Render HTML markup in Freemarker
Locked
 
|
Hi everybody,
I am trying to display text content with embedded HTML markup tags: <p>Test</p> I tried ${productContentWrapper.get("DESCRIPTION","html") ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html")) For some reason it does print the text including the markup tags. I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration. Thanks for any hint. Best regards Ingo |
Re: Render HTML markup in Freemarker
Administrator
|
This is due to https://issues.apache.org/jira/browse/OFBIZ-6669
I see only one solution: use also the content.sanitize properties from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded). This also means that you are then assuming your code is sensible to possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing. I will code that soon... Jacques Le 06/11/2015 13:56, Ingo Wolfmayr a écrit : > Hi everybody, > > I am trying to display text content with embedded HTML markup tags: > > <p>Test</p> > > I tried > ${productContentWrapper.get("DESCRIPTION","html") > ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html")) > > For some reason it does print the text including the markup tags. > > I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration. > > Thanks for any hint. > Best regards > Ingo > |
|
|
Hi Jacques,
thanks for the quick answer. Just for me to understand :) : I have the following content from DB: <p>Test</p> Shouldn't the sanatizer remove/sanatize tags that are not in the allow policy? So from my understanding with the example "<p>Test</p>" it should result in "" if the p-tag is not allowed. My result is that the whole tag is rendered as text with the markup-tag <p> Best regards, Ingo -----Ursprüngliche Nachricht----- Von: Jacques Le Roux [mailto:[hidden email]] Gesendet: Freitag, 6. November 2015 16:32 An: [hidden email] Betreff: Re: Render HTML markup in Freemarker This is due to https://issues.apache.org/jira/browse/OFBIZ-6669 I see only one solution: use also the content.sanitize properties from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded). This also means that you are then assuming your code is sensible to possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing. I will code that soon... Jacques Le 06/11/2015 13:56, Ingo Wolfmayr a écrit : > Hi everybody, > > I am trying to display text content with embedded HTML markup tags: > > <p>Test</p> > > I tried > ${productContentWrapper.get("DESCRIPTION","html") > ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html" > )) > > For some reason it does print the text including the markup tags. > > I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration. > > Thanks for any hint. > Best regards > Ingo > |
Re: AW: Render HTML markup in Freemarker
|
Administrator
|
Ingo,
Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer. As explained in OFBIZ-6669, contrary to what I did in ContentWorker class, when I before did the work on *ContentWrapper classes I did not use the sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind thought it was easier because of the URL encoderType to also handle. When the encoderType is HTML, I now suggest we use the sanitizer in *ContentWrapper classes For that I will enhance the UtilCodec class (if people disagree a sanitizer should be there, I will create a new UtilOwasp class) Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description). This is why content.sanitize property exists in content.properties. To generalise, this property will need to be moved in the base config, I guess in an owasp.properties file. To be totally complete we should change *lines like* in productsummary.ftl line 85 to use an HTML content wrapper. I mean something like Index: applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl =================================================================== --- applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl (revision 1712951) +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl (working copy) @@ -63,6 +63,7 @@ <#assign prodCatMem = requestAttributes.productCategoryMember> </#if> <#assign smallImageUrl = productContentWrapper.get("SMALL_IMAGE_URL", "url")!> + <#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")> <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if> <#-- end variable setup --> <#assign productInfoLinkId = "productInfoLink"> @@ -82,7 +83,7 @@ <img src="<@ofbizContentUrl>${contentPathPrefix!}${smallImageUrl}</@ofbizContentUrl>" alt="Small Image"/><br /> ${uiLabelMap.ProductProductId} : ${product.productId!}<br /> ${uiLabelMap.ProductProductName} : ${product.productName!}<br /> - ${uiLabelMap.CommonDescription} : ${product.description!} + ${uiLabelMap.CommonDescription} : ${productDescription!} </td> </tr> </table> I hope I'm clear now, see my proposed patch at OFBIZ-6669 Jacques Le 06/11/2015 20:19, Ingo Wolfmayr a écrit : > Hi Jacques, > > thanks for the quick answer. > > Just for me to understand :) : > > I have the following content from DB: <p>Test</p> > Shouldn't the sanatizer remove/sanatize tags that are not in the allow policy? So from my understanding with the example "<p>Test</p>" it should result in "" if the p-tag is not allowed. My result is that the whole tag is rendered as text with the markup-tag <p> > > Best regards, > Ingo > > > > > -----Ursprüngliche Nachricht----- > Von: Jacques Le Roux [mailto:[hidden email]] > Gesendet: Freitag, 6. November 2015 16:32 > An: [hidden email] > Betreff: Re: Render HTML markup in Freemarker > > This is due to https://issues.apache.org/jira/browse/OFBIZ-6669 > > I see only one solution: use also the content.sanitize properties from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded). > This also means that you are then assuming your code is sensible to possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing. > > I will code that soon... > > Jacques > > > Le 06/11/2015 13:56, Ingo Wolfmayr a écrit : >> Hi everybody, >> >> I am trying to display text content with embedded HTML markup tags: >> >> <p>Test</p> >> >> I tried >> ${productContentWrapper.get("DESCRIPTION","html") >> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html" >> )) >> >> For some reason it does print the text including the markup tags. >> >> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration. >> >> Thanks for any hint. >> Best regards >> Ingo >> > |
Re: AW: Render HTML markup in Freemarker
|
Administrator
|
I submitted a last patch in OFBIZ-6669. It's now complete and get rid of the content.properties, see my 2 last comments in OFBIZ-6669.
