"/> >>>>>> - <attribute name="story" mode="IN" type="String" >> optional="true" allow-html="safe"/> >>>>>> - <override name="content" allow-html="safe"/> >>>>>> + <attribute name="custRequestName" mode="IN" type="String" >> optional="true" allow-html="any"/> >>>>>> + <attribute name="story" mode="IN" type="String" >> optional="true" allow-html="any"/> >>>>>> + <override name="content" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <!-- custRequest content services --> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/party/servicedef/services.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> party/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/party/servicedef/services.xml (original) >> +++ ofbiz/trunk/applications/party/servicedef/services.xml >>>>>> Mon Oct 28 12:12:43 2013 @@ -120,7 +120,7 @@ under the License. >>>>>> <attribute name="externalId" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="statusId" type="String" mode="IN" >> optional="true"/> >>>>>> <override name="groupName" optional="false"/> >>>>>> - <override name="comments" allow-html="safe"/> >>>>>> + <override name="comments" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updatePartyGroup" engine="java" >> default-entity-name="PartyGroup" >>>>>> location="org.ofbiz.party.party.PartyServices" >> invoke="updatePartyGroup" auth="true"> >>>>>> @@ -133,7 +133,7 @@ under the License. >>>>>> <attribute name="preferredCurrencyUomId" type="String" >> mode="IN" optional="true"/> >>>>>> <attribute name="externalId" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="statusId" type="String" mode="IN" >> optional="true"/> >>>>>> - <override name="comments" allow-html="safe"/> >>>>>> + <override name="comments" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <service name="savePartyNameChange" engine="simple" >>>>>> @@ -379,7 +379,7 @@ under the License. >>>>>> <description>create a company/contact relationship and add the >> related roles</description> >>>>>> <attribute name="accountPartyId" type="String" mode="IN"/> >>>>>> <attribute name="contactPartyId" type="String" mode="IN"/> >>>>>> - <attribute name="comments" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="comments" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <!-- ContactMech services --> >>>>>> @@ -768,9 +768,9 @@ under the License. >>>>>> <attribute name="custRequestId" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="action" type="String" mode="IN" >> optional="true"/><!-- to indicate any special action like: REPLY, >>>>>> REPLYALL, FORWARD or empty for no special action--> <override >> name="headerString" allow-html="any"/> >>>>>> - <override name="content" allow-html="safe"/> >>>>>> - <override name="messageId" allow-html="safe"/> >>>>>> - <override name="subject" allow-html="safe"/> >>>>>> + <override name="content" allow-html="any"/> >>>>>> + <override name="messageId" allow-html="any"/> >>>>>> + <override name="subject" allow-html="any"/> >>>>>> </service> >>>>>> <service name="createCommunicationEvent" engine="simple" >>>>>> location="component://party/script/org/ofbiz/party/ >> communication/CommunicationEventServices.xml" >>>>>> invoke="createCommunicationEventWithPermission" auth="true"> @@ >> -792,9 +792,9 @@ under the License. >>>>>> <auto-attributes entity-name="CommunicationEvent" >> include="nonpk" mode="IN" optional="true"/> >>>>>> <attribute name="contactMechPurposeTypeIdFrom" type="String" >> mode="IN" optional="true"><description>Set a specific >>>>>> purpose for the originator email</description></attribute> >> <attribute name="oldStatusId" type="String" mode="OUT" >>>>>> optional="true"/> >>>>>> - <override name="messageId" allow-html="safe"/> >>>>>> - <override name="content" allow-html="safe"/> >>>>>> - <override name="subject" allow-html="safe"/> >>>>>> + <override name="messageId" allow-html="any"/> >>>>>> + <override name="content" allow-html="any"/> >>>>>> + <override name="subject" allow-html="any"/> >>>>>> </service> >>>>>> <service name="deleteCommunicationEvent" engine="simple" >>>>>> location="component://party/script/org/ofbiz/party/ >> communication/CommunicationEventServices.xml" >>>>>> invoke="deleteCommunicationEvent" auth="true"> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/product/servicedef/services.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> product/servicedef/services.xml?rev=1536324&r1=1536323&r2= >> 1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/product/servicedef/services.xml (original) >> +++ >>>>>> ofbiz/trunk/applications/product/servicedef/services.xml Mon Oct 28 >> 12:12:43 2013 @@ -34,8 +34,8 @@ under the License. >>>>>> <exclude field-name="lastModifiedDate"/> >>>>>> <exclude field-name="lastModifiedByUserLogin"/> >>>>>> </auto-attributes> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> - <override name="longDescription" allow-html="safe"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> + <override name="longDescription" allow-html="any"/> >>>>>> </service> >>>>>> <service name="createProduct" default-entity-name="Product" >> engine="simple" >>>>>> location="component://product/ >> script/org/ofbiz/product/product/ProductServices.xml" >> invoke="createProduct" >>>>>> auth="true"> @@ -70,8 +70,8 @@ under the License. >>>>>> <attribute name="oldProductId" type="String" mode="IN" >> optional="false"/> >>>>>> <attribute name="newInternalName" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="newProductName" type="String" mode="IN" >> optional="true"/> >>>>>> - <attribute name="newDescription" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> - <attribute name="newLongDescription" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="newDescription" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> + <attribute name="newLongDescription" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> <attribute name="duplicatePrices" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="duplicateIDs" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="duplicateContent" type="String" mode="IN" >> optional="true"/> >>>>>> @@ -392,7 +392,7 @@ under the License. >>>>>> <auto-attributes mode="IN" entity-name="Content" >> optional="true"/> >>>>>> <attribute name="subject" type="String" mode="IN" >> optional="false"/> >>>>>> <attribute name="plainBody" type="String" mode="IN" >> optional="false"/> >>>>>> - <attribute name="htmlBody" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="htmlBody" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> <override name="contentId" optional="true" mode="INOUT"/> >>>>>> </service> >>>>>> <service name="updateEmailContentForProduct" default-entity-name="ProductContent" >> engine="simple" >>>>>> @@ -405,7 +405,7 @@ under the License. >>>>>> <attribute name="plainBodyDataResourceId" type="String" >> mode="IN" optional="true"/> >>>>>> <attribute name="plainBody" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="htmlBodyDataResourceId" type="String" >> mode="IN" optional="true"/> >>>>>> - <attribute name="htmlBody" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="htmlBody" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> </service> >>>>>> <service name="createDownloadContentForProduct" >> default-entity-name="ProductContent" engine="simple" >>>>>> location="component://product/script/org/ofbiz/product/ >> product/ProductContentServices.xml" >>>>>> invoke="createDownloadContentForProduct" auth="true"> @@ -431,7 >> +431,7 @@ under the License. >>>>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes entity-name="Content" include="nonpk" >> mode="IN" optional="true"/> >>>>>> - <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="any"/> >>>>>> <override name="contentId" optional="true"/> >>>>>> <override name="fromDate" optional="true"/> >>>>>> </service> >>>>>> @@ -441,13 +441,13 @@ under the License. >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes mode="IN" entity-name="Content" >> optional="true"/> >>>>>> <attribute name="textDataResourceId" type="String" mode="IN" >> optional="true"/> >>>>>> - <attribute name="text" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="text" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <service name="createSimpleTextContentForAlternateLocale" >> engine="simple" >>>>>> location="component://product/script/org/ofbiz/product/ >> product/ProductContentServices.xml" >>>>>> invoke="createSimpleTextContentForAlternateLocale"> >> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>>>>> <attribute name="mainContentId" type="String" mode="IN" >> optional="false"/> - <attribute name="text" type="String" >>>>>> mode="IN" optional="false" allow-html="safe"/> + <attribute >> name="text" type="String" mode="IN" optional="false" >>>>>> allow-html="any"/> <override name="localeString" >> optional="false"/> >>>>>> <override name="contentId" mode="INOUT"/> >>>>>> </service> >>>>>> @@ -967,7 +967,7 @@ under the License. >>>>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes entity-name="Content" include="nonpk" >> mode="IN" optional="true"/> >>>>>> - <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="any"/> >>>>>> <override name="contentId" optional="true"/> >>>>>> <override name="fromDate" optional="true"/> >>>>>> </service> >>>>>> @@ -977,7 +977,7 @@ under the License. >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes entity-name="Content" include="nonpk" >> mode="IN" optional="true"/> >>>>>> <attribute name="textDataResourceId" type="String" mode="IN" >> optional="true"/> >>>>>> - <attribute name="text" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="text" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <service name="updateContentSEOForCategory" engine="simple" >>>>>> @@ -1201,7 +1201,7 @@ under the License. >>>>>> <auto-attributes include="pk" mode="IN" optional="true"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes mode="IN" entity-name="Content" >> optional="true"/> >>>>>> - <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="text" type="String" mode="IN" >> optional="false" allow-html="any"/> >>>>>> <override name="contentId" optional="true"/> >>>>>> </service> >>>>>> <service name="updateSimpleTextContentForProductConfigItem" >> default-entity-name="ProdConfItemContent" engine="simple" >>>>>> @@ -1210,7 +1210,7 @@ under the License. >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <auto-attributes mode="IN" entity-name="Content" >> optional="true"/> >>>>>> <attribute name="textDataResourceId" type="String" mode="IN" >> optional="true"/> >>>>>> - <attribute name="text" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="text" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> </service> >>>>>> <service name="getProductFeaturesByType" engine="java" >>>>>> location="org.ofbiz.product.feature.ProductFeatureServices" >> invoke="getProductFeaturesByType"> >>>>>> Modified: ofbiz/trunk/applications/product/servicedef/services_ >> pricepromo.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> product/servicedef/services_pricepromo.xml?rev=1536324&r1= >> 1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >> Mon Oct 28 12:12:43 2013 @@ -138,7 +138,7 @@ under the >>>>>> License. <exclude field-name="lastModifiedByUserLogin"/> >>>>>> </auto-attributes> >>>>>> <override name="promoName" optional="false"/> >>>>>> - <override name="promoText" allow-html="safe"/> >>>>>> + <override name="promoText" allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateProductPromo" default-entity-name="ProductPromo" >> engine="simple" >>>>>> location="component://product/ >> script/org/ofbiz/product/promo/PromoServices.xml" >> invoke="updateProductPromo" >>>>>> auth="true"> @@ -150,7 +150,7 @@ under the License. >>>>>> <exclude field-name="lastModifiedDate"/> >>>>>> <exclude field-name="lastModifiedByUserLogin"/> >>>>>> </auto-attributes> >>>>>> - <override name="promoText" allow-html="safe"/> >>>>>> + <override name="promoText" allow-html="any"/> >>>>>> </service> >>>>>> <service name="deleteProductPromo" default-entity-name="ProductPromo" >> engine="simple" >>>>>> location="component://product/ >> script/org/ofbiz/product/promo/PromoServices.xml" >> invoke="deleteProductPromo" >>>>>> auth="true"> >>>>>> >>>>>> Modified: ofbiz/trunk/applications/workeffort/servicedef/services.