[jira] Created: (OFBIZ-2231) Escaped ampersands in xml import need to be reencoded

Escaped  ampersands in xml import need to be reencoded
------------------------------------------------------

                 Key: OFBIZ-2231
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2231
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: SVN trunk
         Environment: Windows XP
            Reporter: Stephen Rufle
             Fix For: SVN trunk


 While trying to import
<PostalAddress toName="To" stateProvinceGeoId="NJ" postalCode="08873" countryGeoId="USA" contactMechId="001" city="SOMERSET" attnName="Steve" address2="100 Some Ave" address1="First&amp;Broadway"/>

got the following exception. I think that the recent security stuff encodes the xml so it is no longer valid during the reader.parse call in org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(...)

My solution is to make a call to
xmltext= StringUtil.replaceString(xmltext, "&", "&amp;");
before reader.parse is called

An error occurred saving the data, rolling back transaction (true)
Exception: org.xml.sax.SAXException
Message: Error storing value
---- stack trace ---------------------------------------------------------------
org.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:PartyRelationship][createdStamp,2009-03-06 14:02:21.344(java.sql.Timestamp)][createdTxStamp,2009-03-06 14:02:21.327(java.sql.Timestamp)][fromDate,2006-08-01 00:00:00.0(java.sql.Timestamp)][lastUpdatedStamp,2009-03-06 14:02:21.344(java.sql.Timestamp)][lastUpdatedTxStamp,2009-03-06 14:02:21.327(java.sql.Timestamp)][partyIdFrom,ACT-223(java.lang.String)][partyIdTo,SHP-223-0(java.lang.String)][partyRelationshipTypeId,GROUP_ROLLUP(java.lang.String)][roleTypeIdFrom,ACCOUNT(java.lang.String)][roleTypeIdTo,SHIP_TO_CUSTOMER(java.lang.String)] (SQL Exception while executing the following:INSERT INTO OFBIZ.PARTY_RELATIONSHIP (PARTY_ID_FROM, PARTY_ID_TO, ROLE_TYPE_ID_FROM, ROLE_TYPE_ID_TO, FROM_DATE, THRU_DATE, STATUS_ID, RELATIONSHIP_NAME, SECURITY_GROUP_ID, PRIORITY_TYPE_ID, PARTY_RELATIONSHIP_TYPE_ID, PERMISSIONS_ENUM_ID, POSITION_TITLE, COMMENTS, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'PARTY_RELATIONSHIP' caused a violation of foreign key constraint 'PARTY_REL_FPROLE' for key (ACT-223,ACCOUNT).  The statement has been rolled back.))
org.ofbiz.entity.util.EntitySaxReader.endElement(EntitySaxReader.java:426)
javolution.xml.sax.XMLReaderImpl.parseAll(Unknown Source)
javolution.xml.sax.XMLReaderImpl.parse(Unknown Source)
org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:258)
org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:209)
org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(WebToolsServices.java:459)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
java.lang.reflect.Method.invoke(Unknown Source)
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
org.ofbiz.webtools.WebToolsServices.entityImport(WebToolsServices.java:203)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
java.lang.reflect.Method.invoke(Unknown Source)
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
org.ofbiz.webapp.event.ServiceEventHandler.invoke(ServiceEventHandler.java:328)
org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:530)
org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:328)
org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:201)
org.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:77)
javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:259)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
org.ofbiz.catalina.container.CrossSubdomainSessionValve.invoke(CrossSubdomainSessionValve.java:44)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
java.lang.Thread.run(Unknown Source)
---------------------------------------------------------------

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Rufle updated OFBIZ-2231:
---------------------------------

    Attachment: 2009-03-06_WidgetWorker.patch

Adds
xmltext= StringUtil.replaceString(xmltext, "&", "&amp;");
to
org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(...)  before calling reader.parse(xmltext)


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Rufle updated OFBIZ-2231:
---------------------------------

    Attachment:     (was: 2009-03-06_WidgetWorker.patch)

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Rufle updated OFBIZ-2231:
---------------------------------

    Attachment: 2009-03-06_WebToolsServices.patch

Adds
xmltext= StringUtil.replaceString(xmltext, "&", "&amp;");
to
org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(...)  before calling reader.parse(xmltext)

Previously added wrong patch file.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679735#action_12679735 ]

Jacques Le Roux commented on OFBIZ-2231:
----------------------------------------

Hi Stephen,

To make your comments more clear, in such case please use the \{code\} tag around code with HTML entities in. Else they will show as normal characters, here for instance