HTH Jacques Le 07/11/2015 09:20, Jacques Le Roux a écrit : > Ingo, > > Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer. > > As explained in OFBIZ-6669, contrary to what I did in ContentWorker class, when I before did the work on *ContentWrapper classes I did not use the > sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind > thought it was easier because of the URL encoderType to also handle. > > When the encoderType is HTML, I now suggest we use the sanitizer in *ContentWrapper classes For that I will enhance the UtilCodec class (if people > disagree a sanitizer should be there, I will create a new UtilOwasp class) > > Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description). > This is why content.sanitize property exists in content.properties. To generalise, this property will need to be moved in the base config, I guess > in an owasp.properties file. > > To be totally complete we should change *lines like* in productsummary.ftl line 85 to use an HTML content wrapper. I mean something like > > Index: applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl > =================================================================== > --- applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl (revision 1712951) > +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl (working copy) > @@ -63,6 +63,7 @@ > <#assign prodCatMem = requestAttributes.productCategoryMember> > </#if> > <#assign smallImageUrl = productContentWrapper.get("SMALL_IMAGE_URL", "url")!> > + <#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")> > <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if> > <#-- end variable setup --> > <#assign productInfoLinkId = "productInfoLink"> > @@ -82,7 +83,7 @@ > <img src="<@ofbizContentUrl>${contentPathPrefix!}${smallImageUrl}</@ofbizContentUrl>" alt="Small Image"/><br /> > ${uiLabelMap.ProductProductId} : ${product.productId!}<br /> > ${uiLabelMap.ProductProductName} : ${product.productName!}<br /> > - ${uiLabelMap.CommonDescription} : ${product.description!} > + ${uiLabelMap.CommonDescription} : ${productDescription!} > </td> > </tr> > </table> > > I hope I'm clear now, see my proposed patch at OFBIZ-6669 > > Jacques > > > Le 06/11/2015 20:19, Ingo Wolfmayr a écrit : >> Hi Jacques, >> >> thanks for the quick answer. >> >> Just for me to understand :) : >> >> I have the following content from DB: <p>Test</p> >> Shouldn't the sanatizer remove/sanatize tags that are not in the allow policy? So from my understanding with the example "<p>Test</p>" it should >> result in "" if the p-tag is not allowed. My result is that the whole tag is rendered as text with the markup-tag <p> >> >> Best regards, >> Ingo >> >> >> >> >> -----Ursprüngliche Nachricht----- >> Von: Jacques Le Roux [mailto:[hidden email]] >> Gesendet: Freitag, 6. November 2015 16:32 >> An: [hidden email] >> Betreff: Re: Render HTML markup in Freemarker >> >> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669 >> >> I see only one solution: use also the content.sanitize properties from content.properties (here you want it false) in *ContentWrapper classes >> (where the content is encoded). >> This also means that you are then assuming your code is sensible to possible (but unlikely) static XSS attacks. I agree we should give this >> flexibility to users, once they are aware of what they are doing. >> >> I will code that soon... >> >> Jacques >> >> >> Le 06/11/2015 13:56, Ingo Wolfmayr a écrit : >>> Hi everybody, >>> >>> I am trying to display text content with embedded HTML markup tags: >>> >>> <p>Test</p> >>> >>> I tried >>> ${productContentWrapper.get("DESCRIPTION","html") >>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html" >>> )) >>> >>> For some reason it does print the text including the markup tags. >>> >>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: >>> did I miss something in the configuration. >>> >>> Thanks for any hint. >>> Best regards >>> Ingo >>> >> > |
|
|
Thanks Jacques, the patch works fine. After defining the PERMISSIVE_POLICY I get the result I was expecting.