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >> workeffort/servicedef/services.xml?rev=1536324&r1= >> 1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml >> (original) +++ >>>>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml Mon Oct >> 28 12:12:43 2013 @@ -35,8 +35,8 @@ under the License. >>>>>> <exclude field-name="lastModifiedDate"/> >>>>>> <exclude field-name="lastModifiedByUserLogin"/> >>>>>> </auto-attributes> >>>>>> - <override name="workEffortName" allow-html="safe"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="workEffortName" allow-html="any"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> <service name="createWorkEffort" default-entity-name="WorkEffort" >> engine="simple" >>>>>> location="component://workeffort/script/org/ofbiz/ >> workeffort/workeffort/WorkEffortSimpleServices.xml" >>>>>> invoke="createWorkEffort"> @@ -50,9 +50,9 @@ under the License. >>>>>> <attribute name="communicationEventId" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="webSiteId" type="String" mode="IN" >> optional="true"/><!-- for notification services --> >>>>>> <override name="workEffortTypeId" optional="false"/> >>>>>> - <override name="workEffortName" optional="false" >> allow-html="safe"/> >>>>>> + <override name="workEffortName" optional="false" >> allow-html="any"/> >>>>>> <override name="currentStatusId" optional="false"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> <service name="createWorkEffortAndPartyAssign" >> default-entity-name="WorkEffort" engine="simple" >>>>>> location="component://workeffort/script/org/ofbiz/ >> workeffort/workeffort/WorkEffortSimpleServices.xml" >>>>>> invoke="createWorkEffortAndPartyAssign"> @@ -429,7 +429,7 @@ under >> the License. >>>>>> <auto-attributes include="pk" mode="IN" optional="false" >> entity-name="CustRequestWorkEffort"/> >>>>>> <auto-attributes include="all" mode="IN" optional="true" >> entity-name="CustRequest"/> >>>>>> <override name="custRequestId" optional="true" mode="INOUT"/> >>>>>> - <override name="description" allow-html="safe"/> >>>>>> + <override name="description" allow-html="any"/> >>>>>> </service> >>>>>> <service name="deleteWorkEffortRequest" engine="simple" >>>>>> location="component://workeffort/script/org/ofbiz/ >> workeffort/workeffort/WorkEffortSimpleServices.xml" >>>>>> invoke="deleteWorkEffortRequest" auth="true"> <description>Deletes a >> CustRequestWorkEffort</description> >>>>>> Modified: ofbiz/trunk/framework/common/servicedef/services.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/ >> servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/framework/common/servicedef/services.xml (original) +++ >> ofbiz/trunk/framework/common/servicedef/services.xml Mon >>>>>> Oct 28 12:12:43 2013 @@ -63,7 +63,7 @@ under the License. >>>>>> <description>Create a new note record</description> >>>>>> <attribute name="partyId" type="String" mode="INOUT" >> optional="true"/> >>>>>> <attribute name="noteName" type="String" mode="IN" >> optional="true"/> >>>>>> - <attribute name="note" type="String" mode="IN" >> allow-html="safe"/> >>>>>> + <attribute name="note" type="String" mode="IN" >> allow-html="any"/> >>>>>> <attribute name="noteId" type="String" mode="OUT"/> >>>>>> </service> >>>>>> >>>>>> @@ -72,7 +72,7 @@ under the License. >>>>>> <description>Update a note record</description> >>>>>> <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> - <override name="noteInfo" allow-html="safe"/> >>>>>> + <override name="noteInfo" allow-html="any"/> >>>>>> </service> >>>>>> >>>>>> <service name="adjustDebugLevels" engine="java" >>>>>> @@ -109,7 +109,7 @@ under the License. >>>>>> <auto-attributes include="pk" mode="OUT" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <override name="enumTypeId" optional="false"/> >>>>>> - <override name="description" optional="false" >> allow-html="safe"/> >>>>>> + <override name="description" optional="false" >> allow-html="any"/> >>>>>> </service> >>>>>> <service name="updateEnumeration" default-entity-name="Enumeration" >> engine="simple" >>>>>> location="component://common/script/org/ofbiz/common/EnumerationServices.xml" >> invoke="updateEnumeration" auth="true"> >>>>>> @@ -118,7 +118,7 @@ under the License. >>>>>> <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>> <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>> <override name="enumTypeId" optional="false"/> >>>>>> - <override name="description" optional="false" >> allow-html="safe"/> >>>>>> + <override name="description" optional="false" >> allow-html="any"/> >>>>>> </service> >>>>>> <service name="deleteEnumeration" default-entity-name="Enumeration" >> engine="entity-auto" invoke="delete" auth="true"> >>>>>> <description>Delete a Enumeration</description> >>>>>> >>>>>> Modified: ofbiz/trunk/framework/common/servicedef/services_email.xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/ >> servicedef/services_email.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/framework/common/servicedef/services_email.xml >> (original) +++ >>>>>> ofbiz/trunk/framework/common/servicedef/services_email.xml Mon Oct >> 28 12:12:43 2013 @@ -42,7 +42,7 @@ under the License. >>>>>> <attribute name="sendFailureNotification" mode="IN" >> type="Boolean" optional="true"/> >>>>>> <attribute name="sendPartial" mode="IN" type="Boolean" >> optional="true"/> >>>>>> <attribute name="startTLSEnabled" mode="IN" type="Boolean" >> optional="true"/> >>>>>> - <attribute name="subject" type="String" mode="INOUT" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="subject" type="String" mode="INOUT" >> optional="true" allow-html="any"/> >>>>>> <attribute name="contentType" type="String" mode="INOUT" >> optional="true"/> >>>>>> <attribute name="partyId" type="String" mode="INOUT" >> optional="true"/> >>>>>> <attribute name="messageId" type="String" mode="INOUT" >> optional="true"/> >>>>>> @@ -56,7 +56,7 @@ under the License. >>>>>> <service name="sendMailOnePartInterface" engine="interface" >> location="" invoke=""> >>>>>> <description>Interface service for sendMail* >> services.</description> >>>>>> <implements service="sendMailInterface"/> >>>>>> - <attribute name="body" type="String" mode="INOUT" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="body" type="String" mode="INOUT" >> optional="false" allow-html="any"/> >>>>>> <override name="contentType" mode="INOUT"/> >>>>>> <override name="subject" mode="INOUT" optional="false"/> >>>>>> <override name="emailType" type="String" mode="INOUT" >> optional="true"/> >>>>>> @@ -98,12 +98,12 @@ under the License. >>>>>> <implements service="sendMailInterface"/> >>>>>> <attribute name="bodyUrl" type="String" mode="IN" >> optional="false"/> >>>>>> <attribute name="bodyUrlParameters" type="Map" mode="IN" >> optional="true"/> >>>>>> - <attribute name="body" type="String" mode="OUT" >> optional="false" allow-html="safe"/> >>>>>> + <attribute name="body" type="String" mode="OUT" >> optional="false" allow-html="any"/> >>>>>> </service> >>>>>> <service name="sendMailFromScreenInterface" engine="interface" >> location="" invoke=""> >>>>>> <description>Interface service for E-Mail sent From Screen >> Widget</description> >>>>>> <implements service="sendMailInterface"/> >>>>>> - <attribute name="bodyText" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="bodyText" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> <attribute name="bodyScreenUri" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="xslfoAttachScreenLocation" type="String" >> mode="IN" optional="true"/> >>>>>> <attribute name="attachmentName" type="String" mode="IN" >> optional="true"/> >>>>>> @@ -132,7 +132,7 @@ under the License. >>>>>> <implements service="sendMailInterface"/> >>>>>> <attribute name="emailTemplateSettingId" type="String" >> mode="IN" optional="false"/> >>>>>> <attribute name="partyIdTo" type="String" mode="IN" >> optional="true"/> >>>>>> - <attribute name="bodyText" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="bodyText" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> <attribute name="attachmentName" type="String" mode="IN" >> optional="true"/> >>>>>> <attribute name="bodyParameters" type="Map" mode="IN" >> optional="true"/> >>>>>> <attribute name="webSiteId" type="String" mode="IN" >> optional="true"/> >>>>>> @@ -143,8 +143,8 @@ under the License. >>>>>> location="" invoke=""> >>>>>> <description>Send Template Based Notification >> Service</description> >>>>>> <implements service="sendMailInterface"/> >>>>>> - <attribute name="body" type="String" mode="INOUT" >> optional="true" allow-html="safe"/> >>>>>> - <attribute name="baseUrl" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="body" type="String" mode="INOUT" >> optional="true" allow-html="any"/> >>>>>> + <attribute name="baseUrl" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> <attribute name="templateName" type="String" mode="IN" >> optional="false"/> >>>>>> <attribute name="templateData" type="Map" mode="IN" >> optional="true"/> >>>>>> <attribute name="webSiteId" type="String" mode="IN" >> optional="true"/> >>>>>> @@ -153,7 +153,7 @@ under the License. >>>>>> location="" invoke=""> >>>>>> <description>Send Template Based Notification >> Service</description> >>>>>> <implements service="prepareNotificationInterface"/> >>>>>> - <attribute name="body" type="String" mode="IN" >> optional="true" allow-html="safe"/> >>>>>> + <attribute name="body" type="String" mode="IN" >> optional="true" allow-html="any"/> >>>>>> <attribute name="templateName" type="String" mode="IN" >> optional="false"/> >>>>>> <attribute name="templateData" type="Map" mode="IN" >> optional="true"/> >>>>>> <attribute name="webSiteId" type="String" mode="IN" >> optional="true"/> >>>>>> Modified: ofbiz/trunk/framework/service/dtd/services.xsd >>>>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ >> dtd/services.xsd?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>> ============================================================ >> ================== >>>>>> --- ofbiz/trunk/framework/service/dtd/services.xsd (original) >>>>>> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Oct 28 >> 12:12:43 2013 >>>>>> @@ -106,6 +106,7 @@ under the License. >>>>>> If set to true and there is a transaction already >> in place the Service Engine will suspend that transaction, >>>>>> begin a new one just for this service, commit or >> rollback the local transaction when the service is >>>>>> complete, and will resume the original >> transaction. If set to true and there is no transaction already in >>>>>> place it will just begin a transaction and manage it as would be done >> for a normal user-transaction=true. If >>>>>> use-transaction=false this setting is ignored. + >> Beware: using require-new-transaction=true >>>>>> in a service called (maybe not directly) by a pre-invoke >> or earlier event ( preprocessor, firstvisit and so on) is >>>>>> not yet supported. </xs:documentation> </xs:annotation> >> <xs:simpleType> >>>>>> @@ -348,11 +349,18 @@ under the License. >>>>>> </xs:simpleType> >>>>>> </xs:attribute> >>>>>> <xs:attribute name="allow-html" use="optional" default="none"> >>>>>> - <xs:annotation><xs:documentation>See the documentation >> on the allow-html attribute of the "attribute" >>>>>> element.