{code}xmltext= StringUtil.replaceString(xmltext, "&", "\&amp;");{code}

(I escaped the { using \ to show you \{code\}  in the 1st line)

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679739#action_12679739 ]

Jacques Le Roux commented on OFBIZ-2231:
----------------------------------------

BTW, I think & is not the sole concerned character (could be some ', < and >, and maybe more and we should better treat all of them in the same place. So I suggest to use StringUtil.htmlEncoder instead.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679741#action_12679741 ]

Jacques Le Roux commented on OFBIZ-2231:
----------------------------------------

Forget it, I just tried this not a good solution : of course all get encoded and it does not work. I wonder if we should not better consider that every special characters in text (ie between double quote in value="") should be encoded before trying to import them...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Rufle updated OFBIZ-2231:
---------------------------------

    Description:
 While trying to import
{code:xml}
<PostalAddress toName="To" stateProvinceGeoId="NJ" postalCode="08873"
countryGeoId="USA" contactMechId="001" city="SOMERSET" attnName="Steve"
 address2="100 Some Ave" address1="First&amp;Broadway"/>
{code}
got the following exception. I think that the recent security stuff encodes the xml so it is no longer valid during the reader.parse call in org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(...)

My solution is to make a call to
{code}
xmltext= StringUtil.replaceString(xmltext, "&", "\&amp;");
{code}
before reader.parse is called

{code}
An error occurred saving the data, rolling back transaction (true)
Exception: org.xml.sax.SAXException
Message: Error storing value
---- stack trace ---------------------------------------------------------------
org.ofbiz.entity.GenericEntityException: Error while inserting:
[GenericEntity:PartyRelationship]...
javolution.xml.sax.XMLReaderImpl.parseAll(Unknown Source)
javolution.xml.sax.XMLReaderImpl.parse(Unknown Source)
org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:258)
org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:209)
org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(WebToolsServices.java:459)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
java.lang.reflect.Method.invoke(Unknown Source)
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
org.ofbiz.webtools.WebToolsServices.entityImport(WebToolsServices.java:203)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
java.lang.reflect.Method.invoke(Unknown Source)
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
org.ofbiz.webapp.event.ServiceEventHandler.invoke(ServiceEventHandler.java:328)
org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:530)
org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:328)
org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:201)
org.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:77)
javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:259)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
org.ofbiz.catalina.container.CrossSubdomainSessionValve.invoke(CrossSubdomainSessionValve.java:44)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
java.lang.Thread.run(Unknown Source)
---------------------------------------------------------------
{code}

  was:
 While trying to import
<PostalAddress toName="To" stateProvinceGeoId="NJ" postalCode="08873" countryGeoId="USA" contactMechId="001" city="SOMERSET" attnName="Steve" address2="100 Some Ave" address1="First&amp;Broadway"/>

got the following exception. I think that the recent security stuff encodes the xml so it is no longer valid during the reader.parse call in org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(...)

My solution is to make a call to
xmltext= StringUtil.replaceString(xmltext, "&", "&amp;");
before reader.parse is called

An error occurred saving the data, rolling back transaction (true)
Exception: org.xml.sax.SAXException
Message: Error storing value
---- stack trace ---------------------------------------------------------------
org.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:PartyRelationship][createdStamp,2009-03-06 14:02:21.344(java.sql.Timestamp)][createdTxStamp,2009-03-06 14:02:21.327(java.sql.Timestamp)][fromDate,2006-08-01 00:00:00.0(java.sql.Timestamp)][lastUpdatedStamp,2009-03-06 14:02:21.344(java.sql.Timestamp)][lastUpdatedTxStamp,2009-03-06 14:02:21.327(java.sql.Timestamp)][partyIdFrom,ACT-223(java.lang.String)][partyIdTo,SHP-223-0(java.lang.String)][partyRelationshipTypeId,GROUP_ROLLUP(java.lang.String)][roleTypeIdFrom,ACCOUNT(java.lang.String)][roleTypeIdTo,SHIP_TO_CUSTOMER(java.lang.String)] (SQL Exception while executing the following:INSERT INTO OFBIZ.PARTY_RELATIONSHIP (PARTY_ID_FROM, PARTY_ID_TO, ROLE_TYPE_ID_FROM, ROLE_TYPE_ID_TO, FROM_DATE, THRU_DATE, STATUS_ID, RELATIONSHIP_NAME, SECURITY_GROUP_ID, PRIORITY_TYPE_ID, PARTY_RELATIONSHIP_TYPE_ID, PERMISSIONS_ENUM_ID, POSITION_TITLE, COMMENTS, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'PARTY_RELATIONSHIP' caused a violation of foreign key constraint 'PARTY_REL_FPROLE' for key (ACT-223,ACCOUNT).  The statement has been rolled back.))
org.ofbiz.entity.util.EntitySaxReader.endElement(EntitySaxReader.java:426)
javolution.xml.sax.XMLReaderImpl.parseAll(Unknown Source)
javolution.xml.sax.XMLReaderImpl.parse(Unknown Source)
org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:258)
org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:209)
org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(WebToolsServices.java:459)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
java.lang.reflect.Method.invoke(Unknown Source)
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
org.ofbiz.webtools.WebToolsServices.entityImport(WebToolsServices.java:203)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
java.lang.reflect.Method.invoke(Unknown Source)
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
org.ofbiz.webapp.event.ServiceEventHandler.invoke(ServiceEventHandler.java:328)
org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:530)
org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:328)
org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:201)
org.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:77)
javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:259)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
org.ofbiz.catalina.container.CrossSubdomainSessionValve.invoke(CrossSubdomainSessionValve.java:44)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
java.lang.Thread.run(Unknown Source)
---------------------------------------------------------------