Best regards, Ingo -----Ursprüngliche Nachricht----- Von: Jacques Le Roux [mailto:[hidden email]] Gesendet: Samstag, 7. November 2015 15:53 An: [hidden email] Betreff: Re: AW: Render HTML markup in Freemarker I submitted a last patch in OFBIZ-6669. It's now complete and get rid of the content.properties, see my 2 last comments in OFBIZ-6669. HTH Jacques Le 07/11/2015 09:20, Jacques Le Roux a écrit : > Ingo, > > Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer. > > As explained in OFBIZ-6669, contrary to what I did in ContentWorker > class, when I before did the work on *ContentWrapper classes I did not > use the sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind thought it was easier because of the URL encoderType to also handle. > > When the encoderType is HTML, I now suggest we use the sanitizer in > *ContentWrapper classes For that I will enhance the UtilCodec class > (if people disagree a sanitizer should be there, I will create a new > UtilOwasp class) > > Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description). > This is why content.sanitize property exists in content.properties. To > generalise, this property will need to be moved in the base config, I guess in an owasp.properties file. > > To be totally complete we should change *lines like* in > productsummary.ftl line 85 to use an HTML content wrapper. I mean > something like > > Index: > applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl > =================================================================== > --- > applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl > (revision 1712951) > +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.ft > +++ l (working copy) > @@ -63,6 +63,7 @@ > <#assign prodCatMem = requestAttributes.productCategoryMember> > </#if> > <#assign smallImageUrl = > productContentWrapper.get("SMALL_IMAGE_URL", "url")!> > + <#assign productDescription = > + productContentWrapper.get("DESCRIPTION", "html")> > <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if> > <#-- end variable setup --> > <#assign productInfoLinkId = "productInfoLink"> @@ -82,7 +83,7 @@ > <img src="<@ofbizContentUrl>${contentPathPrefix!}${smallImageUrl}</@ofbizContentUrl>" alt="Small Image"/><br /> > ${uiLabelMap.ProductProductId} : ${product.productId!}<br /> > ${uiLabelMap.ProductProductName} : ${product.productName!}<br /> > - ${uiLabelMap.CommonDescription} : ${product.description!} > + ${uiLabelMap.CommonDescription} : > + ${productDescription!} > </td> > </tr> > </table> > > I hope I'm clear now, see my proposed patch at OFBIZ-6669 > > Jacques > > > Le 06/11/2015 20:19, Ingo Wolfmayr a écrit : >> Hi Jacques, >> >> thanks for the quick answer. >> >> Just for me to understand :) : >> >> I have the following content from DB: <p>Test</p> Shouldn't the >> sanatizer remove/sanatize tags that are not in the allow policy? So >> from my understanding with the example "<p>Test</p>" it should result >> in "" if the p-tag is not allowed. My result is that the whole tag is >> rendered as text with the markup-tag <p> >> >> Best regards, >> Ingo >> >> >> >> >> -----Ursprüngliche Nachricht----- >> Von: Jacques Le Roux [mailto:[hidden email]] >> Gesendet: Freitag, 6. November 2015 16:32 >> An: [hidden email] >> Betreff: Re: Render HTML markup in Freemarker >> >> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669 >> >> I see only one solution: use also the content.sanitize properties >> from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded). >> This also means that you are then assuming your code is sensible to >> possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing. >> >> I will code that soon... >> >> Jacques >> >> >> Le 06/11/2015 13:56, Ingo Wolfmayr a écrit : >>> Hi everybody, >>> >>> I am trying to display text content with embedded HTML markup tags: >>> >>> <p>Test</p> >>> >>> I tried >>> ${productContentWrapper.get("DESCRIPTION","html") >>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html" >>> )) >>> >>> For some reason it does print the text including the markup tags. >>> >>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: >>> did I miss something in the configuration. >>> >>> Thanks for any hint. >>> Best regards >>> Ingo >>> >> > |
Re: AW: AW: Render HTML markup in Freemarker
|
Administrator
|
Thanks for feedback Ingo,
