Thanks David,
I saw you have used such a solution for other cases. I should have thought about that Jacques From: <[hidden email]> > Author: jonesde > Date: Mon Feb 9 02:34:23 2009 > New Revision: 742234 > > URL: http://svn.apache.org/viewvc?rev=742234&view=rev > Log: > Fixed issue with general html encoding of String objects in FTL files being applied to dynamic JavaScript from groovy files by > leaving them as StringBuffers, ie just removing the toString calls > > Modified: > ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy > ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy > ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl > > Modified: ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy?rev=742234&r1=742233&r2=742234&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy (original) > +++ ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy Mon Feb 9 02:34:23 > 2009 
> @@ -303,7 +303,7 @@ > jsBuf.append(variantPriceJS.toString()); > jsBuf.append("</script>"); > > - context.virtualJavaScript = jsBuf.toString(); > + context.virtualJavaScript = jsBuf; > } > } > } > > Modified: ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy?rev=742234&r1=742233&r2=742234&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy (original) > +++ ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy Mon Feb 9 02:34:23 2009 > @@ -375,7 +375,7 @@ > jsBuf.append(variantPriceJS.toString()); > jsBuf.append("</script>"); > > - context.virtualJavaScript = jsBuf.toString(); > + context.virtualJavaScript = jsBuf; > } > } > } > > Modified: ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl?rev=742234&r1=742233&r2=742234&view=diff > ============================================================================== > --- ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl (original) > +++ ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl Mon Feb 9 02:34:23 2009 > @@ -37,7 +37,6 @@ > <link rel="stylesheet" href="<@ofbizContentUrl>${styleSheet}</@ofbizContentUrl>" type="text/css"/> > </#list> > </#if> > - ${layoutSettings?if_exists.extraHead?if_exists} > > <#-- Append CSS for catalog --> > <#if catalogStyleSheet?exists> > > |
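Review bot: In InlineProductDetail.groovy at `context.virtualJavaScript = jsBuf;`, skipping the template's HTML encoding now depends only on the value being a StringBuffer rather than a String, and nothing on the line says so. Add a comment stating that the type is deliberate, so a later cleanup that restores `toString()` does not bring the encoding problem back. Because the buffer now reaches the FTL output unencoded, also confirm that what is appended to it, such as `variantPriceJS` just above, is escaped for a JavaScript context if it carries data-derived values.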
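Review bot: In ProductDetail.groovy the assignment `context.virtualJavaScript = jsBuf;` is the same edit, with the same surrounding lines, as in InlineProductDetail.groovy. With the unencoded hand-off now duplicated in two scripts, consider moving the script assembly into one shared helper so the encoding exemption is documented and reviewed in a single place.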
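Review bot: In Header.ftl the removal of `${layoutSettings?if_exists.extraHead?if_exists}` is not covered by the log message, which only describes the StringBuffer change in the groovy files. State in the log why the line goes away and whether webpos pages that set `extraHead` need a replacement, since that content is no longer emitted at this point in the header.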
No problem. I hope everyone's in favor of these painful changes I'm working on. They'll definitely have side effects and break things as we restrict various things, for the sake of security.

Whatever the case, I'll be around to help pick up the pieces and resolve issues that I miss in testing based on these changes.

On a side note, I wish we had done this a LONG time ago as it would make things less painful with less code and functionality in the project. Oh well, better late than never. This is taking a lot longer to do than I thought, and I'm having to try all sorts of different things before finding things that are effective and don't break too much. In other words, I'm understanding better why no one else has taken the plunge for this yet... :( I only wish some end-user was willing to pay for this sort of thing, but I guess most business people get upset about security after the fact more than they get worried about it in advance.

Hopefully it doesn't screw up too much stuff and results in far cleaner and safer code... it seems to be heading in that direction at least.

-David

On Feb 9, 2009, at 1:09 AM, Jacques Le Roux wrote:
> Thanks David,
>
> I saw you have used such a solution for other cases. I should have
> thought about that
>
> Jacques
Hi David,
I highly appreciate the work you are doing in this area. If you would not be there, I do not know when it would be done (if ever).

Thanks again,
Hans

On Mon, 2009-02-09 at 01:37 -0700, David E Jones wrote:
> No problem. I hope everyone's in favor of these painful changes I'm
> working on. They'll definitely have side effects and break things as
> we restrict various things, for the sake of security.
>
> Whatever the case, I'll be around to help pick up the pieces and
> resolve issues that I miss in testing based on these changes.
>
> On a side note, I wish we had done this a LONG time ago as it would
> make things less painful with less code and functionality in the
> project. Oh well, better late than never. This is taking a lot longer
> to do than I thought, and I'm having to try all sorts of different
> things before finding things that are effective and don't break too
> much. In other words, I'm understanding better why no one else has
> taken the plunge for this yet... :( I only wish some end-user was
> willing to pay for this sort of thing, but I guess most business
> people get upset about security after the fact more than they get
> worried about it in advance.
>
> Hopefully it doesn't screw up too much stuff and results in far
> cleaner and safer code... it seems to be heading in that direction at
> least.
>
> -David
>
>
> On Feb 9, 2009, at 1:09 AM, Jacques Le Roux wrote:
>
> > Thanks David,
> >
> > I saw you have used such a solution for other cases. I should have
> > thought about that
> >
> > Jacques
-- http://www.antwebsystems.com : Quality OFBiz support for competitive rates....