WARNING: I am a newbie, so some of this may seem pretty disjointed.

I've been going through the "Apache OFBiz Development: The Beginners Tutorial" book. I know that my first problem was that the book is written for the release 4.0, and I'm working in 9.04. I thought resolving the discrepancies would be a valuable part of my education.

Here's the problem I'm dealing with: My HTML tags are showing up when they shouldn't be. I'm smart enough to figure out that this relates to the XSS countermeasures that you guys are rolling out. I've been searching the forums, but all I find for guidance is a bunch of threads about how to suppress the countermeasures (I'll admit that I probably don't have the vocabulary to search intelligently). I don't want to do that; I just want to figure out how to make it work the way you've designed it.

Can someone PLEASE walk me through a real-world example? I went into the OOTB code looking for a model and found that the blog capability in the ecommerce app hasn't been retrofitted yet - the HTML tags are showing up in "Big Al's" blog just like they do in my practice app.

I'm asking for one of two things: Please either tell me the steps I would take to fix Big Al's blog or direct me to a comparable file where I can do side-by-side comparison of new world (literals escaped) vs. old world (Big Al).

Thank you very much in advance for any help you can provide.

Judd
Depending on what you mean by "countermeasures" that may be exactly what you're looking for.

The idea is that with FTL files ALL String variables are HTML encoded in order to avoid XSS problems (like you mentioned) and also to avoid misinterpreted output. When a variable is meant to have HTML in it and you don't want it encoded (not the default, but certainly acceptable in some cases) then you should use the StringUtil.wrapString() call, like in the example you've probably found:

    <div>${StringUtil.wrapString(productPromo.promoText?if_exists)}</div>

What would be nice is if there was some more obvious way to do this, like if FTL had a built-in to tell it NOT to do HTML encoding that we could override to do this same thing (i.e. like promoText?no_html), but there's only so much we can do with it.

-David

On Jun 10, 2009, at 8:06 PM, juddco wrote:

> WARNING: I am a newbie, so some of this may seem pretty disjointed.
>
> I've been going through the "Apache OFBiz Development: The Beginners
> Tutorial" book. I know that my first problem was that the book is written
> for the release 4.0, and I'm working in 9.04. I thought resolving the
> discrepancies would be a valuable part of my education.
>
> Here's the problem I'm dealing with: My HTML tags are showing up when they
> shouldn't be. I'm smart enough to figure out that this relates to the XSS
> countermeasures that you guys are rolling out. I've been searching the
> forums, but all I find for guidance is a bunch of threads about how to
> suppress the countermeasures (I'll admit that I probably don't have the
> vocabulary to search intelligently). I don't want to do that; I just want
> to figure out how to make it work the way you've designed it.
>
> Can someone PLEASE walk me through a real-world example? I went into the
> OOTB code looking for a model and found that the blog capability in the
> ecommerce app hasn't been retrofitted yet - the HTML tags are showing up in
> "Big Al's" blog just like they do in my practice app.
>
> I'm asking for one of two things: Please either tell me the steps I would
> take to fix Big Al's blog or direct me to a comparable file where I can do
> side-by-side comparison of new world (literals escaped) vs. old world (Big
> Al).
>
> Thank you very much in advance for any help you can provide.
>
> Judd
> --
> View this message in context: http://www.nabble.com/XSS-Exploit-Countermeasures---Escaping-Characters-tp23974171p23974171.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
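The behaviour described in the reply above (encode every string by default, opt out per value with a wrapper), as a simplified stand-alone model. This is an added example, not OFBiz code and not from either poster; the class FtlEncodingModel, its Raw marker and its wrapString/interpolate helpers are hypothetical stand-ins, and the two input strings are constructed.

```java
public class FtlEncodingModel {

    /** Marker for a value the template author has declared safe to emit as-is. */
    static final class Raw {
        final String value;
        Raw(String value) { this.value = value; }
    }

    /** Hypothetical stand-in for the wrapString() opt-out: exempts ONE value from encoding. */
    static Raw wrapString(String s) { return new Raw(s == null ? "" : s); }

    /** Minimal HTML encoder for the characters that are significant in element and attribute content. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Models a ${...} interpolation: encode unless the value was explicitly wrapped. */
    static String interpolate(Object value) {
        if (value instanceof Raw) return ((Raw) value).value;
        return htmlEncode(String.valueOf(value));
    }

    public static void main(String[] args) {
        // Constructed sample values: one written by store staff, one submitted by a visitor.
        String staffPromo = "<b>Free shipping</b> this week";
        String visitorComment = "<script>alert(1)</script> nice post";

        // Default path: markup is shown as literal text (the symptom in the question).
        System.out.println(interpolate(staffPromo));
        // Opt-out path: the browser receives real markup and renders it.
        System.out.println(interpolate(wrapString(staffPromo)));
        // Default path keeps untrusted input inert.
        System.out.println(interpolate(visitorComment));
        // Opt-out on untrusted input emits the script element unchanged, so the
        // wrapper belongs only on content whose author is trusted or that was sanitized.
        System.out.println(interpolate(wrapString(visitorComment)));
    }
}
```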
In reply to this post by juddco
Hi all,

I've a question regarding the sales orders from POS.

We have a product store with "Is Immediately Fulfilled" set to NO.

After a sale is done a new sales order is being created for the store with status APPROVED. I can not find anywhere in the GUI how to complete the order, so its status goes to COMPLETED, the items quantity is updated in the store facility and etc.

Is there an easy way to perform that task from the GUI ?

Thanks in advance,
Deyan
It seems you know that the POS is OOTB designed to work with "Is Immediately Fulfilled" set to YES.
So you must have a good reason to do so. But I'm afraid there are currently no easy solutions for your pb

Jacques

From: "Deyan Tsvetanov" <[hidden email]>
> Hi all,
>
> I've a question regarding the sales orders from POS.
>
> We have a product store with "Is Immediately Fulfilled" set to NO.
>
> After a sale is done a new sales order is being created for the store with status APPROVED. I can not find anywhere in the GUI
> how to complete the order, so its status goes to COMPLETED, the items quantity is updated in the store facility and etc.
>
> Is there an easy way to perform that task from the GUI ?
>
> Thanks in advance,
> Deyan
Well, my current problem is that that particular sale was made without "Is Immediately Fulfilled" set to YES. So I'm trying to find an easy way to fix it :)

Otherwise sometimes it could happen that you don't want to immediately fulfill the order. I'll give you an example: The goods you buy may need to be prepared or taken out of the warehouse and either shipped to you or given to you after you pay. Some furniture stores do sales this way. Or a computer store - you choose a computer system, the POS clerk asks you for some configuration questions ( like HDD, RAM, etc ) and submits the order. You pay. The order goes to the warehouse where the workers actually add more ram, pack the system and bring it to you in the waiting room in 10 minutes.

Anyway - it's just an example. The current issue for me is to complete that single order which was created this way by mistake. I'll check the source code in the PaymentEvents.java and the services the POS software calls and will finalize it manually. I just wanted to know if there is an easy way to do it from the GUI as I couldn't find anything.

Thanks,
Deyan

-----Original Message-----
From: Jacques Le Roux <[hidden email]>
Reply-to: "Jacques Le Roux" <[hidden email]>
To: [hidden email]
Subject: Re: POS sales order completion
Date: Fri, 25 Sep 2009 12:02:43 +0200

It seems you know that the POS is OOTB designed to work with "Is Immediately Fulfilled" set to YES.
So you must have a good reason to do so. But I'm afraid there are currently no easy solutions for your pb

Jacques
Hi Deyan,

There are still some features missing in the POS, I agree. For the moment, in such cases you may use the order manager.

Jacques

From: "Deyan Tsvetanov" <[hidden email]>
> Well, my current problem is that that particular sale was made without
> "Is Immediately Fulfilled" set to YES.
> So I'm trying to find an easy way to fix it :)
>
> Otherwise sometimes it could happen that you don't want to immediately
> fulfill the order. I'll give you an example:
> The goods you buy may need to be prepared or taken out of the warehouse
> and either shipped to you or given to you after you pay.
> Some furniture stores do sales this way. Or a computer store - you
> choose a computer system, the POS clerk asks you for some
> configuration questions ( like HDD, RAM, etc ) and submits the order.
> You pay. The order goes to the warehouse where the workers
> actually add more ram, pack the system and bring it to you in the
> waiting room in 10 minutes.
>
> Anyway - it's just an example. The current issue for me is to complete
> that single order which was created this way by mistake.
> I'll check the source code in the PaymentEvents.java and the services
> the POS software calls and will finalize it manually. I just wanted to
> know if there is an easy way to do it from the GUI as I couldn't find
> anything.
>
> Thanks,
> Deyan
My question was exactly about the order manager - is there a way to complete the order using the order manager :)
I'm not complaining - just asking for a shortcut :)

-----Original Message-----
From: Jacques Le Roux <[hidden email]>
Reply-to: "Jacques Le Roux" <[hidden email]>
To: [hidden email]
Subject: Re: POS sales order completion
Date: Fri, 25 Sep 2009 14:22:07 +0200

Hi Deyan,

There are still some features missing in the POS, I agree. For the moment, in such cases you may use the order manager..

Jacques
If "you" had begun with the order manager there would be no problems at all of course.
I have never crossed this case, so I can't give a good answer for this order. I guess you will have to get your hands dirty (i.e. Webtools / Entity Maintenance and such)

Jacques

From: "Deyan Tsvetanov" <[hidden email]>
> My question was exactly about the order manager - is there a way to
> complete the order using the order manager :)
> I'm not complaining - just asking for a shortcut :)