</xs:documentation></xs:annotation> + >> <xs:annotation> >>>>>> + <xs:documentation> >>>>>> + Applies only to String fields. >>>>>> + Only checked for incoming parameters/attributes >> (could change in the future, but this is meant for >>>>>> validating input from users, other systems, etc). + >> Defaults to "none" meaning no HTML is allowed (will >>>>>> result in an error message). + If some HTML is >> desired then use "any". >>>>>> + There was previously "safe" but it's deprecated >>>>>> + </xs:documentation> >>>>>> + </xs:annotation> >>>>>> <xs:simpleType> >>>>>> <xs:restriction base="xs:token"> >>>>>> <xs:enumeration value="any"/> >>>>>> - <xs:enumeration value="safe"/> >>>>>> <xs:enumeration value="none"/> >>>>>> </xs:restriction> >>>>>> </xs:simpleType> >>>>>> @@ -424,13 +432,12 @@ under the License. >>>>>> Applies only to String fields. >>>>>> Only checked for incoming parameters/attributes (could >> change in the future, but this is meant for validating >>>>>> input from users, other systems, etc). Defaults to >> "none" meaning no HTML is allowed (will result in an error >>>>>> message). >>>>>> - If some HTML is desired then use "safe" which will >> follow the rules in the antisamy-esapi.xml file. This >>>>>> should be safe for both internal and public users. >>>>>> - In rare cases when users are trusted or it is not a >> sensitive field the "any" option may be used to not check >>>>>> the HTML content at all. + If some HTML is desired >> then use "any". >>>>>> + There was previously "safe" but it's deprecated >>>>>> </xs:documentation></xs:annotation> >>>>>> <xs:simpleType> >>>>>> <xs:restriction base="xs:token"> >>>>>> <xs:enumeration value="any"/> >>>>>> - <xs:enumeration value="safe"/> >>>>>> <xs:enumeration value="none"/> >>>>>> </xs:restriction> >>>>>> </xs:simpleType> >>>>>> @@ -477,11 +484,18 @@ under the License. >>>>>> </xs:simpleType> >>>>>> </xs:attribute> >>>>>> <xs:attribute name="allow-html" use="optional"> >>>>>> - <xs:annotation><xs:documentation>See the documentation >> on the allow-html attribute of the "attribute" element. >>>>>> Note that it is slightly different here as there is no >> defualt.</xs:documentation></xs:annotation> + <xs:annotation> >>>>>> + <xs:documentation> >>>>>> + Applies only to String fields. >>>>>> + Only checked for incoming parameters/attributes >> (could change in the future, but this is meant for >>>>>> validating input from users, other systems, etc). + >> There is no default, "none" means no HTML is allowed >>>>>> (will result in an error message). + If some HTML >> is desired then use "any". >>>>>> + There was previously "safe" but it's deprecated >>>>>> + </xs:documentation> >>>>>> + </xs:annotation> >>>>>> <xs:simpleType> >>>>>> <xs:restriction base="xs:token"> >>>>>> <xs:enumeration value="any"/> >>>>>> - <xs:enumeration value="safe"/> >>>>>> <xs:enumeration value="none"/> >>>>>> </xs:restriction> >>>>>> </xs:simpleType> >>>>>> >>>>>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ >> ModelService.java >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ >> src/org/ofbiz/service/ModelService.java?rev=1536324& >> r1=1536323&r2=1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >> (original) +++ >>>>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >> Mon Oct 28 12:12:43 2013 @@ -575,18 +575,12 @@ public >>>>>> class ModelService extends Abstra // required and type >> validation complete, do allow-html validation >>>>>> if ("IN".equals(mode)) { >>>>>> List<String> errorMessageList = FastList.newInstance(); >>>>>> - for (ModelParam modelParam: this.contextInfo.values()) { >>>>>> - if (context.get(modelParam.name) != null && >>>>>> - ("String".equals(modelParam.type) || >> "java.lang.String".equals(modelParam.type)) && >>>>>> - !"any".equals(modelParam.allowHtml) && >>>>>> - ("INOUT".equals(modelParam.mode) || >> "IN".equals(modelParam.mode))) { >>>>>> - // the param is a String, allow-html is none or >> safe, and we are looking at an IN parameter during input >>>>>> parameter validation + for (ModelParam modelParam : >> this.contextInfo.values()) { >>>>>> + // the param is a String, allow-html is not any, and >> we are looking at an IN parameter during input parameter >>>>>> validation + if (context.get(modelParam.name) != null >> && ("String".equals(modelParam.type) || >>>>>> "java.lang.String".equals(modelParam.type)) + >> && !"any".equals(modelParam.allowHtml) && >>>>>> ("INOUT".equals(modelParam.mode) || >> "IN".equals(modelParam.mode))) { String value = (String) >>>>>> context.get(modelParam.name); >>>>>> - if ("none".equals(modelParam.allowHtml)) { >>>>>> - StringUtil.checkStringForHtmlStrictNone(modelParam.name, >> value, errorMessageList); >>>>>> - } else if ("safe".equals(modelParam.allowHtml)) >> { >>>>>> - StringUtil.checkStringForHtmlSafeOnly(modelParam.name, >> value, errorMessageList); >>>>>> - } >>>>>> + StringUtil.checkStringForHtmlStrictNone(modelParam.name, >> value, errorMessageList); >>>>>> } >>>>>> } >>>>>> if (errorMessageList.size() > 0) { >>>>>> >>>>>> Modified: ofbiz/trunk/specialpurpose/ebaystore/servicedef/services. >> xml >>>>>> URL: >>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ >> ebaystore/servicedef/services.xml?rev=1536324&r1=1536323&r2= >> 1536324&view=diff >>>>>> ============================================================================== >> --- >>>>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >> (original) +++ >>>>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml Mon Oct >> 28 12:12:43 2013 @@ -491,7 +491,7 @@ under the License. >>>>>> <attribute name="itemId" mode="IN" type="String" >> optional="false"/> >>>>>> <attribute name="listingType" mode="IN" type="String" >> optional="true"/> >>>>>> <attribute name="title" mode="IN" type="String" >> optional="true"/> >>>>>> - <attribute name="description" mode="IN" type="String" >> allow-html="safe"/> >>>>>> + <attribute name="description" mode="IN" type="String" >> allow-html="any"/> >>>>>> <attribute name="price" mode="IN" type="String" >> optional="true"/> >>>>>> <attribute name="currencyId" mode="IN" type="String" >> optional="true"/> >>>>>> <attribute mode="IN" name="imageData" optional="true" >> type="java.nio.ByteBuffer"/> >> |
Administrator
|
Hi,
If you want to test it's ready. I should commit in a week... All feedback is appreciated Jacques Le 15/05/2019 à 18:43, Jacques Le Roux a écrit : > Hi Scott, Jacopo, All, > > I have finally reopened OFBIZ-5254 as I propose a solution for this issue in a new patch. > > checkStringForHtmlSafeOnly() is still a WIP and can be improved, fortunately by using extendible policies > > Jacques > > Le 03/09/2016 à 11:27, Jacopo Cappellato a écrit : >> I am resurrecting this old thread, because I think that Scott's remarks and >> concerns to Jacques' commit were valid and the response of Jacques was not >> satisfactory: in fact the two tickets Jacques mentioned have been resolved >> but the issues that Scott identified in Jacques' commit are still there. >> We should consider reverting the commit but my post for now is as a >> reminder and to restart the conversation. >> >> Jacopo >> >> >> On Sat, Dec 28, 2013 at 12:54 AM, Jacques Le Roux < >> [hidden email]> wrote: >> >>> That's why https://issues.apache.org/jira/browse/OFBIZ-5254 is not >>> closed, just resolved as incomplete. In other word it's a temporary >>> unsatisfying solution. >>> The idea is to continue https://issues.apache.org/jira/browse/OFBIZ-5343 >>> All good wills are welcome >>> >>> Jacques >>> >>> On Friday, December 27, 2013 11:20 PM [hidden email] wrote >>>> "safe" should not have been deprecated. The input should have just been >>> cleansed as an interim measure until a better solution >>>> could be found. >>>> >>>> Regards >>>> Scott >>>> >>>> On 27/12/2013, at 9:37 PM, Jacques Le Roux wrote: >>>> >>>>> I agree, it's in my long TODO list... >>>>> >>>>> Jacques >>>>> >>>>> On Friday, December 27, 2013 8:43 PM [hidden email] wrote >>>>>> This is not a fix, the problem was that "safe" wasn't filtering unsafe >>> html or returning an error. Taking all "safe" input >>>>>> parameters and making them "any" because "safe" wasn't working as >>> intended is a bit silly to say the least. >>>>>> Regards >>>>>> Scott >>>>>> >>>>>> On 28/10/2013, at 12:12 PM, [hidden email] wrote: >>>>>> >>>>>>> Author: jleroux >>>>>>> Date: Mon Oct 28 12:12:43 2013 >>>>>>> New Revision: 1536324 >>>>>>> >>>>>>> URL: http://svn.apache.org/r1536324 >>>>>>> Log: >>>>>>> Fixes <<Services allow arbitrary HTML for parameters with allow-html >>> set to "safe">> >>>>>>> https://issues.apache.org/jira/browse/OFBIZ-5254 >>>>>>> >>>>>>> After r751990, <<allow-html="any">> and <<allow-html="safe">> are the >>> same: they do nothing! The only difference is the warning >>>>>>> message from the OWASP Antisamy IntrusionDetector, which is both, as >>> Christoph noted "giving you a false sense of security" or >>>>>>> as I wrote "disturbing, wrong and useless". So there are no longer >>> any reasons for differencing "safe" and "any". >>>>>>> This >>>>>>> * Deprecates "safe" (making it clear in the XSD documentation), >>> keeping only "none" and "any". This is for backward >>>>>>> compatibility, else we could completely remove the misleading "safe". >>> Note that "none" is the default. >>>>>>> * Replaces in services definition all allow-html="safe" by >>> allow-html="any" >>>>>>> * Remove from ModelService.java (near line 587) the code which throws >>> the OWASP Antisamy IntrusionDetector message in log >>>>>>> Modified: >>>>>>>   ofbiz/trunk/applications/accounting/servicedef/ >>> services_agreement.xml >>>>>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >>>>>>> ofbiz/trunk/applications/content/servicedef/services.xml >>>>>>> ofbiz/trunk/applications/content/servicedef/services_content.xml >>>>>>> ofbiz/trunk/applications/content/servicedef/services_data.xml >>>>>>> ofbiz/trunk/applications/marketing/servicedef/services_ >>> opportunity.xml >>>>>>> ofbiz/trunk/applications/order/servicedef/services.xml >>>>>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml >>>>>>> ofbiz/trunk/applications/order/servicedef/services_request.xml >>>>>>> ofbiz/trunk/applications/party/servicedef/services.xml >>>>>>> ofbiz/trunk/applications/product/servicedef/services.xml >>>>>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >>>>>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml >>>>>>> ofbiz/trunk/framework/common/servicedef/services.xml >>>>>>> ofbiz/trunk/framework/common/servicedef/services_email.xml >>>>>>>   ofbiz/trunk/framework/service/dtd/services.xsd >>>>>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ >>> ModelService.java >>>>>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/accounting/servicedef/ >>> services_agreement.