[jira] [Created] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error


[jira] [Created] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error

Nicolas Malin (Jira)
Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error
--------------------------------------------------------------------------

                 Key: OFBIZ-4316
                 URL: https://issues.apache.org/jira/browse/OFBIZ-4316
             Project: OFBiz
          Issue Type: Bug
            Reporter: BJ Freeman


from the ForumScreens.xml#ViewForumMessage
[code]
                        <container style="forumtext">
   <label>${contentText}</label>
[code]
shows escaped HTML
[code]
* Data Source<br /> * Marketing Campaign<br /> * Tracking Affiliate programs<br /> * Segment<br /> * Contact List<br /> * Reports<br /> <a class="postlink" href="https://demo-trunk.ofbiz.apache.org/marketing/control/main"USERNAME=flexadmin&PASSWORD=ofbiz&JavaScriptEnabled=Y">Demo Marketing</a>
[code]
replacing
[code]<label>${contentText}</label>[code]
with
[code]${StringUtil.wrapString(contentText).toString()}[code]
gives this error
2011-06-15 18:16:43,200 (TP-Processor13) [ UtilXml.java:1043:ERROR]
XmlFileLoader: File
file:specialpurpose/ecommerce/widget/ForumScreens.xml
process error. Line: 151. Error message: cvc-complex-type.2.3: Element
'condition' cannot have character [children], because the type's content
type is element-only.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

[jira] [Updated] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

BJ Freeman updated OFBIZ-4316:
------------------------------

          Component/s: specialpurpose/ecommerce
                       framework
                       content
        Fix Version/s: SVN trunk
          Description:
from the ForumScreens.xml#ViewForumMessage
{code}
                        <container style="forumtext">
   <label>${contentText}</label>
{code}
shows escaped HTML
{code}
* Data Source<br /> * Marketing Campaign<br /> * Tracking Affiliate programs<br /> * Segment<br /> * Contact List<br /> * Reports<br /> <a class="postlink" href="https://demo-trunk.ofbiz.apache.org/marketing/control/main"USERNAME=flexadmin&PASSWORD=ofbiz&JavaScriptEnabled=Y">Demo Marketing</a>
{code}
replacing
{code}<label>${contentText}</label>{code}
with
{code}${StringUtil.wrapString(contentText).toString()}{code}
gives this error
2011-06-15 18:16:43,200 (TP-Processor13) [ UtilXml.java:1043:ERROR]
XmlFileLoader: File
file:specialpurpose/ecommerce/widget/ForumScreens.xml
process error. Line: 151. Error message: cvc-complex-type.2.3: Element
'condition' cannot have character [children], because the type's content
type is element-only.



    Affects Version/s: SVN trunk

used wrong tag for code

> Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error
> --------------------------------------------------------------------------
>
>                 Key: OFBIZ-4316
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4316
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content, framework, specialpurpose/ecommerce
>    Affects Versions: SVN trunk
>            Reporter: BJ Freeman
>              Labels: html, rendering, widget
>             Fix For: SVN trunk
>
>
> from the ForumScreens.xml#ViewForumMessage
> {code}
>                         <container style="forumtext">
>    <label>${contentText}</label>
> {code}
> shows escaped HTML
> {code}
> * Data Source<br /> * Marketing Campaign<br /> * Tracking Affiliate programs<br /> * Segment<br /> * Contact List<br /> * Reports<br /> <a class="postlink" href="https://demo-trunk.ofbiz.apache.org/marketing/control/main"USERNAME=flexadmin&PASSWORD=ofbiz&JavaScriptEnabled=Y">Demo Marketing</a>
> {code}
> replacing
> {code}<label>${contentText}</label>{code}
> with
> {code}${StringUtil.wrapString(contentText).toString()}{code}
> gives this error
> 2011-06-15 18:16:43,200 (TP-Processor13) [ UtilXml.java:1043:ERROR]
> XmlFileLoader: File
> file:specialpurpose/ecommerce/widget/ForumScreens.xml
> process error. Line: 151. Error message: cvc-complex-type.2.3: Element
> 'condition' cannot have character [children], because the type's content
> type is element-only.


[jira] [Commented] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13050194#comment-13050194 ]

BJ Freeman commented on OFBIZ-4316:
-----------------------------------

quick work around is to use
{code}
<platform-specific><html><html-template location="component://publicface/webapp/publicfacemain/forum/workaroundmsg.ftl"/></html></platform-specific>
{code}


[jira] [Commented] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13050199#comment-13050199 ]

BJ Freeman commented on OFBIZ-4316:
-----------------------------------

also check the trunk demo just to be sure that the code had not been changed since my version.




[jira] [Commented] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13050887#comment-13050887 ]

BJ Freeman commented on OFBIZ-4316:
-----------------------------------

I am using an ftl with
${StringUtil.wrapString(contentText)}
https://issues.apache.org/jira/browse/OFBIZ-4318 is the bug about no record being generated,
but this has to do with the StringUtil handling that problem, so I put this here.
{code}
2011-06-16 20:23:26,453 (TP-Processor36) [ RequestHandler.java:741:INFO ] Rendering View [ViewForumMessage], sessionId=ED6F3D30F1C23C6DBA1C64EC46B2534A.jvm1
2011-06-16 20:23:26,460 (TP-Processor36) [ PrimaryKeyFinder.java:153:INFO ] Returning null because found incomplete primary key in find: [GenericEntity:ElectronicText][dataResourceId,null()]
2011-06-16 20:23:26,696 (TP-Processor36) [ Log4JLoggerFactory.java:96 :ERROR]
Expression StringUtil.wrapString(contentText) is undefined on line 2, column 3 in component://publicface/webapp/businessesnetwork/forum/tmpmsgworkaround.ftl. The problematic instruction: ---------- ==> ${StringUtil.wrapString(contentText)} [on line 2, column 1 in component://publicface/webapp/businessesnetwork/forum/tmpmsgworkaround.ftl] ---------- Java backtrace for programmers: ---------- freemarker.core.InvalidReferenceException: Expression StringUtil.wrapString(contentText) is undefined on line 2, column 3 in component://publicface/webapp/businessesnetwork/forum/tmpmsgworkaround.ftl. at freemarker.core.TemplateObject.assertNonNull(TemplateObject.java:124) at freemarker.core.Expression.getStringValue(Expression.java:118) at freemarker.core.Expression.getStringValue(Expression.java:93) at freemarker.core.DollarVariable.accept(DollarVariable.java:76) at freemarker.core.Environment.visit(Environment.java:209) at freemarker.core.MixedContent.accept(MixedContent.java:92) at freemarker.core.Environment.visit(Environment.java:209) at freemarker.core.Environment.process(Environment.java:189) at org.ofbiz.base.util.template.FreeMarkerWorker.renderTemplate(FreeMarkerWorker.java:216) at org.ofbiz.widget.screen.HtmlWidget.renderHtmlTemplate(HtmlWidget.java:205) at org.ofbiz.widget.screen.HtmlWidget$HtmlTemplate.renderWidgetString(HtmlWidget.java:250) at org.ofbiz.widget.screen.HtmlWidget.renderWidgetString(HtmlWidget.java:110) at org.ofbiz.widget.screen.ModelScreenWidget$PlatformSpecific.renderWidgetString(ModelScreenWidget.java:971) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$DecoratorSection.renderWidgetString(ModelScreenWidget.java:669) at 
org.ofbiz.widget.screen.ModelScreenWidget$SectionsRenderer.render(ModelScreenWidget.java:125) at org.ofbiz.widget.screen.ModelScreenWidget$DecoratorSectionInclude.renderWidgetString(ModelScreenWidget.java:702) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Section.renderWidgetString(ModelScreenWidget.java:187) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Section.renderWidgetString(ModelScreenWidget.java:187) at org.ofbiz.widget.screen.ModelScreen.renderScreenString(ModelScreen.java:392) at org.ofbiz.widget.screen.ModelScreenWidget$DecoratorScreen.renderWidgetString(ModelScreenWidget.java:636) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Section.renderWidgetString(ModelScreenWidget.java:187) at 
org.ofbiz.widget.screen.ModelScreen.renderScreenString(ModelScreen.java:392) at org.ofbiz.widget.screen.ScreenRenderer.render(ScreenRenderer.java:135) at org.ofbiz.widget.screen.ScreenRenderer.render(ScreenRenderer.java:97) at org.ofbiz.widget.screen.ScreenWidgetViewHandler.render(ScreenWidgetViewHandler.java:101) at org.ofbiz.webapp.control.RequestHandler.renderView(RequestHandler.java:839) at org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:559) at org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:227) at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at php.java.servlet.PhpCGIFilter.doFilter(PhpCGIFilter.java:126) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:268) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at 
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) at java.lang.Thread.run(Thread.java:636)
{code}


[jira] [Commented] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13050907#comment-13050907 ]

David E. Jones commented on OFBIZ-4316:
---------------------------------------

When FreeMarker says that an expression "is undefined" it often means that the expression evaluated to null.

If you don't want FreeMarker to blow up like this for null values, add the "?if_exists" built-in.

In general I highly recommend the documentation for FTL at: www.freemarker.org


[jira] [Closed] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Gray closed OFBIZ-4316.
-----------------------------

    Resolution: Invalid

The label widget currently doesn't support disabling encoding, it isn't a bug but instead just an improvement required.  When you originally asked how to prevent encoding I assumed you were referring to within a freemarker template, that's why I suggested using StringUtil.wrapString() but it isn't intended or supported for use in expandable widget fields.

Also, the forum content should never be rendered unencoded because it opens up XSS vulnerabilities by allowing users to post malicious html/js content.


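Scott Gray's closing comment is the security-relevant point of the thread: the widget's encoding is the safe default, and wrapString() would hand the stored forum HTML to the browser unchanged. The block below is an added example, not OFBiz code (plain Java, no OFBiz classes; the hostile fragment in the sample is constructed): it contrasts full encoding with an allow-list sanitizer that keeps `<br />` and http(s) links such as the one in the reported post while rendering every other tag as literal text.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Added example, not OFBiz code. encodeAll() does what the <label> widget does in this thread
// (everything escaped); raw output, which is what wrapString() would hand the template, is the
// identity function; sanitize() is the allow-list middle path that keeps a few harmless tags.
public class ForumContentRenderer {
    // Constructed sample modelled on the forum text quoted in OFBIZ-4316, plus one hostile
    // fragment of the kind Scott Gray warns about (constructed here, not taken from the page).
    static final String SAMPLE =
        "* Data Source<br /> * Reports<br /> "
        + "<a class=\"postlink\" href=\"https://demo-trunk.ofbiz.apache.org/marketing/control/main\">Demo Marketing</a>"
        + " <a href=\"javascript:evil()\">click</a><script>evil()</script>";
    // Tags allowed to pass through; every other tag is rendered as literal text.
    static final Set<String> ALLOWED = Set.of("br", "b", "i", "p", "a");
    // One tag: optional '/', name, attribute text (no '<' or '>' inside), optional self-close '/'.
    static final Pattern TAG = Pattern.compile("<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)\\s*(/?)>");
    static final Pattern HREF = Pattern.compile("href\\s*=\\s*\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);

    // Full HTML encoding: the widget's default and the safe baseline.
    static String encodeAll(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Returns the href value only if it is an absolute http(s) URL, else null. Allow-listing the
    // scheme also rejects data:, vbscript: and obfuscated variants without a deny-list to maintain.
    static String safeHref(String attrs) {
        Matcher h = HREF.matcher(attrs);
        if (!h.find()) return null;
        String url = h.group(1).trim();
        boolean http = url.regionMatches(true, 0, "http://", 0, 7) || url.regionMatches(true, 0, "https://", 0, 8);
        return http ? url : null;
    }

    // Allow-list sanitizer. Text nodes are treated as plain text and fully encoded; allowed tags
    // are re-emitted with attributes dropped, except that <a> keeps a validated href and gains
    // rel="nofollow". A rejected <a> leaves its </a> behind, which browsers ignore.
    static String sanitize(String html) {
        StringBuilder out = new StringBuilder();
        Matcher m = TAG.matcher(html);
        int last = 0;
        while (m.find()) {
            out.append(encodeAll(html.substring(last, m.start())));
            last = m.end();
            String close = m.group(1);
            String name = m.group(2).toLowerCase();
            if (!ALLOWED.contains(name)) {
                out.append(encodeAll(m.group()));      // unknown tag -> visible literal text
            } else if (name.equals("a") && close.isEmpty()) {
                String href = safeHref(m.group(3));
                if (href == null) {
                    out.append(encodeAll(m.group()));  // unsafe or missing href -> literal text
                } else {
                    out.append("<a href=\"").append(encodeAll(href)).append("\" rel=\"nofollow\">");
                }
            } else {
                out.append('<').append(close).append(name).append(m.group(4).isEmpty() ? ">" : " />");
            }
        }
        out.append(encodeAll(html.substring(last)));
        return out.toString();
    }
    public static void main(String[] args) {
        System.out.println("label widget : " + encodeAll(SAMPLE));
        System.out.println("wrapString   : " + SAMPLE);
        System.out.println("allow-list   : " + sanitize(SAMPLE));
    }
}
```

Running it shows the `<script>` element and the `javascript:` link surviving only as visible text in the sanitized output, while the `<br />` breaks and the demo-site link render as markup.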
       
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-4316) Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13053375#comment-13053375 ]

BJ Freeman commented on OFBIZ-4316:
-----------------------------------

thanks for the clarification.
however for forums I run they are moderated.
so malicious html/js content is not possible.
I do understand that ofbiz must go for worst case.