Did you define your own PERMISSIVE_POLICY or simply used the one I created? I think I will anyway provide a base property to allow users using it without coding, with a comment to explain it can be modified Jacques Le 08/11/2015 12:39, Ingo Wolfmayr a écrit : > Thanks Jacques, the patch works fine. After defining the PERMISSIVE_POLICY I get the result I was expecting. > > Best regards, > Ingo > > -----Ursprüngliche Nachricht----- > Von: Jacques Le Roux [mailto:[hidden email]] > Gesendet: Samstag, 7. November 2015 15:53 > An: [hidden email] > Betreff: Re: AW: Render HTML markup in Freemarker > > I submitted a last patch in OFBIZ-6669. It's now complete and get rid of the content.properties, see my 2 last comments in OFBIZ-6669. > > HTH > > Jacques > > Le 07/11/2015 09:20, Jacques Le Roux a écrit : >> Ingo, >> >> Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer. >> >> As explained in OFBIZ-6669, contrary to what I did in ContentWorker >> class, when I before did the work on *ContentWrapper classes I did not >> use the sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind thought it was easier because of the URL encoderType to also handle. >> >> When the encoderType is HTML, I now suggest we use the sanitizer in >> *ContentWrapper classes For that I will enhance the UtilCodec class >> (if people disagree a sanitizer should be there, I will create a new >> UtilOwasp class) >> >> Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description). >> This is why content.sanitize property exists in content.properties. To >> generalise, this property will need to be moved in the base config, I guess in an owasp.properties file. >> >> To be totally complete we should change *lines like* in >> productsummary.ftl line 85 to use an HTML content wrapper. I mean >> something like >> >> Index: >> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl >> =================================================================== >> --- >> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl >> (revision 1712951) >> +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.ft >> +++ l (working copy) >> @@ -63,6 +63,7 @@ >> <#assign prodCatMem = requestAttributes.productCategoryMember> >> </#if> >> <#assign smallImageUrl = >> productContentWrapper.get("SMALL_IMAGE_URL", "url")!> >> + <#assign productDescription = >> + productContentWrapper.get("DESCRIPTION", "html")> >> <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if> >> <#-- end variable setup --> >> <#assign productInfoLinkId = "productInfoLink"> @@ -82,7 +83,7 @@ >> <img src="<@ofbizContentUrl>${contentPathPrefix!}${smallImageUrl}</@ofbizContentUrl>" alt="Small Image"/><br /> >> ${uiLabelMap.ProductProductId} : ${product.productId!}<br /> >> ${uiLabelMap.ProductProductName} : ${product.productName!}<br /> >> - ${uiLabelMap.CommonDescription} : ${product.description!} >> + ${uiLabelMap.CommonDescription} : >> + ${productDescription!} >> </td> >> </tr> >> </table> >> >> I hope I'm clear now, see my proposed patch at OFBIZ-6669 >> >> Jacques >> >> >> Le 06/11/2015 20:19, Ingo Wolfmayr a écrit : >>> Hi Jacques, >>> >>> thanks for the quick answer. >>> >>> Just for me to understand :) : >>> >>> I have the following content from DB: <p>Test</p> Shouldn't the >>> sanatizer remove/sanatize tags that are not in the allow policy? So >>> from my understanding with the example "<p>Test</p>" it should result >>> in "" if the p-tag is not allowed. My result is that the whole tag is >>> rendered as text with the markup-tag <p> >>> >>> Best regards, >>> Ingo >>> >>> >>> >>> >>> -----Ursprüngliche Nachricht----- >>> Von: Jacques Le Roux [mailto:[hidden email]] >>> Gesendet: Freitag, 6. November 2015 16:32 >>> An: [hidden email] >>> Betreff: Re: Render HTML markup in Freemarker >>> >>> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669 >>> >>> I see only one solution: use also the content.sanitize properties >>> from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded). >>> This also means that you are then assuming your code is sensible to >>> possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing. >>> >>> I will code that soon... >>> >>> Jacques >>> >>> >>> Le 06/11/2015 13:56, Ingo Wolfmayr a écrit : >>>> Hi everybody, >>>> >>>> I am trying to display text content with embedded HTML markup tags: >>>> >>>> <p>Test</p> >>>> >>>> I tried >>>> ${productContentWrapper.get("DESCRIPTION","html") >>>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html" >>>> )) >>>> >>>> For some reason it does print the text including the markup tags. >>>> >>>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: >>>> did I miss something in the configuration. >>>> >>>> Thanks for any hint. >>>> Best regards >>>> Ingo >>>> > |
|
|
I created my own PERMISSIVE_POLICY, but I am not finished with it by now.