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> accounting/servicedef/services_agreement.xml?rev= >>> 1536324&r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml >>> Mon Oct 28 12:12:43 2013 @@ -30,7 +30,7 @@ under the >>>>>>>        License. <permission-service service-name="acctgAgreementPermissionCheck" >>> main-action="CREATE"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes include="pk" mode="OUT" optional="true"/> >>>>>>> -       <override name="textData" allow-html="safe"/> >>>>>>> +       <override name="textData" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateAgreement" default-entity-name="Agreement" >>> engine="simple" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/agreement/AgreementServices.xml" >>>>>>> invoke="updateAgreement" auth="true"> @@ -38,7 +38,7 @@ under the >>> License. >>>>>>>        <permission-service service-name="acctgAgreementPermissionCheck" >>> main-action="UPDATE"/> >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <override name="textData" allow-html="safe"/> >>>>>>> +       <override name="textData" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="cancelAgreement" default-entity-name="Agreement" >>> engine="simple" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/agreement/AgreementServices.xml" >>>>>>> invoke="cancelAgreement" auth="true"> @@ -65,7 +65,7 @@ under the >>> License. >>>>>>>        <permission-service service-name="acctgAgreementPermissionCheck" >>> main-action="CREATE"/> >>>>>>>        <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <override name="agreementText" allow-html="safe"/> >>>>>>> +       <override name="agreementText" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateAgreementItem" default-entity-name="AgreementItem" >>> engine="simple" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/agreement/AgreementServices.xml" >>>>>>> invoke="updateAgreementItem" auth="true"> @@ -73,7 +73,7 @@ under the >>> License. >>>>>>>        <permission-service service-name="acctgAgreementPermissionCheck" >>> main-action="UPDATE"/> >>>>>>>        <auto-attributes include="pk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <override name="agreementText" allow-html="safe"/> >>>>>>> +       <override name="agreementText" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="removeAgreementItem" default-entity-name="AgreementItem" >>> engine="simple" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/agreement/AgreementServices.xml" >>>>>>> invoke="removeAgreementItem" auth="true"> @@ -90,7 +90,7 @@ under the >>> License. >>>>>>>        <permission-service service-name="acctgAgreementPermissionCheck" >>> main-action="CREATE"/> >>>>>>>        <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <override name="textValue" allow-html="safe"/> >>>>>>> +       <override name="textValue" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateAgreementTerm" default-entity-name="AgreementTerm" >>> engine="simple" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/agreement/AgreementServices.xml" >>>>>>> invoke="updateAgreementTerm" auth="true"> @@ -98,7 +98,7 @@ under the >>> License. >>>>>>>        <permission-service service-name="acctgAgreementPermissionCheck" >>> main-action="UPDATE"/> >>>>>>>        <auto-attributes include="pk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <override name="textValue" allow-html="safe"/> >>>>>>> +       <override name="textValue" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" >>> engine="simple" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/agreement/AgreementServices.xml" >>>>>>> invoke="deleteAgreementTerm" auth="true"> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/accounting/servicedef/ >>> services_invoice.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> accounting/servicedef/services_invoice.xml?rev= >>> 1536324&r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml >>> Mon Oct 28 12:12:43 2013 @@ -56,8 +56,8 @@ under the >>>>>>>        License. <override name="invoiceTypeId" mode="IN" >>> optional="false"/> >>>>>>>        <override name="partyIdFrom" mode = "IN" optional="false"/> >>>>>>>        <override name="partyId" mode = "IN" optional="false"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> -       <override name="invoiceMessage" allow-html="safe"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>> +       <override name="invoiceMessage" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="copyInvoice" engine="simple" >>> default-entity-name="Invoice" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/invoice/InvoiceServices.xml" invoke="copyInvoice"> >>>>>>> @@ -80,8 +80,8 @@ under the License. >>>>>>>        <permission-service service-name="acctgInvoicePermissionCheck" >>> main-action="UPDATE"/> >>>>>>>        <auto-attributes mode="IN" include="pk" optional="false"/> >>>>>>>        <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> -       <override name="invoiceMessage" allow-html="safe"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>> +       <override name="invoiceMessage" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="setInvoiceStatus" engine="simple" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/invoice/InvoiceServices.xml" invoke="setInvoiceStatus"> >>>>>>> @@ -117,7 +117,7 @@ under the License. >>>>>>>        <auto-attributes mode="IN" include="pk" optional="false"/> >>>>>>>        <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>>>>>        <override name="invoiceItemSeqId" mode="INOUT" >>> optional="true"/><!-- will optionally be assigned by the system --> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateInvoiceItem" engine="simple" >>> default-entity-name="InvoiceItem" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/invoice/InvoiceServices.xml" invoke="updateInvoiceItem"> >>>>>>> @@ -125,7 +125,7 @@ under the License. >>>>>>>        <permission-service service-name="acctgInvoicePermissionCheck" >>> main-action="UPDATE"/> >>>>>>>        <auto-attributes mode="INOUT" include="pk" optional="false"/> >>>>>>>        <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="removeInvoiceItem" engine="simple" >>> default-entity-name="InvoiceItem" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/invoice/InvoiceServices.xml" invoke="removeInvoiceItem"> >>>>>>> @@ -276,7 +276,7 @@ under the License. >>>>>>>        <attribute name="sendTo" type="String" mode="IN" >>> optional="false"/> >>>>>>>        <attribute name="sendCc" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="subject" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="bodyText" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="bodyText" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="other" type="String" mode="IN" >>> optional="true"/><!-- to send the invoice in the 'other' currency (y) >>>>>>>    --> </service> >>>>>>>    <service name="checkInvoicePaymentApplications" engine="java" >>>>>>> @@ -412,7 +412,7 @@ under the License. >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes entity-name="Content" include="nonpk" >>> mode="IN" optional="true"/> >>>>>>> -       <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="any"/> >>>>>>>        <override name="contentId" optional="true"/> >>>>>>>        <override name="fromDate" optional="true"/> >>>>>>>    </service> >>>>>>> @@ -422,7 +422,7 @@ under the License. >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes mode="IN" entity-name="Content" >>> optional="true"/> >>>>>>>        <attribute name="textDataResourceId" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="text" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="text" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="isInvoiceInForeignCurrency" engine="simple" >>>>>>> location="component://accounting/script/org/ofbiz/ >>> accounting/invoice/InvoiceServices.xml" >>>>>>> invoke="isInvoiceInForeignCurrency" auth="true"> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/content/servicedef/services.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> content/servicedef/services.xml?rev=1536324&r1=1536323&r2= >>> 1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/content/servicedef/services.xml (original) >>> +++ >>>>>>> ofbiz/trunk/applications/content/servicedef/services.xml Mon Oct 28 >>> 12:12:43 2013 @@ -291,12 +291,12 @@ >>>>>>>    <service name="createSimpleTextContent" engine="simple" >>>>>>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" >>> invoke="createSimpleTextContent"> >>>>>>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> - >>>       <attribute name="text" type="String" mode="IN" >>>>>>> optional="false" allow-html="safe"/> +       <attribute name="text" >>> type="String" mode="IN" optional="false" >>>>>>>        allow-html="any"/> <override name="contentId" mode="INOUT"/> >>>>>>>    </service> >>>>>>>    <service name="updateSimpleTextContent" engine="simple" >>>>>>> location="component://content/script/org/ofbiz/content/content/ContentServices.xml" >>> invoke="updateSimpleTextContent"> >>>>>>> <attribute name="textDataResourceId" type="String" mode="IN" >>> optional="true"/> -       <attribute name="text" type="String" >>>>>>> mode="IN" optional="true" allow-html="safe"/> +       <attribute >>> name="text" type="String" mode="IN" optional="true" >>>>>>>    allow-html="any"/> </service> >>>>>>> >>>>>>>    <!-- Util --> >>>>>>> @@ -452,7 +452,7 @@ >>>>>>>        <attribute mode="IN" name="forceElectronicText" >>> optional="true" type="String"/> >>>>>>>        <attribute mode="IN" name="displayFailCond" optional="true" >>> type="Boolean"/> >>>>>>>        <attribute mode="INOUT" name="roleTypeList" optional="true" >>> type="List"/> >>>>>>> -       <override name="textData" allow-html="safe"/> >>>>>>> +       <override name="textData" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <service name="persistDataResourceAndData" engine="java" >>>>>>> @@ -1052,8 +1052,8 @@ >>>>>>>        <attribute name="statusId" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="description" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="templateDataResourceId" type="String" >>> mode="IN" optional="true"/> >>>>>>> -       <attribute name="articleData" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> -       <attribute name="summaryData" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="articleData" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>> +       <attribute name="summaryData" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateBlogEntry" engine="simple" auth="true" >>>>>>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" >>> invoke="updateBlogEntry"> >>>>>>> @@ -1065,8 +1065,8 @@ >>>>>>>        <attribute name="statusId" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="description" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="templateDataResourceId" type="String" >>> mode="IN" optional="true"/> >>>>>>> -       <attribute name="articleData" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> -       <attribute name="summaryData" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="articleData" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>> +       <attribute name="summaryData" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="getBlogEntry" engine="simple" auth="true" >>>>>>> location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" >>> invoke="getBlogEntry"> >>>>>>> Modified: ofbiz/trunk/applications/content/servicedef/services_ >>> content.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> content/servicedef/services_content.xml?rev=1536324&r1= >>> 1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/content/servicedef/services_content.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/content/servicedef/services_content.xml Mon >>> Oct 28 12:12:43 2013 @@ -48,8 +48,8 @@ >>>>>>>        <attribute name="fromDate" type="Timestamp" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="sequenceNum" type="Long" mode="IN" >>> optional="true"/> >>>>>>>        <override name="contentTypeId" default-value="DOCUMENT"/> >>>>>>> -       <override name="contentName" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="contentName" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <service name="createTextAndUploadedContent" engine="simple" >>> auth="true" >>>>>>> @@ -131,8 +131,8 @@ >>>>>>>        <attribute mode="IN" name="displayFailCond" optional="true" >>> type="Boolean"/> >>>>>>>        <attribute mode="INOUT" name="roleTypeList" optional="true" >>> type="List"/> >>>>>>>        <!-- end of depricated fields --> >>>>>>> -       <override name="contentName" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="contentName" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <service name="updateTextContent" engine="group" auth="true"> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/content/servicedef/services_ >>> data.