OFBiz › OFBiz - Notifications

[jira] [Commented] (OFBIZ-11907) WidgetWorker should not write generated html to Appendable

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Nicolas Malin (Jira)

[jira] [Commented] (OFBIZ-11907) WidgetWorker should not write generated html to Appendable

[ https://issues.apache.org/jira/browse/OFBIZ-11907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17169835#comment-17169835 ]

ASF subversion and git services commented on OFBIZ-11907:
---------------------------------------------------------

Commit e8dd3c609cd50d757bf0db8263f5ca14c00d2f0f in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=e8dd3c6 ]

Fixed: Server-Side Template Injection using Static (OFBIZ-11871)

Thanks to Alvaro's explanations, the problem was in MacroFormRenderer where, for
lookups, we retrieve _LAST_VIEW_NAME_ as a parameter without encoding it.

I have added getEncodedParameter method in UtilHttp and removed now useless
(after OFBIZ-11907) getEnvironment from MacroFormRenderer.java

Thanks: Alvaro for advice

> WidgetWorker should not write generated html to Appendable
> ----------------------------------------------------------
>
> Key: OFBIZ-11907
> URL: https://issues.apache.org/jira/browse/OFBIZ-11907
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/widget
> Reporter: Daniel Watford
> Assignee: Daniel Watford
> Priority: Minor
> Fix For: Upcoming Branch
>
>
> WidgetWorker is used to create URLs, anchor links and hidden forms (to support hidden-form links).
> WidgetWorker doesn't just generate these elements but it also writes those elements to an Appendable object normally passed to it from classes like MacroScreenRenderer and MacroFormRenderer.
> Requiring that an Appendable is passed to WidgetWorker unnecessarily forces behaviour onto the calling classes, when all that is really required is for the WidgetWorker to create the elements it has been asked. Calling classes can write the created elements to I/O as they see fit.
> Further, WidgetWorker produces HTML elements rendered to string. By doing this WidgetWorker has assumed knowledge about how the elements are to be used (i.e. within an FTL macro parameter call) and has to apply appropriate encoding.
> Rather than rendering a string, WidgetWorker should create data structures, such as JSoup's elements, to represent the requested elements. The calling classes can then decide how/where to render the elements.
> The above changes are deemed necessary to allow the refactoring of MacroFormRenderer to proceed, as otherwise MacroFormRenderer will have to ensure knowledge of where elements are to be rendered is maintained in order for this information to be passed to WidgetWorker. This is not in-line with the refactoring efforts targeting MacroFormRenderer.
> This changes will reduce the responsibilities of WidgetWorker. It shall be responsible for creating data structures to represent requested elements, without needing to know how to render those elements to a string or other I/O channel.
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)