Added formatting

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679742#action_12679742 ]

Jacques Le Roux commented on OFBIZ-2231:
----------------------------------------

Or better if we could automatically encode only values (I guess later in the process...)

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679750#action_12679750 ]

Stephen Rufle commented on OFBIZ-2231:
--------------------------------------

The limiting factor seems to be that we have to treat it as plain text
because it has already been run through the security stuff. Would it be
possible to allow for a certain URL to be excluded from the security check?


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679756#action_12679756 ]

David E. Jones commented on OFBIZ-2231:
---------------------------------------

What does this have to do with encoding? It looks like what is below was the error (not sure why you deleted it from your comment, it was in your original one).

That error is a foreign key exception. In other words, you're referring to data that doesn't exist.

======================================

org.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:PartyRelationship][createdStamp,2009-03-06 14:02:21.344(java.sql.Timestamp)][createdTxStamp,2009-03-06 14:02:21.327(java.sql.Timestamp)][fromDate,2006-08-01 00:00:00.0(java.sql.Timestamp)][lastUpdatedStamp,2009-03-06 14:02:21.344(java.sql.Timestamp)][lastUpdatedTxStamp,2009-03-06 14:02:21.327(java.sql.Timestamp)][partyIdFrom,ACT-223(java.lang.String)][partyIdTo,SHP-223-0(java.lang.String)][partyRelationshipTypeId,GROUP_ROLLUP(java.lang.String)][roleTypeIdFrom,ACCOUNT(java.lang.String)][roleTypeIdTo,SHIP_TO_CUSTOMER(java.lang.String)] (SQL Exception while executing the following:INSERT INTO OFBIZ.PARTY_RELATIONSHIP (PARTY_ID_FROM, PARTY_ID_TO, ROLE_TYPE_ID_FROM, ROLE_TYPE_ID_TO, FROM_DATE, THRU_DATE, STATUS_ID, RELATIONSHIP_NAME, SECURITY_GROUP_ID, PRIORITY_TYPE_ID, PARTY_RELATIONSHIP_TYPE_ID, PERMISSIONS_ENUM_ID, POSITION_TITLE, COMMENTS, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'PARTY_RELATIONSHIP' caused a violation of foreign key constraint 'PARTY_REL_FPROLE' for key (ACT-223,ACCOUNT).  The statement has been rolled back.))



--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679766#action_12679766 ]

Stephen Rufle commented on OFBIZ-2231:
--------------------------------------

I think I must have miscopied the original error. The issue I saw was
with an {code}\&amp;{code} being in the contents of the attribute
{code}address1="First\&amp;Broadway"{code}
when I looked at the contents of xmltext in parseEntityXmlFile it was
turned into a \& char. I had attributed this behavior to the security
stuff that was going on and thought I would just turn it back into what
the parse would accept as legal.