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> content/servicedef/services_data.xml?rev=1536324&r1= >>> 1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/content/servicedef/services_data.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/content/servicedef/services_data.xml Mon >>> Oct 28 12:12:43 2013 @@ -37,8 +37,8 @@ >>>>>>>        <attribute name="dataResourceId" type="String" mode="OUT" >>> optional="false"/> >>>>>>>        <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" >>> mode="OUT" optional="true"/> >>>>>>>        <attribute name="uploadedFile" type="java.nio.ByteBuffer" >>> mode="IN" optional="true"/> >>>>>>> -       <override name="objectInfo" allow-html="safe"/> >>>>>>> -       <override name="dataResourceName" allow-html="safe"/> >>>>>>> +       <override name="objectInfo" allow-html="any"/> >>>>>>> +       <override name="dataResourceName" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="createDataResourceAndAssocToContent" >>> default-entity-name="DataResource" engine="simple" >>>>>>> location="component://content/ >>> script/org/ofbiz/content/data/DataServices.xml" >>>>>>> invoke="createDataResourceAndAssocToContent" auth="true"> @@ -59,8 >>> +59,8 @@ >>>>>>>        <attribute name="skipPermissionCheck" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="dataResourceId" type="String" mode="OUT" >>> optional="false"/> >>>>>>>        <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" >>> mode="OUT" optional="true"/> >>>>>>> -       <override name="objectInfo" allow-html="safe"/> >>>>>>> -       <override name="dataResourceName" allow-html="safe"/> >>>>>>> +       <override name="objectInfo" allow-html="any"/> >>>>>>> +       <override name="dataResourceName" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="removeDataResource" engine="simple" >>> default-entity-name="DataResource" auth="true" >>>>>>> location="component://content/ >>> script/org/ofbiz/content/data/DataServices.xml" >>> invoke="deleteDataResource"> >>>>>>> @@ -90,7 +90,7 @@ >>>>>>>        <description>Create a DataResource and, possibly, >>> ElectronicText or ImageDataResource</description> >>>>>>>        <auto-attributes include="pk" mode="INOUT" optional="true"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <attribute name="textData" mode="IN" optional="true" >>> type="String" allow-html="safe"/> >>>>>>> +       <attribute name="textData" mode="IN" optional="true" >>> type="String" allow-html="any"/> >>>>>>>        <attribute name="targetOperationList" type="List" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="contentPurposeList" type="List" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="skipPermissionCheck" type="String" mode="IN" >>> optional="true"/> >>>>>>> @@ -100,7 +100,7 @@ >>>>>>>        <description>Create a DataResource and, possibly, >>> ElectronicText or ImageDataResource</description> >>>>>>>        <auto-attributes include="pk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <attribute name="textData" mode="IN" type="String" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="textData" mode="IN" type="String" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="targetOperationList" type="List" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="contentPurposeList" type="List" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="skipPermissionCheck" type="String" mode="IN" >>> optional="true"/> >>>>>>> @@ -115,7 +115,7 @@ >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <override name="dataResourceTypeId" default-value="ELECTRONIC_ >>> TEXT"/> >>>>>>> -       <override name="textData" allow-html="safe"/> >>>>>>> +       <override name="textData" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateElectronicText" default-entity-name="ElectronicText" >>> engine="simple" >>>>>>> location="component://content/ >>> script/org/ofbiz/content/data/DataServices.xml" >>> invoke="updateElectronicText" >>>>>>> auth="true"> @@ -124,7 +124,7 @@ >>>>>>>        <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <attribute name="contentId" mode="INOUT" optional="true" >>> type="String"/><!-- to optionaly know where this text is >>>>>>> belonging to --> - <override name="textData" >>> allow-html="safe"/> >>>>>>> +       <override name="textData" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="removeElectronicText" default-entity-name="ElectronicText" >>> engine="simple" >>>>>>> location="component://content/ >>> script/org/ofbiz/content/data/DataServices.xml" >>> invoke="removeElectronicText" >>>>>>> auth="true"> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/marketing/servicedef/services_ >>> opportunity.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> marketing/servicedef/services_opportunity.xml?rev=1536324& >>> r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml >>> Mon Oct 28 12:12:43 2013 @@ -78,9 +78,9 @@ under the >>>>>>>        License. </auto-attributes> >>>>>>>        <attribute name="accountPartyId" mode="IN" type="String" >>> optional="true"/> >>>>>>>        <attribute name="leadPartyId" mode="IN" type="String" >>> optional="true"/> >>>>>>> -       <override name="opportunityName" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> -       <override name="nextStep" allow-html="safe"/> >>>>>>> +       <override name="opportunityName" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>> +       <override name="nextStep" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateSalesOpportunity" engine="simple" >>> default-entity-name="SalesOpportunity" >>>>>>> location="component://order/script/org/ofbiz/order/ >>> opportunity/OpportunityServices.xml" invoke="updateSalesOpportunity"> >>>>>>> @@ -89,9 +89,9 @@ under the License. >>>>>>>        <auto-attributes mode="IN" include="nonpk" optional="true"/> >>>>>>>        <attribute name="accountPartyId" mode="IN" type="String" >>> optional="true"/> >>>>>>>        <attribute name="leadPartyId" mode="IN" type="String" >>> optional="true"/> >>>>>>> -       <override name="opportunityName" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> -       <override name="nextStep" allow-html="safe"/> >>>>>>> +       <override name="opportunityName" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>> +       <override name="nextStep" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="createSalesOpportunityRole" engine="simple" >>> default-entity-name="SalesOpportunityRole" >>>>>>> location="component://order/script/org/ofbiz/order/ >>> opportunity/OpportunityServices.xml" >>>>>>> invoke="createSalesOpportunityRole"> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/order/servicedef/services.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> order/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/order/servicedef/services.xml (original) >>> +++ ofbiz/trunk/applications/order/servicedef/services.xml >>>>>>> Mon Oct 28 12:12:43 2013 @@ -450,7 +450,7 @@ under the License. >>>>>>> location="org.ofbiz.order.order.OrderServices" >>> invoke="createOrderNote" auth="true"> >>>>>>> <description>Create a note item and associate with a order >>> header</description> >>>>>>>        <attribute name="orderId" type="String" mode="IN"/> >>>>>>> -       <attribute name="note" type="String" mode="IN" >>> allow-html="safe"/> >>>>>>> +       <attribute name="note" type="String" mode="IN" >>> allow-html="any"/> >>>>>>>        <attribute name="internalNote" type="String" mode="IN"/> >>>>>>>        <attribute name="noteName" type="String" mode="IN" >>> optional="true"/> >>>>>>>    </service> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/order/servicedef/services_ >>> quote.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> order/servicedef/services_quote.xml?rev=1536324&r1= >>> 1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/order/servicedef/services_quote.xml Mon Oct >>> 28 12:12:43 2013 @@ -255,7 +255,7 @@ under the License. >>>>>>> location="component://order/script/org/ofbiz/order/quote/QuoteServices.xml" >>> invoke="createQuoteNote" auth="true"> >>>>>>> <description>Create a note item and associate with a >>> quote</description> >>>>>>>        <attribute name="quoteId" type="String" mode="IN"/> >>>>>>> -       <attribute name="noteInfo" type="String" mode="IN" >>> allow-html="safe"/> >>>>>>> +       <attribute name="noteInfo" type="String" mode="IN" >>> allow-html="any"/> >>>>>>>        <attribute name="noteName" type="String" mode="IN" >>> optional="true"/> >>>>>>>    </service> >>>>>>> </services> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/order/servicedef/services_ >>> request.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> order/servicedef/services_request.xml?rev=1536324&r1= >>> 1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/order/servicedef/services_request.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/order/servicedef/services_request.xml Mon >>> Oct 28 12:12:43 2013 @@ -42,9 +42,9 @@ under the License. >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes include="all" mode="IN" >>> entity-name="CustRequestItem" optional="true"/> >>>>>>>        <attribute name="webSiteId" type="String" mode="IN" >>> optional="true"/><!-- for notification services --> >>>>>>> -       <override name="custRequestName" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> -       <override name="story" allow-html="safe"/> >>>>>>> +       <override name="custRequestName" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>> +       <override name="story" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateCustRequest" engine="simple" >>> default-entity-name="CustRequest" >>>>>>> location="component://order/script/org/ofbiz/order/ >>> request/CustRequestServices.xml" invoke="updateCustRequest" >>>>>>> auth="true"> @@ -52,10 +52,10 @@ under the License. >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <attribute name="oldStatusId" type="String" mode="OUT"/> >>>>>>> -       <attribute name="story" mode="IN" type="String" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="story" mode="IN" type="String" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="webSiteId" type="String" mode="IN" >>> optional="true"/><!-- for notification services --> >>>>>>> -       <override name="custRequestName" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="custRequestName" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <service name="deleteCustRequest" engine="simple" >>> default-entity-name="CustRequest" >>>>>>> @@ -86,16 +86,16 @@ under the License. >>>>>>>        <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <override name="custRequestItemSeqId" optional="true"/> >>>>>>> -       <override name="story" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="story" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateCustRequestItem" engine="simple" >>> default-entity-name="CustRequestItem" >>>>>>> location="component://order/script/org/ofbiz/order/ >>> request/CustRequestServices.xml" invoke="updateCustRequestItem" >>>>>>>        auth="true"> <description>Update a CustRequestItem >>> record</description> >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <override name="story" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="story" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="copyCustRequestItem" default-entity-name="CustRequestItem" >>> engine="simple" >>>>>>> location="component://order/script/org/ofbiz/order/ >>> request/CustRequestServices.xml" invoke="copyCustRequestItem" >>>>>>> auth="true"> @@ -129,7 +129,7 @@ under the License. >>>>>>> location="component://order/script/org/ofbiz/order/ >>> request/CustRequestServices.xml" invoke="createCustRequestNote" >>>>>>>        auth="true"> <description>Create a note for a >>> CustRequest</description> >>>>>>>        <attribute name="custRequestId" type="String" mode="IN" >>> optional="false"/> >>>>>>> -       <attribute name="noteInfo" type="String" mode="IN" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="noteInfo" type="String" mode="IN" >>> optional="false" allow-html="any"/> >>>>>>>        <attribute name="noteId" type="String" mode="OUT" >>> optional="false"/> >>>>>>>        <attribute name="fromPartyId" type="String" mode="OUT" >>> optional="true"/><!