I think putting the configuration into the base property would be a good idea. Thanks! Ingo -----Ursprüngliche Nachricht----- Von: Jacques Le Roux [mailto:[hidden email]] Gesendet: Sonntag, 8. November 2015 14:03 An: [hidden email] Betreff: Re: AW: AW: Render HTML markup in Freemarker Thanks for feedback Ingo, Did you define your own PERMISSIVE_POLICY or simply used the one I created? I think I will anyway provide a base property to allow users using it without coding, with a comment to explain it can be modified Jacques Le 08/11/2015 12:39, Ingo Wolfmayr a écrit : > Thanks Jacques, the patch works fine. After defining the PERMISSIVE_POLICY I get the result I was expecting. > > Best regards, > Ingo > > -----Ursprüngliche Nachricht----- > Von: Jacques Le Roux [mailto:[hidden email]] > Gesendet: Samstag, 7. November 2015 15:53 > An: [hidden email] > Betreff: Re: AW: Render HTML markup in Freemarker > > I submitted a last patch in OFBIZ-6669. It's now complete and get rid of the content.properties, see my 2 last comments in OFBIZ-6669. > > HTH > > Jacques > > Le 07/11/2015 09:20, Jacques Le Roux a écrit : >> Ingo, >> >> Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer. >> >> As explained in OFBIZ-6669, contrary to what I did in ContentWorker >> class, when I before did the work on *ContentWrapper classes I did >> not use the sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind thought it was easier because of the URL encoderType to also handle. >> >> When the encoderType is HTML, I now suggest we use the sanitizer in >> *ContentWrapper classes For that I will enhance the UtilCodec class >> (if people disagree a sanitizer should be there, I will create a new >> UtilOwasp class) >> >> Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description). >> This is why content.sanitize property exists in content.properties. >> To generalise, this property will need to be moved in the base config, I guess in an owasp.properties file. >> >> To be totally complete we should change *lines like* in >> productsummary.ftl line 85 to use an HTML content wrapper. I mean >> something like >> >> Index: >> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl >> =================================================================== >> --- >> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl >> (revision 1712951) >> +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.f >> +++ t >> +++ l (working copy) >> @@ -63,6 +63,7 @@ >> <#assign prodCatMem = requestAttributes.productCategoryMember> >> </#if> >> <#assign smallImageUrl = >> productContentWrapper.get("SMALL_IMAGE_URL", "url")!> >> + <#assign productDescription = >> + productContentWrapper.get("DESCRIPTION", "html")> >> <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if> >> <#-- end variable setup --> >> <#assign productInfoLinkId = "productInfoLink"> @@ -82,7 +83,7 @@ >> <img src="<@ofbizContentUrl>${contentPathPrefix!}${smallImageUrl}</@ofbizContentUrl>" alt="Small Image"/><br /> >> ${uiLabelMap.ProductProductId} : ${product.productId!}<br /> >> ${uiLabelMap.ProductProductName} : ${product.productName!}<br /> >> - ${uiLabelMap.CommonDescription} : ${product.description!} >> + ${uiLabelMap.CommonDescription} : >> + ${productDescription!} >> </td> >> </tr> >> </table> >> >> I hope I'm clear now, see my proposed patch at OFBIZ-6669 >> >> Jacques >> >> >> Le 06/11/2015 20:19, Ingo Wolfmayr a écrit : >>> Hi Jacques, >>> >>> thanks for the quick answer. >>> >>> Just for me to understand :) : >>> >>> I have the following content from DB: <p>Test</p> Shouldn't the >>> sanatizer remove/sanatize tags that are not in the allow policy? So >>> from my understanding with the example "<p>Test</p>" it should >>> result in "" if the p-tag is not allowed. My result is that the >>> whole tag is rendered as text with the markup-tag <p> >>> >>> Best regards, >>> Ingo >>> >>> >>> >>> >>> -----Ursprüngliche Nachricht----- >>> Von: Jacques Le Roux [mailto:[hidden email]] >>> Gesendet: Freitag, 6. November 2015 16:32 >>> An: [hidden email] >>> Betreff: Re: Render HTML markup in Freemarker >>> >>> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669 >>> >>> I see only one solution: use also the content.sanitize properties >>> from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded). >>> This also means that you are then assuming your code is sensible to >>> possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing. >>> >>> I will code that soon... >>> >>> Jacques >>> >>> >>> Le 06/11/2015 13:56, Ingo Wolfmayr a écrit : >>>> Hi everybody, >>>> >>>> I am trying to display text content with embedded HTML markup tags: >>>> >>>> <p>Test</p> >>>> >>>> I tried >>>> ${productContentWrapper.get("DESCRIPTION","html") >>>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html" >>>> )) >>>> >>>> For some reason it does print the text including the markup tags. >>>> >>>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: >>>> did I miss something in the configuration. >>>> >>>> Thanks for any hint. >>>> Best regards >>>> Ingo >>>> > |
«
Return to OFBiz - User
|
1 view|%1 views
| Free forum by Nabble | Edit this page |