{code}
---- exception report
----------------------------------------------------------
An error occurred saving the data, rolling back transaction (true)
Exception: org.xml.sax.SAXException
Message: ';' expected
---- stack trace
---------------------------------------------------------------
javolution.xml.stream.XMLStreamException: ';' expected (at line 1, column 0)
javolution.xml.sax.XMLReaderImpl.parse(Unknown Source)
org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:258)
org.ofbiz.entity.util.EntitySaxReader.parse(EntitySaxReader.java:209)
org.ofbiz.webtools.WebToolsServices.parseEntityXmlFile(WebToolsServices.java:459)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
java.lang.reflect.Method.invoke(Unknown Source)
org.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:96)
org.ofbiz.service.engine.StandardJavaEngine.runSync(StandardJavaEngine.java:54)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:384)
org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:213)
org.ofbiz.service.GenericDispatcher.runSync(GenericDispatcher.java:148)
org.ofbiz.webtools.WebToolsServices.entityImport(WebToolsServices.java:203)
{code}


--
Stephen P Rufle
[hidden email]
H1:480-626-8022
H2:480-802-7173
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle




--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12682718#action_12682718 ]

Stephen Rufle commented on OFBIZ-2231:
--------------------------------------

Is there anything I can do to get my patch accepted? Jacques made mention of other char that may need to be encoded. I think David was concerned that a fixed an issue that was not really broken.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-2231:
--------------------------------------

    Assignee: Jacques Le Roux

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12682938#action_12682938 ]

Jacques Le Roux commented on OFBIZ-2231:
----------------------------------------

I will have a look...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12682943#action_12682943 ]

David E. Jones commented on OFBIZ-2231:
---------------------------------------

Jacques: if you're going to have a look, please make sure to find the cause of the problem instead of fixing the symptom, which is all this patch does.

This patch is NOT a solution to the problem IMO, it will cause other problems in other scenarios and doesn't fix whatever the underlying cause of this is. Basically to make progress on this we'll have to reproduce the issue (which doesn't seem too hard) and see what is behaving in an undesirable way.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

I am looking at this now. Seems that

org.ofbiz.base.util.UtilHttp.canonicalizeParameter(String)
gets called  on the fulltext parameter value. That is when it goes from
the on screen value of \&amp; to an actual &. I will look further into
how we might prevent this.


David E. Jones (JIRA) wrote:
--
Stephen P Rufle
[hidden email]
H1:480-626-8022
H2:480-802-7173
Yahoo IM: stephen_rufle
AOL IM: stephen1rufle

Hi Stephen,

Don't take it personnaly, but I think it's better to keep this kind of comments in Jira issues ; easier to follow and track back ;o)

Thanks

Jacques

From: "Stephen Rufle" <[hidden email]>

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12683138#action_12683138 ]

Jacques Le Roux commented on OFBIZ-2231:
----------------------------------------

From Stephen Rufle on dev ML
{quote}
I am looking at this now. Seems that

org.ofbiz.base.util.UtilHttp.canonicalizeParameter(String)
gets called  on the fulltext parameter value. That is when it goes from
the on screen value of \&amp; to an actual &. I will look further into
how we might prevent this.
{quote}

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12683496#action_12683496 ]

Stephen Rufle commented on OFBIZ-2231:
--------------------------------------


When  the following PostalAddress
{code:xml}
<PostalAddress toName="To" stateProvinceGeoId="NJ" postalCode="08873"
countryGeoId="USA" contactMechId="001" city="SOMERSET" attnName="Steve"
 address2="100 Some Ave" address1="First&amp;Broadway"/>
{code}

 is imported using the textarea  on /webtools/control/EntityImport the
"fulltext" parameter ultimately gets encoded using

 {code}org.owasp.esapi.Encoder.canonicalize(String s, boolean flag){code}

After the call the embedded
{code}"\&amp;" gets turned into "&"{code}

Then in
{code}org.ofbiz.webtools.WebToolsServices.entityImport(DispatchContext, Map<String, ? extends Object>){code}
it needs to be undone to get the XML parser to be happy. Any XML parser will have issues with stray \& symbols.
So I am not sure what the solution is. The security reasons for canonicalize call outweigh this issue, so I would
not want to not canonicalize parameter values, but it seems to me that we have to undo whatever was done to this very specific parameter before it can be passed to the
{code}
org.ofbiz.entity.util.EntitySaxReader.parse(String)
{code}
method

So I would like to vote that my solution is suitable for this particular case
David: "... it will cause other problems in other scenarios ..."
Is the worry that there are other cases that we will need to handle xml being passed in a field and this same
re-encoding will need to be done many different places.
 
My other proposed solution would be to create a new method that can be called on the text that turns it back into
suitable XML for parsing.Where right now I guess I am just in-lining that functionality.


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.