-- party to be notified --> >>>>>>>        <attribute name="custRequestName" type="String" mode="OUT" >>> optional="true"/><!-- for notification services --> >>>>>>> @@ -138,7 +138,7 @@ under the License. >>>>>>> location="component://order/script/org/ofbiz/order/ >>> request/CustRequestServices.xml" invoke="updateCustRequestNote" >>>>>>>        auth="true"> <description>Update CustRequest Note</description> >>>>>>>        <attribute name="custRequestId" type="String" mode="IN" >>> optional="false"/> >>>>>>> -       <attribute name="noteId" type="String" mode="IN" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="noteId" type="String" mode="IN" >>> optional="false" allow-html="any"/> >>>>>>>        <attribute name="noteInfo" type="String" mode="IN" >>> optional="true"/> >>>>>>>    </service> >>>>>>>    <service name="createCustRequestItemNote" engine="simple" >>>>>>> @@ -146,7 +146,7 @@ under the License. >>>>>>>        <description>Create a note for a CustRequestItem</description> >>>>>>>        <attribute name="custRequestId" type="String" mode="IN" >>> optional="false"/> >>>>>>>        <attribute name="custRequestItemSeqId" type="String" mode="IN" >>> optional="false"/> >>>>>>> -       <attribute name="note" type="String" mode="IN" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="note" type="String" mode="IN" >>> optional="false" allow-html="any"/> >>>>>>>        <attribute name="noteId" type="String" mode="OUT" >>> optional="false"/> >>>>>>>        <attribute name="partyId" type="String" mode="INOUT" >>> optional="true"/><!-- party who created the note --> >>>>>>>        <attribute name="fromPartyId" type="String" mode="OUT" >>> optional="true"/><!-- party to be notified --> >>>>>>> @@ -178,7 +178,7 @@ under the License. >>>>>>>        <description>Set the Customer Request Status</description> >>>>>>>        <attribute name="custRequestId" type="String" mode="INOUT" >>> optional="false"/> >>>>>>>        <attribute name="statusId" type="String" mode="IN" >>> optional="false"/> >>>>>>> -       <attribute name="reason" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="reason" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="oldStatusId" type="String" mode="OUT" >>> optional="true"/> >>>>>>>        <attribute name="fromPartyId" type="String" mode="OUT" >>> optional="true"/><!-- for notification services --> >>>>>>>        <attribute name="custRequestName" type="String" mode="OUT" >>> optional="true"/><!-- for notification services --> >>>>>>> @@ -192,9 +192,9 @@ under the License. >>>>>>>        <attribute name="custRequestId" mode="IN" type="String" >>> optional="true"/> >>>>>>>        <attribute name="custRequestId" mode="OUT" type="String" >>> optional="false"/> >>>>>>>        <attribute name="custRequestTypeId" mode="IN" type="String" >>> optional="true"/> >>>>>>> -       <attribute name="custRequestName" mode="IN" type="String" >>> optional="true" allow-html="safe"/> >>>>>>> -       <attribute name="story" mode="IN" type="String" >>> optional="true" allow-html="safe"/> >>>>>>> -       <override name="content" allow-html="safe"/> >>>>>>> +       <attribute name="custRequestName" mode="IN" type="String" >>> optional="true" allow-html="any"/> >>>>>>> +       <attribute name="story" mode="IN" type="String" >>> optional="true" allow-html="any"/> >>>>>>> +       <override name="content" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <!-- custRequest content services --> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/party/servicedef/services.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> party/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/party/servicedef/services.xml (original) >>> +++ ofbiz/trunk/applications/party/servicedef/services.xml >>>>>>> Mon Oct 28 12:12:43 2013 @@ -120,7 +120,7 @@ under the License. >>>>>>>        <attribute name="externalId" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="statusId" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <override name="groupName" optional="false"/> >>>>>>> -       <override name="comments" allow-html="safe"/> >>>>>>> +       <override name="comments" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updatePartyGroup" engine="java" >>> default-entity-name="PartyGroup" >>>>>>> location="org.ofbiz.party.party.PartyServices" >>> invoke="updatePartyGroup" auth="true"> >>>>>>> @@ -133,7 +133,7 @@ under the License. >>>>>>>        <attribute name="preferredCurrencyUomId" type="String" >>> mode="IN" optional="true"/> >>>>>>>        <attribute name="externalId" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="statusId" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <override name="comments" allow-html="safe"/> >>>>>>> +       <override name="comments" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <service name="savePartyNameChange" engine="simple" >>>>>>> @@ -379,7 +379,7 @@ under the License. >>>>>>>        <description>create a company/contact relationship and add the >>> related roles</description> >>>>>>>        <attribute name="accountPartyId" type="String" mode="IN"/> >>>>>>>        <attribute name="contactPartyId" type="String" mode="IN"/> >>>>>>> -       <attribute name="comments" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="comments" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <!-- ContactMech services --> >>>>>>> @@ -768,9 +768,9 @@ under the License. >>>>>>>        <attribute name="custRequestId" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="action" type="String" mode="IN" >>> optional="true"/><!-- to indicate any special action like: REPLY, >>>>>>>        REPLYALL, FORWARD or empty for no special action--> <override >>> name="headerString" allow-html="any"/> >>>>>>> -       <override name="content" allow-html="safe"/> >>>>>>> -       <override name="messageId" allow-html="safe"/> >>>>>>> -       <override name="subject" allow-html="safe"/> >>>>>>> +       <override name="content" allow-html="any"/> >>>>>>> +       <override name="messageId" allow-html="any"/> >>>>>>> +       <override name="subject" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="createCommunicationEvent" engine="simple" >>>>>>> location="component://party/script/org/ofbiz/party/ >>> communication/CommunicationEventServices.xml" >>>>>>> invoke="createCommunicationEventWithPermission" auth="true"> @@ >>> -792,9 +792,9 @@ under the License. >>>>>>>        <auto-attributes entity-name="CommunicationEvent" >>> include="nonpk" mode="IN" optional="true"/> >>>>>>>        <attribute name="contactMechPurposeTypeIdFrom" type="String" >>> mode="IN" optional="true"><description>Set a specific >>>>>>>        purpose for the originator email</description></attribute> >>> <attribute name="oldStatusId" type="String" mode="OUT" >>>>>>> optional="true"/> >>>>>>> -       <override name="messageId" allow-html="safe"/> >>>>>>> -       <override name="content" allow-html="safe"/> >>>>>>> -       <override name="subject" allow-html="safe"/> >>>>>>> +       <override name="messageId" allow-html="any"/> >>>>>>> +       <override name="content" allow-html="any"/> >>>>>>> +       <override name="subject" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="deleteCommunicationEvent" engine="simple" >>>>>>> location="component://party/script/org/ofbiz/party/ >>> communication/CommunicationEventServices.xml" >>>>>>> invoke="deleteCommunicationEvent" auth="true"> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/product/servicedef/services.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> product/servicedef/services.xml?rev=1536324&r1=1536323&r2= >>> 1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/product/servicedef/services.xml (original) >>> +++ >>>>>>> ofbiz/trunk/applications/product/servicedef/services.xml Mon Oct 28 >>> 12:12:43 2013 @@ -34,8 +34,8 @@ under the License. >>>>>>>            <exclude field-name="lastModifiedDate"/> >>>>>>>            <exclude field-name="lastModifiedByUserLogin"/> >>>>>>>        </auto-attributes> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> -       <override name="longDescription" allow-html="safe"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>> +       <override name="longDescription" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="createProduct" default-entity-name="Product" >>> engine="simple" >>>>>>> location="component://product/ >>> script/org/ofbiz/product/product/ProductServices.xml" >>> invoke="createProduct" >>>>>>> auth="true"> @@ -70,8 +70,8 @@ under the License. >>>>>>>        <attribute name="oldProductId" type="String" mode="IN" >>> optional="false"/> >>>>>>>        <attribute name="newInternalName" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="newProductName" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="newDescription" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> -       <attribute name="newLongDescription" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="newDescription" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>> +       <attribute name="newLongDescription" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="duplicatePrices" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="duplicateIDs" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="duplicateContent" type="String" mode="IN" >>> optional="true"/> >>>>>>> @@ -392,7 +392,7 @@ under the License. >>>>>>>        <auto-attributes mode="IN" entity-name="Content" >>> optional="true"/> >>>>>>>        <attribute name="subject" type="String" mode="IN" >>> optional="false"/> >>>>>>>        <attribute name="plainBody" type="String" mode="IN" >>> optional="false"/> >>>>>>> -       <attribute name="htmlBody" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="htmlBody" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>        <override name="contentId" optional="true" mode="INOUT"/> >>>>>>>    </service> >>>>>>>    <service name="updateEmailContentForProduct" default-entity-name="ProductContent" >>> engine="simple" >>>>>>> @@ -405,7 +405,7 @@ under the License. >>>>>>>        <attribute name="plainBodyDataResourceId" type="String" >>> mode="IN" optional="true"/> >>>>>>>        <attribute name="plainBody" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="htmlBodyDataResourceId" type="String" >>> mode="IN" optional="true"/> >>>>>>> -       <attribute name="htmlBody" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="htmlBody" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="createDownloadContentForProduct" >>> default-entity-name="ProductContent" engine="simple" >>>>>>> location="component://product/script/org/ofbiz/product/ >>> product/ProductContentServices.xml" >>>>>>> invoke="createDownloadContentForProduct" auth="true"> @@ -431,7 >>> +431,7 @@ under the License. >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes entity-name="Content" include="nonpk" >>> mode="IN" optional="true"/> >>>>>>> -       <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="any"/> >>>>>>>        <override name="contentId" optional="true"/> >>>>>>>        <override name="fromDate" optional="true"/> >>>>>>>    </service> >>>>>>> @@ -441,13 +441,13 @@ under the License. >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes mode="IN" entity-name="Content" >>> optional="true"/> >>>>>>>        <attribute name="textDataResourceId" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="text" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="text" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <service name="createSimpleTextContentForAlternateLocale" >>> engine="simple" >>>>>>> location="component://product/script/org/ofbiz/product/ >>> product/ProductContentServices.xml" >>>>>>> invoke="createSimpleTextContentForAlternateLocale"> >>> <auto-attributes mode="IN" entity-name="Content" optional="true"/> >>>>>>> <attribute name="mainContentId" type="String" mode="IN" >>> optional="false"/> -       <attribute name="text" type="String" >>>>>>> mode="IN" optional="false" allow-html="safe"/> +       <attribute >>> name="text" type="String" mode="IN" optional="false" >>>>>>>        allow-html="any"/> <override name="localeString" >>> optional="false"/> >>>>>>>        <override name="contentId" mode="INOUT"/> >>>>>>>    </service> >>>>>>> @@ -967,7 +967,7 @@ under the License. >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes entity-name="Content" include="nonpk" >>> mode="IN" optional="true"/> >>>>>>> -       <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="any"/> >>>>>>>        <override name="contentId" optional="true"/> >>>>>>>        <override name="fromDate" optional="true"/> >>>>>>>    </service> >>>>>>> @@ -977,7 +977,7 @@ under the License. >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes entity-name="Content" include="nonpk" >>> mode="IN" optional="true"/> >>>>>>>        <attribute name="textDataResourceId" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="text" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="text" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <service name="updateContentSEOForCategory" engine="simple" >>>>>>> @@ -1201,7 +1201,7 @@ under the License. >>>>>>>        <auto-attributes include="pk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes mode="IN" entity-name="Content" >>> optional="true"/> >>>>>>> -       <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="text" type="String" mode="IN" >>> optional="false" allow-html="any"/> >>>>>>>        <override name="contentId" optional="true"/> >>>>>>>    </service> >>>>>>>    <service name="updateSimpleTextContentForProductConfigItem" >>> default-entity-name="ProdConfItemContent" engine="simple" >>>>>>> @@ -1210,7 +1210,7 @@ under the License. >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <auto-attributes mode="IN" entity-name="Content" >>> optional="true"/> >>>>>>>        <attribute name="textDataResourceId" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="text" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="text" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="getProductFeaturesByType" engine="java" >>>>>>> location="org.ofbiz.product.feature.ProductFeatureServices" >>> invoke="getProductFeaturesByType"> >>>>>>> Modified: ofbiz/trunk/applications/product/servicedef/services_ >>> pricepromo.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> product/servicedef/services_pricepromo.xml?rev=1536324&r1= >>> 1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml >>> Mon Oct 28 12:12:43 2013 @@ -138,7 +138,7 @@ under the >>>>>>>            License. <exclude field-name="lastModifiedByUserLogin"/> >>>>>>>        </auto-attributes> >>>>>>>        <override name="promoName" optional="false"/> >>>>>>> -       <override name="promoText" allow-html="safe"/> >>>>>>> +       <override name="promoText" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateProductPromo" default-entity-name="ProductPromo" >>> engine="simple" >>>>>>> location="component://product/ >>> script/org/ofbiz/product/promo/PromoServices.xml" >>> invoke="updateProductPromo" >>>>>>> auth="true"> @@ -150,7 +150,7 @@ under the License. >>>>>>>            <exclude field-name="lastModifiedDate"/> >>>>>>>            <exclude field-name="lastModifiedByUserLogin"/> >>>>>>>        </auto-attributes> >>>>>>> -       <override name="promoText" allow-html="safe"/> >>>>>>> +       <override name="promoText" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="deleteProductPromo" default-entity-name="ProductPromo" >>> engine="simple" >>>>>>> location="component://product/ >>> script/org/ofbiz/product/promo/PromoServices.xml" >>> invoke="deleteProductPromo" >>>>>>> auth="true"> >>>>>>> >>>>>>> Modified: ofbiz/trunk/applications/workeffort/servicedef/services.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/ >>> workeffort/servicedef/services.xml?rev=1536324&r1= >>> 1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml >>> (original) +++ >>>>>>> ofbiz/trunk/applications/workeffort/servicedef/services.xml Mon Oct >>> 28 12:12:43 2013 @@ -35,8 +35,8 @@ under the License. >>>>>>>            <exclude field-name="lastModifiedDate"/> >>>>>>>            <exclude field-name="lastModifiedByUserLogin"/> >>>>>>>        </auto-attributes> >>>>>>> -       <override name="workEffortName" allow-html="safe"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="workEffortName" allow-html="any"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="createWorkEffort" default-entity-name="WorkEffort" >>> engine="simple" >>>>>>> location="component://workeffort/script/org/ofbiz/ >>> workeffort/workeffort/WorkEffortSimpleServices.xml" >>>>>>> invoke="createWorkEffort"> @@ -50,9 +50,9 @@ under the License. >>>>>>>        <attribute name="communicationEventId" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="webSiteId" type="String" mode="IN" >>> optional="true"/><!-- for notification services --> >>>>>>>        <override name="workEffortTypeId" optional="false"/> >>>>>>> -       <override name="workEffortName" optional="false" >>> allow-html="safe"/> >>>>>>> +       <override name="workEffortName" optional="false" >>> allow-html="any"/> >>>>>>>        <override name="currentStatusId" optional="false"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="createWorkEffortAndPartyAssign" >>> default-entity-name="WorkEffort" engine="simple" >>>>>>> location="component://workeffort/script/org/ofbiz/ >>> workeffort/workeffort/WorkEffortSimpleServices.xml" >>>>>>> invoke="createWorkEffortAndPartyAssign"> @@ -429,7 +429,7 @@ under >>> the License. >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false" >>> entity-name="CustRequestWorkEffort"/> >>>>>>>        <auto-attributes include="all" mode="IN" optional="true" >>> entity-name="CustRequest"/> >>>>>>>        <override name="custRequestId" optional="true" mode="INOUT"/> >>>>>>> -       <override name="description" allow-html="safe"/> >>>>>>> +       <override name="description" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="deleteWorkEffortRequest" engine="simple" >>>>>>> location="component://workeffort/script/org/ofbiz/ >>> workeffort/workeffort/WorkEffortSimpleServices.xml" >>>>>>> invoke="deleteWorkEffortRequest" auth="true"> <description>Deletes a >>> CustRequestWorkEffort</description> >>>>>>> Modified: ofbiz/trunk/framework/common/servicedef/services.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/ >>> servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/framework/common/servicedef/services.xml (original) +++ >>> ofbiz/trunk/framework/common/servicedef/services.xml Mon >>>>>>> Oct 28 12:12:43 2013 @@ -63,7 +63,7 @@ under the License. >>>>>>>        <description>Create a new note record</description> >>>>>>>        <attribute name="partyId" type="String" mode="INOUT" >>> optional="true"/> >>>>>>>        <attribute name="noteName" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="note" type="String" mode="IN" >>> allow-html="safe"/> >>>>>>> +       <attribute name="note" type="String" mode="IN" >>> allow-html="any"/> >>>>>>>        <attribute name="noteId" type="String" mode="OUT"/> >>>>>>>    </service> >>>>>>> >>>>>>> @@ -72,7 +72,7 @@ under the License. >>>>>>>        <description>Update a note record</description> >>>>>>>        <auto-attributes include="pk" mode="INOUT" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>> -       <override name="noteInfo" allow-html="safe"/> >>>>>>> +       <override name="noteInfo" allow-html="any"/> >>>>>>>    </service> >>>>>>> >>>>>>>    <service name="adjustDebugLevels" engine="java" >>>>>>> @@ -109,7 +109,7 @@ under the License. >>>>>>>        <auto-attributes include="pk" mode="OUT" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <override name="enumTypeId" optional="false"/> >>>>>>> -       <override name="description" optional="false" >>> allow-html="safe"/> >>>>>>> +       <override name="description" optional="false" >>> allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="updateEnumeration" default-entity-name="Enumeration" >>> engine="simple" >>>>>>> location="component://common/script/org/ofbiz/common/EnumerationServices.xml" >>> invoke="updateEnumeration" auth="true"> >>>>>>> @@ -118,7 +118,7 @@ under the License. >>>>>>>        <auto-attributes include="pk" mode="IN" optional="false"/> >>>>>>>        <auto-attributes include="nonpk" mode="IN" optional="true"/> >>>>>>>        <override name="enumTypeId" optional="false"/> >>>>>>> -       <override name="description" optional="false" >>> allow-html="safe"/> >>>>>>> +       <override name="description" optional="false" >>> allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="deleteEnumeration" default-entity-name="Enumeration" >>> engine="entity-auto" invoke="delete" auth="true"> >>>>>>> <description>Delete a Enumeration</description> >>>>>>> >>>>>>> Modified: ofbiz/trunk/framework/common/servicedef/services_email.xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/ >>> servicedef/services_email.xml?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/framework/common/servicedef/services_email.xml >>> (original) +++ >>>>>>> ofbiz/trunk/framework/common/servicedef/services_email.xml Mon Oct >>> 28 12:12:43 2013 @@ -42,7 +42,7 @@ under the License. >>>>>>>        <attribute name="sendFailureNotification" mode="IN" >>> type="Boolean" optional="true"/> >>>>>>>        <attribute name="sendPartial" mode="IN" type="Boolean" >>> optional="true"/> >>>>>>>        <attribute name="startTLSEnabled" mode="IN" type="Boolean" >>> optional="true"/> >>>>>>> -       <attribute name="subject" type="String" mode="INOUT" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="subject" type="String" mode="INOUT" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="contentType" type="String" mode="INOUT" >>> optional="true"/> >>>>>>>        <attribute name="partyId" type="String" mode="INOUT" >>> optional="true"/> >>>>>>>        <attribute name="messageId" type="String" mode="INOUT" >>> optional="true"/> >>>>>>> @@ -56,7 +56,7 @@ under the License. >>>>>>>    <service name="sendMailOnePartInterface" engine="interface" >>> location="" invoke=""> >>>>>>> <description>Interface service for sendMail* >>> services.</description> >>>>>>>        <implements service="sendMailInterface"/> >>>>>>> -       <attribute name="body" type="String" mode="INOUT" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="body" type="String" mode="INOUT" >>> optional="false" allow-html="any"/> >>>>>>>        <override name="contentType" mode="INOUT"/> >>>>>>>        <override name="subject" mode="INOUT" optional="false"/> >>>>>>>        <override name="emailType" type="String" mode="INOUT" >>> optional="true"/> >>>>>>> @@ -98,12 +98,12 @@ under the License. >>>>>>>        <implements service="sendMailInterface"/> >>>>>>>        <attribute name="bodyUrl" type="String" mode="IN" >>> optional="false"/> >>>>>>>        <attribute name="bodyUrlParameters" type="Map" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="body" type="String" mode="OUT" >>> optional="false" allow-html="safe"/> >>>>>>> +       <attribute name="body" type="String" mode="OUT" >>> optional="false" allow-html="any"/> >>>>>>>    </service> >>>>>>>    <service name="sendMailFromScreenInterface" engine="interface" >>> location="" invoke=""> >>>>>>> <description>Interface service for E-Mail sent From Screen >>> Widget</description> >>>>>>>        <implements service="sendMailInterface"/> >>>>>>> -       <attribute name="bodyText" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="bodyText" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="bodyScreenUri" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="xslfoAttachScreenLocation" type="String" >>> mode="IN" optional="true"/> >>>>>>>        <attribute name="attachmentName" type="String" mode="IN" >>> optional="true"/> >>>>>>> @@ -132,7 +132,7 @@ under the License. >>>>>>>        <implements service="sendMailInterface"/> >>>>>>>        <attribute name="emailTemplateSettingId" type="String" >>> mode="IN" optional="false"/> >>>>>>>        <attribute name="partyIdTo" type="String" mode="IN" >>> optional="true"/> >>>>>>> -       <attribute name="bodyText" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="bodyText" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="attachmentName" type="String" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="bodyParameters" type="Map" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="webSiteId" type="String" mode="IN" >>> optional="true"/> >>>>>>> @@ -143,8 +143,8 @@ under the License. >>>>>>>            location="" invoke=""> >>>>>>>        <description>Send Template Based Notification >>> Service</description> >>>>>>>        <implements service="sendMailInterface"/> >>>>>>> -       <attribute name="body" type="String" mode="INOUT" >>> optional="true" allow-html="safe"/> >>>>>>> -       <attribute name="baseUrl" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="body" type="String" mode="INOUT" >>> optional="true" allow-html="any"/> >>>>>>> +       <attribute name="baseUrl" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="templateName" type="String" mode="IN" >>> optional="false"/> >>>>>>>        <attribute name="templateData" type="Map" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="webSiteId" type="String" mode="IN" >>> optional="true"/> >>>>>>> @@ -153,7 +153,7 @@ under the License. >>>>>>>            location="" invoke=""> >>>>>>>        <description>Send Template Based Notification >>> Service</description> >>>>>>>        <implements service="prepareNotificationInterface"/> >>>>>>> -       <attribute name="body" type="String" mode="IN" >>> optional="true" allow-html="safe"/> >>>>>>> +       <attribute name="body" type="String" mode="IN" >>> optional="true" allow-html="any"/> >>>>>>>        <attribute name="templateName" type="String" mode="IN" >>> optional="false"/> >>>>>>>        <attribute name="templateData" type="Map" mode="IN" >>> optional="true"/> >>>>>>>        <attribute name="webSiteId" type="String" mode="IN" >>> optional="true"/> >>>>>>> Modified: ofbiz/trunk/framework/service/dtd/services.xsd >>>>>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ >>> dtd/services.xsd?rev=1536324&r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================ >>> ================== >>>>>>> --- ofbiz/trunk/framework/service/dtd/services.xsd (original) >>>>>>> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Oct 28 >>> 12:12:43 2013 >>>>>>> @@ -106,6 +106,7 @@ under the License. >>>>>>>                    If set to true and there is a transaction already >>> in place the Service Engine will suspend that transaction, >>>>>>>                    begin a new one just for this service, commit or >>> rollback the local transaction when the service is >>>>>>>                    complete, and will resume the original >>> transaction. If set to true and there is no transaction already in >>>>>>> place it will just begin a transaction and manage it as would be done >>> for a normal user-transaction=true. If >>>>>>> use-transaction=false this setting is ignored. + >>>               Beware: using require-new-transaction=true >>>>>>>            in a service called (maybe not directly) by a pre-invoke >>> or earlier event ( preprocessor, firstvisit and so on) is >>>>>>>            not yet supported. </xs:documentation> </xs:annotation> >>> <xs:simpleType> >>>>>>> @@ -348,11 +349,18 @@ under the License. >>>>>>>            </xs:simpleType> >>>>>>>        </xs:attribute> >>>>>>>        <xs:attribute name="allow-html" use="optional" default="none"> >>>>>>> - <xs:annotation><xs:documentation>See the documentation >>> on the allow-html attribute of the "attribute" >>>>>>> element.</xs:documentation></xs:annotation> + >>> <xs:annotation> >>>>>>> + <xs:documentation> >>>>>>> +                   Applies only to String fields. >>>>>>> +                   Only checked for incoming parameters/attributes >>> (could change in the future, but this is meant for >>>>>>> validating input from users, other systems, etc). + >>>   Defaults to "none" meaning no HTML is allowed (will >>>>>>> result in an error message). +                   If some HTML is >>> desired then use "any". >>>>>>> +                   There was previously "safe" but it's deprecated >>>>>>> +               </xs:documentation> >>>>>>> +           </xs:annotation> >>>>>>>            <xs:simpleType> >>>>>>>                <xs:restriction base="xs:token"> >>>>>>>                    <xs:enumeration value="any"/> >>>>>>> -                   <xs:enumeration value="safe"/> >>>>>>>                    <xs:enumeration value="none"/> >>>>>>>                </xs:restriction> >>>>>>>            </xs:simpleType> >>>>>>> @@ -424,13 +432,12 @@ under the License. >>>>>>>                Applies only to String fields. >>>>>>>                Only checked for incoming parameters/attributes (could >>> change in the future, but this is meant for validating >>>>>>>                input from users, other systems, etc). Defaults to >>> "none" meaning no HTML is allowed (will result in an error >>>>>>> message). >>>>>>> -               If some HTML is desired then use "safe" which will >>> follow the rules in the antisamy-esapi.xml file. This >>>>>>> should be safe for both internal and public users. >>>>>>> -               In rare cases when users are trusted or it is not a >>> sensitive field the "any" option may be used to not check >>>>>>> the HTML content at all. +               If some HTML is desired >>> then use "any". >>>>>>> +               There was previously "safe" but it's deprecated >>>>>>> </xs:documentation></xs:annotation> >>>>>>>            <xs:simpleType> >>>>>>>                <xs:restriction base="xs:token"> >>>>>>>                    <xs:enumeration value="any"/> >>>>>>> -                   <xs:enumeration value="safe"/> >>>>>>>                    <xs:enumeration value="none"/> >>>>>>>                </xs:restriction> >>>>>>>            </xs:simpleType> >>>>>>> @@ -477,11 +484,18 @@ under the License. >>>>>>>            </xs:simpleType> >>>>>>>        </xs:attribute> >>>>>>>        <xs:attribute name="allow-html" use="optional"> >>>>>>> - <xs:annotation><xs:documentation>See the documentation >>> on the allow-html attribute of the "attribute" element. >>>>>>> Note that it is slightly different here as there is no >>> defualt.</xs:documentation></xs:annotation> +           <xs:annotation> >>>>>>> + <xs:documentation> >>>>>>> +                   Applies only to String fields. >>>>>>> +                   Only checked for incoming parameters/attributes >>> (could change in the future, but this is meant for >>>>>>> validating input from users, other systems, etc). + >>>   There is no default, "none" means no HTML is allowed >>>>>>> (will result in an error message). +                   If some HTML >>> is desired then use "any". >>>>>>> +                   There was previously "safe" but it's deprecated >>>>>>> +               </xs:documentation> >>>>>>> +           </xs:annotation> >>>>>>>            <xs:simpleType> >>>>>>>                <xs:restriction base="xs:token"> >>>>>>>                    <xs:enumeration value="any"/> >>>>>>> -                   <xs:enumeration value="safe"/> >>>>>>>                    <xs:enumeration value="none"/> >>>>>>>                </xs:restriction> >>>>>>>            </xs:simpleType> >>>>>>> >>>>>>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ >>> ModelService.java >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/ >>> src/org/ofbiz/service/ModelService.java?rev=1536324& >>> r1=1536323&r2=1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >>> (original) +++ >>>>>>> ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java >>> Mon Oct 28 12:12:43 2013 @@ -575,18 +575,12 @@ public >>>>>>>        class ModelService extends Abstra // required and type >>> validation complete, do allow-html validation >>>>>>>        if ("IN".equals(mode)) { >>>>>>>            List<String> errorMessageList = FastList.newInstance(); >>>>>>> -           for (ModelParam modelParam: this.contextInfo.values()) { >>>>>>> -               if (context.get(modelParam.name) != null && >>>>>>> - ("String".equals(modelParam.type) || >>> "java.lang.String".equals(modelParam.type)) && >>>>>>> - !"any".equals(modelParam.allowHtml) && >>>>>>> - ("INOUT".equals(modelParam.mode) || >>> "IN".equals(modelParam.mode))) { >>>>>>> -                   // the param is a String, allow-html is none or >>> safe, and we are looking at an IN parameter during input >>>>>>> parameter validation +           for (ModelParam modelParam : >>> this.contextInfo.values()) { >>>>>>> +               // the param is a String, allow-html is not any, and >>> we are looking at an IN parameter during input parameter >>>>>>> validation +               if (context.get(modelParam.name) != null >>> && ("String".equals(modelParam.type) || >>>>>>> "java.lang.String".equals(modelParam.type)) + >>> && !"any".equals(modelParam.allowHtml) && >>>>>>> ("INOUT".equals(modelParam.mode) || >>> "IN".equals(modelParam.mode))) { String value = (String) >>>>>>> context.get(modelParam.name); >>>>>>> -                   if ("none".equals(modelParam.allowHtml)) { >>>>>>> - StringUtil.checkStringForHtmlStrictNone(modelParam.name, >>> value, errorMessageList); >>>>>>> -                   } else if ("safe".equals(modelParam.allowHtml)) >>> { >>>>>>> - StringUtil.checkStringForHtmlSafeOnly(modelParam.name, >>> value, errorMessageList); >>>>>>> -                   } >>>>>>> + StringUtil.checkStringForHtmlStrictNone(modelParam.name, >>> value, errorMessageList); >>>>>>>                } >>>>>>>            } >>>>>>>            if (errorMessageList.size() > 0) { >>>>>>> >>>>>>> Modified: ofbiz/trunk/specialpurpose/ebaystore/servicedef/services. >>> xml >>>>>>> URL: >>>>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ >>> ebaystore/servicedef/services.xml?rev=1536324&r1=1536323&r2= >>> 1536324&view=diff >>>>>>> ============================================================================== >>> --- >>>>>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml >>> (original) +++ >>>>>>> ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml Mon Oct >>> 28 12:12:43 2013 @@ -491,7 +491,7 @@ under the License. >>>>>>>        <attribute name="itemId" mode="IN" type="String" >>> optional="false"/> >>>>>>>        <attribute name="listingType" mode="IN" type="String" >>> optional="true"/> >>>>>>>        <attribute name="title" mode="IN" type="String" >>> optional="true"/> >>>>>>> -       <attribute name="description" mode="IN" type="String" >>> allow-html="safe"/> >>>>>>> +       <attribute name="description" mode="IN" type="String" >>> allow-html="any"/> >>>>>>>        <attribute name="price" mode="IN" type="String" >>> optional="true"/> >>>>>>>        <attribute name="currencyId" mode="IN" type="String" >>> optional="true"/> >>>>>>>        <attribute mode="IN" name="imageData" optional="true" >>> type="java.nio.ByteBuffer"/> >>> > |
Free forum by Nabble | Edit this page |