svn commit: r1536324 - in /ofbiz/trunk: applications/accounting/servicedef/ applications/content/servicedef/ applications/marketing/servicedef/ applications/order/servicedef/ applications/party/servicedef/ applications/product/servicedef/ applications/...


svn commit: r1536324 - in /ofbiz/trunk: applications/accounting/servicedef/ applications/content/servicedef/ applications/marketing/servicedef/ applications/order/servicedef/ applications/party/servicedef/ applications/product/servicedef/ applications/...

jleroux@apache.org
Author: jleroux
Date: Mon Oct 28 12:12:43 2013
New Revision: 1536324

URL: http://svn.apache.org/r1536324
Log:
Fixes <<Services allow arbitrary HTML for parameters with allow-html set to "safe">> https://issues.apache.org/jira/browse/OFBIZ-5254

After r751990, <<allow-html="any">> and <<allow-html="safe">> are the same: they do nothing! The only difference is the warning message from the OWASP Antisamy IntrusionDetector, which is, as Christoph noted, "giving you a false sense of security" and, as I wrote, "disturbing, wrong and useless". So there is no longer any reason to differentiate between "safe" and "any".

This
* Deprecates "safe" (making it clear in the XSD documentation), keeping only "none" and "any". This is for backward compatibility, else we could completely remove the misleading "safe". Note that "none" is the default.
* Replaces in services definition all allow-html="safe" by allow-html="any"
* Remove from ModelService.java (near line 587) the code which throws the OWASP Antisamy IntrusionDetector message in log

Modified:
    ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml
    ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml
    ofbiz/trunk/applications/content/servicedef/services.xml
    ofbiz/trunk/applications/content/servicedef/services_content.xml
    ofbiz/trunk/applications/content/servicedef/services_data.xml
    ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml
    ofbiz/trunk/applications/order/servicedef/services.xml
    ofbiz/trunk/applications/order/servicedef/services_quote.xml
    ofbiz/trunk/applications/order/servicedef/services_request.xml
    ofbiz/trunk/applications/party/servicedef/services.xml
    ofbiz/trunk/applications/product/servicedef/services.xml
    ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml
    ofbiz/trunk/applications/workeffort/servicedef/services.xml
    ofbiz/trunk/framework/common/servicedef/services.xml
    ofbiz/trunk/framework/common/servicedef/services_email.xml
    ofbiz/trunk/framework/service/dtd/services.xsd
    ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java
    ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml

Modified: ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml (original)
+++ ofbiz/trunk/applications/accounting/servicedef/services_agreement.xml Mon Oct 28 12:12:43 2013
@@ -30,7 +30,7 @@ under the License.
         <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes include="pk" mode="OUT" optional="true"/>
-        <override name="textData" allow-html="safe"/>
+        <override name="textData" allow-html="any"/>
     </service>
     <service name="updateAgreement" default-entity-name="Agreement" engine="simple"
                 location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="updateAgreement" auth="true">
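Review bot: The `textData` override in this hunk now reads `allow-html="any"` with nothing beside it to tell a maintainer that the service accepts the value without filtering, so whatever renders it has to encode or sanitize it. Per the commit message the old `safe` value did no filtering either, so behaviour is unchanged, but the word at least hinted at intent. I would add a comment next to each such field, for example `<!-- accepts unfiltered HTML: encode or sanitize wherever this value is rendered -->`. The same applies to the other `safe` to `any` replacements in the service definition files of this commit. Both service elements are only partly inside the hunk.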
@@ -38,7 +38,7 @@ under the License.
         <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/>
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <override name="textData" allow-html="safe"/>
+        <override name="textData" allow-html="any"/>
     </service>
     <service name="cancelAgreement" default-entity-name="Agreement" engine="simple"
                 location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="cancelAgreement" auth="true">
@@ -65,7 +65,7 @@ under the License.
         <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/>
         <auto-attributes include="pk" mode="INOUT" optional="true"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <override name="agreementText" allow-html="safe"/>
+        <override name="agreementText" allow-html="any"/>
     </service>
     <service name="updateAgreementItem" default-entity-name="AgreementItem" engine="simple"
                 location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="updateAgreementItem" auth="true">
@@ -73,7 +73,7 @@ under the License.
         <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/>
         <auto-attributes include="pk" mode="IN" optional="true"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <override name="agreementText" allow-html="safe"/>
+        <override name="agreementText" allow-html="any"/>
     </service>
     <service name="removeAgreementItem" default-entity-name="AgreementItem" engine="simple"
                 location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="removeAgreementItem" auth="true">
@@ -90,7 +90,7 @@ under the License.
         <permission-service service-name="acctgAgreementPermissionCheck" main-action="CREATE"/>
         <auto-attributes include="pk" mode="INOUT" optional="true"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <override name="textValue" allow-html="safe"/>
+        <override name="textValue" allow-html="any"/>
     </service>
     <service name="updateAgreementTerm" default-entity-name="AgreementTerm" engine="simple"
                 location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="updateAgreementTerm" auth="true">
@@ -98,7 +98,7 @@ under the License.
         <permission-service service-name="acctgAgreementPermissionCheck" main-action="UPDATE"/>
         <auto-attributes include="pk" mode="IN" optional="true"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <override name="textValue" allow-html="safe"/>
+        <override name="textValue" allow-html="any"/>
     </service>
     <service name="deleteAgreementTerm" default-entity-name="AgreementTerm" engine="simple"
                 location="component://accounting/script/org/ofbiz/accounting/agreement/AgreementServices.xml" invoke="deleteAgreementTerm" auth="true">

Modified: ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml (original)
+++ ofbiz/trunk/applications/accounting/servicedef/services_invoice.xml Mon Oct 28 12:12:43 2013
@@ -56,8 +56,8 @@ under the License.
         <override name="invoiceTypeId" mode="IN" optional="false"/>
         <override name="partyIdFrom" mode = "IN" optional="false"/>
         <override name="partyId" mode = "IN" optional="false"/>
-        <override name="description" allow-html="safe"/>
-        <override name="invoiceMessage" allow-html="safe"/>
+        <override name="description" allow-html="any"/>
+        <override name="invoiceMessage" allow-html="any"/>
     </service>
     <service name="copyInvoice" engine="simple" default-entity-name="Invoice"
         location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="copyInvoice">
@@ -80,8 +80,8 @@ under the License.
         <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/>
         <auto-attributes mode="IN" include="pk" optional="false"/>
         <auto-attributes mode="IN" include="nonpk" optional="true"/>
-        <override name="description" allow-html="safe"/>
-        <override name="invoiceMessage" allow-html="safe"/>
+        <override name="description" allow-html="any"/>
+        <override name="invoiceMessage" allow-html="any"/>
     </service>
     <service name="setInvoiceStatus" engine="simple"
         location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="setInvoiceStatus">
@@ -117,7 +117,7 @@ under the License.
         <auto-attributes mode="IN" include="pk" optional="false"/>
         <auto-attributes mode="IN" include="nonpk" optional="true"/>
         <override name="invoiceItemSeqId" mode="INOUT" optional="true"/><!-- will optionally be assigned by the system -->
-        <override name="description" allow-html="safe"/>
+        <override name="description" allow-html="any"/>
     </service>
     <service name="updateInvoiceItem" engine="simple" default-entity-name="InvoiceItem"
         location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="updateInvoiceItem">
@@ -125,7 +125,7 @@ under the License.
         <permission-service service-name="acctgInvoicePermissionCheck" main-action="UPDATE"/>
         <auto-attributes mode="INOUT" include="pk" optional="false"/>
         <auto-attributes mode="IN" include="nonpk" optional="true"/>
-        <override name="description" allow-html="safe"/>
+        <override name="description" allow-html="any"/>
     </service>
     <service name="removeInvoiceItem" engine="simple" default-entity-name="InvoiceItem"
         location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="removeInvoiceItem">
@@ -276,7 +276,7 @@ under the License.
         <attribute name="sendTo" type="String" mode="IN" optional="false"/>
         <attribute name="sendCc" type="String" mode="IN" optional="true"/>
         <attribute name="subject" type="String" mode="IN" optional="true"/>
-        <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/>
         <attribute name="other" type="String" mode="IN" optional="true"/><!-- to send the invoice in the 'other' currency (y) -->
     </service>
     <service name="checkInvoicePaymentApplications" engine="java"
@@ -412,7 +412,7 @@ under the License.
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/>
         <override name="contentId" optional="true"/>
         <override name="fromDate" optional="true"/>
     </service>
@@ -422,7 +422,7 @@ under the License.
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes mode="IN" entity-name="Content" optional="true"/>
         <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
     <service name="isInvoiceInForeignCurrency" engine="simple"
         location="component://accounting/script/org/ofbiz/accounting/invoice/InvoiceServices.xml" invoke="isInvoiceInForeignCurrency" auth="true">

Modified: ofbiz/trunk/applications/content/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/content/servicedef/services.xml Mon Oct 28 12:12:43 2013
@@ -291,12 +291,12 @@
 
     <service name="createSimpleTextContent" engine="simple" location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="createSimpleTextContent">
         <auto-attributes mode="IN" entity-name="Content" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/>
         <override name="contentId" mode="INOUT"/>
     </service>
     <service name="updateSimpleTextContent" engine="simple" location="component://content/script/org/ofbiz/content/content/ContentServices.xml" invoke="updateSimpleTextContent">
         <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
 
     <!-- Util -->
@@ -452,7 +452,7 @@
         <attribute mode="IN" name="forceElectronicText" optional="true" type="String"/>
         <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/>
         <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/>
-        <override name="textData" allow-html="safe"/>
+        <override name="textData" allow-html="any"/>
     </service>
 
     <service name="persistDataResourceAndData" engine="java"
@@ -1052,8 +1052,8 @@
         <attribute name="statusId" type="String" mode="IN" optional="true"/>
         <attribute name="description" type="String" mode="IN" optional="true"/>
         <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/>
-        <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/>
-        <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/>
+        <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
     <service name="updateBlogEntry" engine="simple" auth="true"
         location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="updateBlogEntry">
@@ -1065,8 +1065,8 @@
         <attribute name="statusId" type="String" mode="IN" optional="true"/>
         <attribute name="description" type="String" mode="IN" optional="true"/>
         <attribute name="templateDataResourceId" type="String" mode="IN" optional="true"/>
-        <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="safe"/>
-        <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="articleData" type="String" mode="IN" optional="true" allow-html="any"/>
+        <attribute name="summaryData" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
     <service name="getBlogEntry" engine="simple" auth="true"
         location="component://content/script/org/ofbiz/content/blog/BlogServices.xml" invoke="getBlogEntry">

Modified: ofbiz/trunk/applications/content/servicedef/services_content.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_content.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/servicedef/services_content.xml (original)
+++ ofbiz/trunk/applications/content/servicedef/services_content.xml Mon Oct 28 12:12:43 2013
@@ -48,8 +48,8 @@
         <attribute name="fromDate" type="Timestamp" mode="IN" optional="true"/>
         <attribute name="sequenceNum" type="Long" mode="IN" optional="true"/>
         <override name="contentTypeId" default-value="DOCUMENT"/>
-        <override name="contentName" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
+        <override name="contentName" allow-html="any"/>
+        <override name="description" allow-html="any"/>
     </service>
 
     <service name="createTextAndUploadedContent" engine="simple" auth="true"
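Review bot: `contentName` is a short label-type field, and keeping it at `allow-html="any"` means markup is still accepted where it is probably never needed. The commit message says `none` is the default, so removing `<override name="contentName" allow-html="any"/>` would narrow the input surface for name-like fields. That is a behaviour change for existing data entry and needs checking against callers and stored data. The same question applies to `dataResourceName`, `opportunityName` and `custRequestName` in the other files of this commit. The service element starts above the hunk.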
@@ -131,8 +131,8 @@
         <attribute mode="IN" name="displayFailCond" optional="true" type="Boolean"/>
         <attribute mode="INOUT" name="roleTypeList" optional="true" type="List"/>
         <!-- end of depricated fields -->
-        <override name="contentName" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
+        <override name="contentName" allow-html="any"/>
+        <override name="description" allow-html="any"/>
     </service>
 
     <service name="updateTextContent" engine="group" auth="true">

Modified: ofbiz/trunk/applications/content/servicedef/services_data.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/servicedef/services_data.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/servicedef/services_data.xml (original)
+++ ofbiz/trunk/applications/content/servicedef/services_data.xml Mon Oct 28 12:12:43 2013
@@ -37,8 +37,8 @@
         <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/>
         <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/>
         <attribute name="uploadedFile" type="java.nio.ByteBuffer" mode="IN" optional="true"/>
-        <override name="objectInfo" allow-html="safe"/>
-        <override name="dataResourceName" allow-html="safe"/>
+        <override name="objectInfo" allow-html="any"/>
+        <override name="dataResourceName" allow-html="any"/>
     </service>
     <service name="createDataResourceAndAssocToContent" default-entity-name="DataResource" engine="simple"
             location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="createDataResourceAndAssocToContent" auth="true">
@@ -59,8 +59,8 @@
         <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/>
         <attribute name="dataResourceId" type="String" mode="OUT" optional="false"/>
         <attribute name="dataResource" type="org.ofbiz.entity.GenericValue" mode="OUT" optional="true"/>
-        <override name="objectInfo" allow-html="safe"/>
-        <override name="dataResourceName" allow-html="safe"/>
+        <override name="objectInfo" allow-html="any"/>
+        <override name="dataResourceName" allow-html="any"/>
     </service>
     <service name="removeDataResource" engine="simple" default-entity-name="DataResource" auth="true"
             location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="deleteDataResource">
@@ -90,7 +90,7 @@
         <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description>
         <auto-attributes include="pk" mode="INOUT" optional="true"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <attribute name="textData" mode="IN" optional="true" type="String" allow-html="safe"/>
+        <attribute name="textData" mode="IN" optional="true" type="String" allow-html="any"/>
         <attribute name="targetOperationList" type="List" mode="IN" optional="true"/>
         <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/>
         <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/>
@@ -100,7 +100,7 @@
         <description>Create a DataResource and, possibly, ElectronicText or ImageDataResource</description>
         <auto-attributes include="pk" mode="IN" optional="true"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <attribute name="textData" mode="IN" type="String" optional="true"  allow-html="safe"/>
+        <attribute name="textData" mode="IN" type="String" optional="true"  allow-html="any"/>
         <attribute name="targetOperationList" type="List" mode="IN" optional="true"/>
         <attribute name="contentPurposeList" type="List" mode="IN" optional="true"/>
         <attribute name="skipPermissionCheck" type="String" mode="IN" optional="true"/>
@@ -115,7 +115,7 @@
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <override name="dataResourceTypeId" default-value="ELECTRONIC_TEXT"/>
-        <override name="textData" allow-html="safe"/>
+        <override name="textData" allow-html="any"/>
     </service>
     <service name="updateElectronicText" default-entity-name="ElectronicText" engine="simple"
             location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="updateElectronicText" auth="true">
@@ -124,7 +124,7 @@
         <auto-attributes include="pk" mode="INOUT" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <attribute name="contentId" mode="INOUT" optional="true" type="String"/><!-- to optionaly know where this text is belonging to -->
-        <override name="textData" allow-html="safe"/>
+        <override name="textData" allow-html="any"/>
     </service>
     <service name="removeElectronicText" default-entity-name="ElectronicText" engine="simple"
             location="component://content/script/org/ofbiz/content/data/DataServices.xml" invoke="removeElectronicText" auth="true">

Modified: ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml (original)
+++ ofbiz/trunk/applications/marketing/servicedef/services_opportunity.xml Mon Oct 28 12:12:43 2013
@@ -78,9 +78,9 @@ under the License.
         </auto-attributes>
         <attribute name="accountPartyId" mode="IN" type="String" optional="true"/>
         <attribute name="leadPartyId" mode="IN" type="String" optional="true"/>
-        <override name="opportunityName" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
-        <override name="nextStep" allow-html="safe"/>
+        <override name="opportunityName" allow-html="any"/>
+        <override name="description" allow-html="any"/>
+        <override name="nextStep" allow-html="any"/>
     </service>
     <service name="updateSalesOpportunity" engine="simple" default-entity-name="SalesOpportunity"
         location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" invoke="updateSalesOpportunity">
@@ -89,9 +89,9 @@ under the License.
         <auto-attributes mode="IN" include="nonpk" optional="true"/>
         <attribute name="accountPartyId" mode="IN" type="String" optional="true"/>
         <attribute name="leadPartyId" mode="IN" type="String" optional="true"/>
-        <override name="opportunityName" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
-        <override name="nextStep" allow-html="safe"/>
+        <override name="opportunityName" allow-html="any"/>
+        <override name="description" allow-html="any"/>
+        <override name="nextStep" allow-html="any"/>
     </service>
     <service name="createSalesOpportunityRole" engine="simple" default-entity-name="SalesOpportunityRole"
         location="component://order/script/org/ofbiz/order/opportunity/OpportunityServices.xml" invoke="createSalesOpportunityRole">

Modified: ofbiz/trunk/applications/order/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/order/servicedef/services.xml Mon Oct 28 12:12:43 2013
@@ -450,7 +450,7 @@ under the License.
             location="org.ofbiz.order.order.OrderServices" invoke="createOrderNote" auth="true">
         <description>Create a note item and associate with a order header</description>
         <attribute name="orderId" type="String" mode="IN"/>
-        <attribute name="note" type="String" mode="IN" allow-html="safe"/>
+        <attribute name="note" type="String" mode="IN" allow-html="any"/>
         <attribute name="internalNote" type="String" mode="IN"/>
         <attribute name="noteName" type="String" mode="IN" optional="true"/>
     </service>

Modified: ofbiz/trunk/applications/order/servicedef/services_quote.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_quote.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/servicedef/services_quote.xml (original)
+++ ofbiz/trunk/applications/order/servicedef/services_quote.xml Mon Oct 28 12:12:43 2013
@@ -255,7 +255,7 @@ under the License.
             location="component://order/script/org/ofbiz/order/quote/QuoteServices.xml" invoke="createQuoteNote" auth="true">
         <description>Create a note item and associate with a quote</description>
         <attribute name="quoteId" type="String" mode="IN"/>
-        <attribute name="noteInfo" type="String" mode="IN" allow-html="safe"/>
+        <attribute name="noteInfo" type="String" mode="IN" allow-html="any"/>
         <attribute name="noteName" type="String" mode="IN" optional="true"/>
     </service>
 </services>

Modified: ofbiz/trunk/applications/order/servicedef/services_request.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services_request.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/servicedef/services_request.xml (original)
+++ ofbiz/trunk/applications/order/servicedef/services_request.xml Mon Oct 28 12:12:43 2013
@@ -42,9 +42,9 @@ under the License.
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes include="all" mode="IN" entity-name="CustRequestItem" optional="true"/>
         <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services -->
-        <override name="custRequestName" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
-        <override name="story" allow-html="safe"/>
+        <override name="custRequestName" allow-html="any"/>
+        <override name="description" allow-html="any"/>
+        <override name="story" allow-html="any"/>
     </service>
     <service name="updateCustRequest" engine="simple" default-entity-name="CustRequest"
             location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequest" auth="true">
@@ -52,10 +52,10 @@ under the License.
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <attribute name="oldStatusId" type="String" mode="OUT"/>
-        <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/>
+        <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/>
         <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services -->
-        <override name="custRequestName" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
+        <override name="custRequestName" allow-html="any"/>
+        <override name="description" allow-html="any"/>
     </service>
 
     <service name="deleteCustRequest" engine="simple" default-entity-name="CustRequest"
@@ -86,16 +86,16 @@ under the License.
         <auto-attributes include="pk" mode="INOUT" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <override name="custRequestItemSeqId" optional="true"/>
-        <override name="story" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
+        <override name="story" allow-html="any"/>
+        <override name="description" allow-html="any"/>
     </service>
     <service name="updateCustRequestItem" engine="simple" default-entity-name="CustRequestItem"
             location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestItem" auth="true">
         <description>Update a CustRequestItem record</description>
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <override name="story" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
+        <override name="story" allow-html="any"/>
+        <override name="description" allow-html="any"/>
     </service>
     <service name="copyCustRequestItem" default-entity-name="CustRequestItem" engine="simple"
                 location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="copyCustRequestItem" auth="true">
@@ -129,7 +129,7 @@ under the License.
             location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="createCustRequestNote" auth="true">
         <description>Create a note for a CustRequest</description>
         <attribute name="custRequestId" type="String" mode="IN" optional="false"/>
-        <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="noteInfo" type="String" mode="IN" optional="false" allow-html="any"/>
         <attribute name="noteId" type="String" mode="OUT" optional="false"/>
         <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified -->
         <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services -->
@@ -138,7 +138,7 @@ under the License.
             location="component://order/script/org/ofbiz/order/request/CustRequestServices.xml" invoke="updateCustRequestNote" auth="true">
         <description>Update CustRequest Note</description>
         <attribute name="custRequestId" type="String" mode="IN" optional="false"/>
-        <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="noteId" type="String" mode="IN" optional="false" allow-html="any"/>
         <attribute name="noteInfo" type="String" mode="IN" optional="true"/>
     </service>
     <service name="createCustRequestItemNote" engine="simple"
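Review bot: `allow-html="any"` on `noteId` in this hunk looks misplaced: it is an identifier, while the free-text `noteInfo` on the next line has no `allow-html` and so falls back to the default `none`. The mechanical replacement appears to have carried over an older mistake rather than introduced one. If that reading is right, the two lines should be `<attribute name="noteId" type="String" mode="IN" optional="false"/>` and `<attribute name="noteInfo" type="String" mode="IN" optional="true" allow-html="any"/>`, matching the `noteInfo` attribute in the previous hunk. The service element opens before the hunk, so its name is inferred from the `invoke="updateCustRequestNote"` attribute.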
@@ -146,7 +146,7 @@ under the License.
         <description>Create a note for a CustRequestItem</description>
         <attribute name="custRequestId" type="String" mode="IN" optional="false"/>
         <attribute name="custRequestItemSeqId" type="String" mode="IN" optional="false"/>
-        <attribute name="note" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="note" type="String" mode="IN" optional="false" allow-html="any"/>
         <attribute name="noteId" type="String" mode="OUT" optional="false"/>
         <attribute name="partyId" type="String" mode="INOUT" optional="true"/><!-- party who created the note -->
         <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- party to be notified -->
@@ -178,7 +178,7 @@ under the License.
         <description>Set the Customer Request  Status</description>
         <attribute name="custRequestId" type="String" mode="INOUT" optional="false"/>
         <attribute name="statusId" type="String" mode="IN" optional="false"/>
-        <attribute name="reason" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="reason" type="String" mode="IN" optional="true" allow-html="any"/>
         <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/>
         <attribute name="fromPartyId" type="String" mode="OUT" optional="true"/><!-- for notification services -->
         <attribute name="custRequestName" type="String" mode="OUT" optional="true"/><!-- for notification services -->
@@ -192,9 +192,9 @@ under the License.
         <attribute name="custRequestId" mode="IN" type="String" optional="true"/>
         <attribute name="custRequestId" mode="OUT" type="String" optional="false"/>
         <attribute name="custRequestTypeId" mode="IN" type="String" optional="true"/>
-        <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="safe"/>
-        <attribute name="story" mode="IN" type="String" optional="true" allow-html="safe"/>
-        <override name="content" allow-html="safe"/>
+        <attribute name="custRequestName" mode="IN" type="String" optional="true" allow-html="any"/>
+        <attribute name="story" mode="IN" type="String" optional="true" allow-html="any"/>
+        <override name="content" allow-html="any"/>
     </service>
 
     <!-- custRequest content services -->

Modified: ofbiz/trunk/applications/party/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/party/servicedef/services.xml Mon Oct 28 12:12:43 2013
@@ -120,7 +120,7 @@ under the License.
         <attribute name="externalId" type="String" mode="IN" optional="true"/>
         <attribute name="statusId" type="String" mode="IN" optional="true"/>
         <override name="groupName" optional="false"/>
-        <override name="comments" allow-html="safe"/>
+        <override name="comments" allow-html="any"/>
     </service>
     <service name="updatePartyGroup" engine="java" default-entity-name="PartyGroup"
             location="org.ofbiz.party.party.PartyServices" invoke="updatePartyGroup" auth="true">
@@ -133,7 +133,7 @@ under the License.
         <attribute name="preferredCurrencyUomId" type="String" mode="IN" optional="true"/>
         <attribute name="externalId" type="String" mode="IN" optional="true"/>
         <attribute name="statusId" type="String" mode="IN" optional="true"/>
-        <override name="comments" allow-html="safe"/>
+        <override name="comments" allow-html="any"/>
     </service>
 
     <service name="savePartyNameChange" engine="simple"
@@ -379,7 +379,7 @@ under the License.
         <description>create a company/contact relationship and add the related roles</description>
         <attribute name="accountPartyId" type="String" mode="IN"/>
         <attribute name="contactPartyId" type="String" mode="IN"/>
-        <attribute name="comments" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="comments" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
 
     <!-- ContactMech services -->
@@ -768,9 +768,9 @@ under the License.
         <attribute name="custRequestId" type="String" mode="IN" optional="true"/>
         <attribute name="action" type="String" mode="IN" optional="true"/><!-- to indicate any special action like: REPLY, REPLYALL, FORWARD or empty for no special action-->
         <override name="headerString" allow-html="any"/>
-        <override name="content" allow-html="safe"/>
-        <override name="messageId" allow-html="safe"/>
-        <override name="subject" allow-html="safe"/>
+        <override name="content" allow-html="any"/>
+        <override name="messageId" allow-html="any"/>
+        <override name="subject" allow-html="any"/>
     </service>
     <service name="createCommunicationEvent" engine="simple"
             location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" invoke="createCommunicationEventWithPermission" auth="true">
@@ -792,9 +792,9 @@ under the License.
         <auto-attributes entity-name="CommunicationEvent" include="nonpk" mode="IN" optional="true"/>
         <attribute name="contactMechPurposeTypeIdFrom" type="String" mode="IN" optional="true"><description>Set a specific purpose for the originator email</description></attribute>
         <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/>
-        <override name="messageId" allow-html="safe"/>
-        <override name="content" allow-html="safe"/>
-        <override name="subject" allow-html="safe"/>
+        <override name="messageId" allow-html="any"/>
+        <override name="content" allow-html="any"/>
+        <override name="subject" allow-html="any"/>
     </service>
     <service name="deleteCommunicationEvent" engine="simple"
         location="component://party/script/org/ofbiz/party/communication/CommunicationEventServices.xml" invoke="deleteCommunicationEvent" auth="true">

Modified: ofbiz/trunk/applications/product/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/product/servicedef/services.xml Mon Oct 28 12:12:43 2013
@@ -34,8 +34,8 @@ under the License.
             <exclude field-name="lastModifiedDate"/>
             <exclude field-name="lastModifiedByUserLogin"/>
         </auto-attributes>
-        <override name="description" allow-html="safe"/>
-        <override name="longDescription" allow-html="safe"/>
+        <override name="description" allow-html="any"/>
+        <override name="longDescription" allow-html="any"/>
     </service>
     <service name="createProduct" default-entity-name="Product" engine="simple"
                 location="component://product/script/org/ofbiz/product/product/ProductServices.xml" invoke="createProduct" auth="true">
@@ -70,8 +70,8 @@ under the License.
         <attribute name="oldProductId" type="String" mode="IN" optional="false"/>
         <attribute name="newInternalName" type="String" mode="IN" optional="true"/>
         <attribute name="newProductName" type="String" mode="IN" optional="true"/>
-        <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="safe"/>
-        <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="newDescription" type="String" mode="IN" optional="true" allow-html="any"/>
+        <attribute name="newLongDescription" type="String" mode="IN" optional="true" allow-html="any"/>
         <attribute name="duplicatePrices" type="String" mode="IN" optional="true"/>
         <attribute name="duplicateIDs" type="String" mode="IN" optional="true"/>
         <attribute name="duplicateContent" type="String" mode="IN" optional="true"/>
@@ -392,7 +392,7 @@ under the License.
         <auto-attributes mode="IN" entity-name="Content" optional="true"/>
         <attribute name="subject" type="String" mode="IN" optional="false"/>
         <attribute name="plainBody" type="String" mode="IN" optional="false"/>
-        <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/>
         <override name="contentId" optional="true" mode="INOUT"/>
     </service>
     <service name="updateEmailContentForProduct" default-entity-name="ProductContent" engine="simple"
@@ -405,7 +405,7 @@ under the License.
         <attribute name="plainBodyDataResourceId" type="String" mode="IN" optional="true"/>
         <attribute name="plainBody" type="String" mode="IN" optional="true"/>
         <attribute name="htmlBodyDataResourceId" type="String" mode="IN" optional="true"/>
-        <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="htmlBody" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
     <service name="createDownloadContentForProduct" default-entity-name="ProductContent" engine="simple"
         location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" invoke="createDownloadContentForProduct" auth="true">
@@ -431,7 +431,7 @@ under the License.
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/>
         <override name="contentId" optional="true"/>
         <override name="fromDate" optional="true"/>
     </service>
@@ -441,13 +441,13 @@ under the License.
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes mode="IN" entity-name="Content" optional="true"/>
         <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
 
     <service name="createSimpleTextContentForAlternateLocale" engine="simple" location="component://product/script/org/ofbiz/product/product/ProductContentServices.xml" invoke="createSimpleTextContentForAlternateLocale">
         <auto-attributes mode="IN" entity-name="Content" optional="true"/>
         <attribute name="mainContentId" type="String" mode="IN" optional="false"/>
-        <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/>
         <override name="localeString" optional="false"/>
         <override name="contentId" mode="INOUT"/>
     </service>
@@ -967,7 +967,7 @@ under the License.
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/>
         <override name="contentId" optional="true"/>
         <override name="fromDate" optional="true"/>
     </service>
@@ -977,7 +977,7 @@ under the License.
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes entity-name="Content" include="nonpk" mode="IN" optional="true"/>
         <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
 
     <service name="updateContentSEOForCategory" engine="simple"
@@ -1201,7 +1201,7 @@ under the License.
         <auto-attributes include="pk" mode="IN" optional="true"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes mode="IN" entity-name="Content" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="false" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="false" allow-html="any"/>
         <override name="contentId" optional="true"/>
     </service>
     <service name="updateSimpleTextContentForProductConfigItem" default-entity-name="ProdConfItemContent" engine="simple"
@@ -1210,7 +1210,7 @@ under the License.
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <auto-attributes mode="IN" entity-name="Content" optional="true"/>
         <attribute name="textDataResourceId" type="String" mode="IN" optional="true"/>
-        <attribute name="text" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="text" type="String" mode="IN" optional="true" allow-html="any"/>
     </service>
     <service name="getProductFeaturesByType" engine="java"
             location="org.ofbiz.product.feature.ProductFeatureServices" invoke="getProductFeaturesByType">

Modified: ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml (original)
+++ ofbiz/trunk/applications/product/servicedef/services_pricepromo.xml Mon Oct 28 12:12:43 2013
@@ -138,7 +138,7 @@ under the License.
             <exclude field-name="lastModifiedByUserLogin"/>
         </auto-attributes>
         <override name="promoName" optional="false"/>
-        <override name="promoText" allow-html="safe"/>
+        <override name="promoText" allow-html="any"/>
     </service>
     <service name="updateProductPromo" default-entity-name="ProductPromo" engine="simple"
                 location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="updateProductPromo" auth="true">
@@ -150,7 +150,7 @@ under the License.
             <exclude field-name="lastModifiedDate"/>
             <exclude field-name="lastModifiedByUserLogin"/>
         </auto-attributes>
-        <override name="promoText" allow-html="safe"/>
+        <override name="promoText" allow-html="any"/>
     </service>
     <service name="deleteProductPromo" default-entity-name="ProductPromo" engine="simple"
                 location="component://product/script/org/ofbiz/product/promo/PromoServices.xml" invoke="deleteProductPromo" auth="true">

Modified: ofbiz/trunk/applications/workeffort/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/workeffort/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/applications/workeffort/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/workeffort/servicedef/services.xml Mon Oct 28 12:12:43 2013
@@ -35,8 +35,8 @@ under the License.
             <exclude field-name="lastModifiedDate"/>
             <exclude field-name="lastModifiedByUserLogin"/>
         </auto-attributes>
-        <override name="workEffortName" allow-html="safe"/>
-        <override name="description" allow-html="safe"/>
+        <override name="workEffortName" allow-html="any"/>
+        <override name="description" allow-html="any"/>
     </service>
     <service name="createWorkEffort" default-entity-name="WorkEffort" engine="simple"
         location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" invoke="createWorkEffort">
@@ -50,9 +50,9 @@ under the License.
         <attribute name="communicationEventId" type="String" mode="IN" optional="true"/>
         <attribute name="webSiteId" type="String" mode="IN" optional="true"/><!-- for notification services -->
         <override name="workEffortTypeId" optional="false"/>
-        <override name="workEffortName" optional="false" allow-html="safe"/>
+        <override name="workEffortName" optional="false" allow-html="any"/>
         <override name="currentStatusId" optional="false"/>
-        <override name="description" allow-html="safe"/>
+        <override name="description" allow-html="any"/>
     </service>
     <service name="createWorkEffortAndPartyAssign" default-entity-name="WorkEffort" engine="simple"
         location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" invoke="createWorkEffortAndPartyAssign">
@@ -429,7 +429,7 @@ under the License.
         <auto-attributes include="pk" mode="IN" optional="false" entity-name="CustRequestWorkEffort"/>
         <auto-attributes include="all" mode="IN" optional="true" entity-name="CustRequest"/>
         <override name="custRequestId" optional="true" mode="INOUT"/>
-        <override name="description" allow-html="safe"/>
+        <override name="description" allow-html="any"/>
     </service>
     <service name="deleteWorkEffortRequest" engine="simple" location="component://workeffort/script/org/ofbiz/workeffort/workeffort/WorkEffortSimpleServices.xml" invoke="deleteWorkEffortRequest" auth="true">
         <description>Deletes a CustRequestWorkEffort</description>

Modified: ofbiz/trunk/framework/common/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/servicedef/services.xml (original)
+++ ofbiz/trunk/framework/common/servicedef/services.xml Mon Oct 28 12:12:43 2013
@@ -63,7 +63,7 @@ under the License.
         <description>Create a new note record</description>
         <attribute name="partyId" type="String" mode="INOUT" optional="true"/>
         <attribute name="noteName" type="String" mode="IN" optional="true"/>
-        <attribute name="note" type="String" mode="IN" allow-html="safe"/>
+        <attribute name="note" type="String" mode="IN" allow-html="any"/>
         <attribute name="noteId" type="String" mode="OUT"/>
     </service>
     
@@ -72,7 +72,7 @@ under the License.
         <description>Update a note record</description>
         <auto-attributes include="pk" mode="INOUT" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
-        <override name="noteInfo" allow-html="safe"/>
+        <override name="noteInfo" allow-html="any"/>
     </service>
     
     <service name="adjustDebugLevels" engine="java"
@@ -109,7 +109,7 @@ under the License.
         <auto-attributes include="pk" mode="OUT" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <override name="enumTypeId" optional="false"/>
-        <override name="description" optional="false" allow-html="safe"/>
+        <override name="description" optional="false" allow-html="any"/>
     </service>
     <service name="updateEnumeration" default-entity-name="Enumeration" engine="simple"
         location="component://common/script/org/ofbiz/common/EnumerationServices.xml" invoke="updateEnumeration" auth="true">
@@ -118,7 +118,7 @@ under the License.
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
         <override name="enumTypeId" optional="false"/>
-        <override name="description" optional="false" allow-html="safe"/>
+        <override name="description" optional="false" allow-html="any"/>
     </service>
     <service name="deleteEnumeration" default-entity-name="Enumeration" engine="entity-auto" invoke="delete" auth="true">
         <description>Delete a Enumeration</description>

Modified: ofbiz/trunk/framework/common/servicedef/services_email.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/servicedef/services_email.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/servicedef/services_email.xml (original)
+++ ofbiz/trunk/framework/common/servicedef/services_email.xml Mon Oct 28 12:12:43 2013
@@ -42,7 +42,7 @@ under the License.
         <attribute name="sendFailureNotification" mode="IN" type="Boolean" optional="true"/>
         <attribute name="sendPartial" mode="IN" type="Boolean" optional="true"/>
         <attribute name="startTLSEnabled" mode="IN" type="Boolean" optional="true"/>
-        <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="safe"/>
+        <attribute name="subject" type="String" mode="INOUT" optional="true" allow-html="any"/>
         <attribute name="contentType" type="String" mode="INOUT" optional="true"/>
         <attribute name="partyId" type="String" mode="INOUT" optional="true"/>
         <attribute name="messageId" type="String" mode="INOUT" optional="true"/>
@@ -56,7 +56,7 @@ under the License.
     <service name="sendMailOnePartInterface"  engine="interface" location="" invoke="">
         <description>Interface service for sendMail* services.</description>
         <implements service="sendMailInterface"/>
-        <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="safe"/>        
+        <attribute name="body" type="String" mode="INOUT" optional="false" allow-html="any"/>        
         <override name="contentType" mode="INOUT"/>
         <override name="subject" mode="INOUT" optional="false"/>
         <override name="emailType" type="String" mode="INOUT" optional="true"/>
@@ -98,12 +98,12 @@ under the License.
         <implements service="sendMailInterface"/>
         <attribute name="bodyUrl" type="String" mode="IN" optional="false"/>
         <attribute name="bodyUrlParameters" type="Map" mode="IN" optional="true"/>
-        <attribute name="body" type="String" mode="OUT" optional="false" allow-html="safe"/>
+        <attribute name="body" type="String" mode="OUT" optional="false" allow-html="any"/>
     </service>
     <service name="sendMailFromScreenInterface"  engine="interface" location="" invoke="">
         <description>Interface service for E-Mail sent From Screen Widget</description>
         <implements service="sendMailInterface"/>
-        <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/>
         <attribute name="bodyScreenUri" type="String" mode="IN" optional="true"/>
         <attribute name="xslfoAttachScreenLocation" type="String" mode="IN" optional="true"/>
         <attribute name="attachmentName" type="String" mode="IN" optional="true"/>
@@ -132,7 +132,7 @@ under the License.
         <implements service="sendMailInterface"/>
         <attribute name="emailTemplateSettingId" type="String" mode="IN" optional="false"/>
         <attribute name="partyIdTo" type="String" mode="IN" optional="true"/>
-        <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="bodyText" type="String" mode="IN" optional="true" allow-html="any"/>
         <attribute name="attachmentName" type="String" mode="IN" optional="true"/>
         <attribute name="bodyParameters" type="Map" mode="IN" optional="true"/>
         <attribute name="webSiteId" type="String" mode="IN" optional="true"/>
@@ -143,8 +143,8 @@ under the License.
             location="" invoke="">
         <description>Send Template Based Notification Service</description>
         <implements service="sendMailInterface"/>
-        <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="safe"/>
-        <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="body" type="String" mode="INOUT" optional="true" allow-html="any"/>
+        <attribute name="baseUrl" type="String" mode="IN" optional="true" allow-html="any"/>
         <attribute name="templateName" type="String" mode="IN" optional="false"/>
         <attribute name="templateData" type="Map" mode="IN" optional="true"/>
         <attribute name="webSiteId" type="String" mode="IN" optional="true"/>
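Review bot: `baseUrl` on the second changed line is a URL, yet it now carries `allow-html="any"`, which exempts it from the only input check this attribute controls. Unless a caller really passes markup here, removing the attribute (`<attribute name="baseUrl" type="String" mode="IN" optional="true"/>`) lets the default `none` check apply. The value presumably ends up in links inside notification mails, so it should also be encoded where the template renders it. The service definition starts above the hunk and continues below it.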
@@ -153,7 +153,7 @@ under the License.
             location="" invoke="">
         <description>Send Template Based Notification Service</description>
         <implements service="prepareNotificationInterface"/>
-        <attribute name="body" type="String" mode="IN" optional="true" allow-html="safe"/>
+        <attribute name="body" type="String" mode="IN" optional="true" allow-html="any"/>
         <attribute name="templateName" type="String" mode="IN" optional="false"/>
         <attribute name="templateData" type="Map" mode="IN" optional="true"/>
         <attribute name="webSiteId" type="String" mode="IN" optional="true"/>

Modified: ofbiz/trunk/framework/service/dtd/services.xsd
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/framework/service/dtd/services.xsd (original)
+++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Oct 28 12:12:43 2013
@@ -106,6 +106,7 @@ under the License.
                     If set to true and there is a transaction already in place the Service Engine will suspend that transaction, begin a new one just for this service, commit or rollback the local transaction when the service is complete, and will resume the original transaction.
                     If set to true and there is no transaction already in place it will just begin a transaction and manage it as would be done for a normal user-transaction=true.
                     If use-transaction=false this setting is ignored.
+                    Beware: using require-new-transaction=true in a service called (maybe not directly) by a pre-invoke or earlier event ( preprocessor, firstvisit and so on) is not yet supported.
                 </xs:documentation>
             </xs:annotation>
             <xs:simpleType>
@@ -348,11 +349,18 @@ under the License.
             </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="allow-html" use="optional" default="none">
-            <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element.</xs:documentation></xs:annotation>
+            <xs:annotation>
+                <xs:documentation>
+                    Applies only to String fields.
+                    Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc).
+                    Defaults to "none" meaning no HTML is allowed (will result in an error message).
+                    If some HTML is desired then use "any".
+                    There was previously "safe" but it's deprecated
+                </xs:documentation>
+            </xs:annotation>
             <xs:simpleType>
                 <xs:restriction base="xs:token">
                     <xs:enumeration value="any"/>
-                    <xs:enumeration value="safe"/>
                     <xs:enumeration value="none"/>
                 </xs:restriction>
             </xs:simpleType>
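Review bot: The new `allow-html` documentation drops the old caveat that `any` means the HTML content is not checked at all, and it does not say what happens to a definition that still uses `safe`. Both matter to someone writing a service definition, so I would add `"any" disables the HTML check entirely; the value must be encoded or sanitised wherever it is rendered.` and `"safe" is no longer accepted by this schema and is validated as "none" at runtime.` The second sentence follows from the ModelService.java hunk in this commit, where every value other than `any` goes through the strict check. The same wording is repeated in the hunks at -424 and -477. The log message says `safe` is kept for backward compatibility, but the enumeration value is removed here, so a third-party definition still using it will presumably fail schema validation; worth confirming that is intended.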
@@ -424,13 +432,12 @@ under the License.
                 Applies only to String fields.
                 Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc).
                 Defaults to "none" meaning no HTML is allowed (will result in an error message).
-                If some HTML is desired then use "safe" which will follow the rules in the antisamy-esapi.xml file. This should be safe for both internal and public users.
-                In rare cases when users are trusted or it is not a sensitive field the "any" option may be used to not check the HTML content at all.
+                If some HTML is desired then use "any".
+                There was previously "safe" but it's deprecated
             </xs:documentation></xs:annotation>
             <xs:simpleType>
                 <xs:restriction base="xs:token">
                     <xs:enumeration value="any"/>
-                    <xs:enumeration value="safe"/>
                     <xs:enumeration value="none"/>
                 </xs:restriction>
             </xs:simpleType>
@@ -477,11 +484,18 @@ under the License.
             </xs:simpleType>
         </xs:attribute>
         <xs:attribute name="allow-html" use="optional">
-            <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element. Note that it is slightly different here as there is no defualt.</xs:documentation></xs:annotation>
+            <xs:annotation>
+                <xs:documentation>
+                    Applies only to String fields.
+                    Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc).
+                    There is no default, "none" means no HTML is allowed (will result in an error message).
+                    If some HTML is desired then use "any".
+                    There was previously "safe" but it's deprecated
+                </xs:documentation>
+            </xs:annotation>
             <xs:simpleType>
                 <xs:restriction base="xs:token">
                     <xs:enumeration value="any"/>
-                    <xs:enumeration value="safe"/>
                     <xs:enumeration value="none"/>
                 </xs:restriction>
             </xs:simpleType>

Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Mon Oct 28 12:12:43 2013
@@ -575,18 +575,12 @@ public class ModelService extends Abstra
         // required and type validation complete, do allow-html validation
         if ("IN".equals(mode)) {
             List<String> errorMessageList = FastList.newInstance();
-            for (ModelParam modelParam: this.contextInfo.values()) {
-                if (context.get(modelParam.name) != null &&
-                        ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) &&
-                        !"any".equals(modelParam.allowHtml) &&
-                        ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) {
-                    // the param is a String, allow-html is none or safe, and we are looking at an IN parameter during input parameter validation
+            for (ModelParam modelParam : this.contextInfo.values()) {
+                // the param is a String, allow-html is not any, and we are looking at an IN parameter during input parameter validation
+                if (context.get(modelParam.name) != null && ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type))
+                        && !"any".equals(modelParam.allowHtml) && ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) {
                     String value = (String) context.get(modelParam.name);
-                    if ("none".equals(modelParam.allowHtml)) {
-                        StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList);
-                    } else if ("safe".equals(modelParam.allowHtml)) {
-                        StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList);
-                    }
+                    StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList);
                 }
             }
             if (errorMessageList.size() > 0) {
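Review bot: After this change every `allowHtml` value other than `any`, including a legacy `safe` or a typo, is validated with `checkStringForHtmlStrictNone`, which is a sensible fail-closed default but is only hinted at by the comment `allow-html is not any`. I would spell it out, e.g. `// every value other than "any" (including the deprecated "safe") is checked as "none"`. A warning logged when `safe` is encountered would help downstream components find definitions that now reject input they used to accept. As a minor style point, `context.get(modelParam.name)` is looked up twice, once in the condition and once for the cast. The enclosing method starts and ends outside the hunk.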

Modified: ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml?rev=1536324&r1=1536323&r2=1536324&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml (original)
+++ ofbiz/trunk/specialpurpose/ebaystore/servicedef/services.xml Mon Oct 28 12:12:43 2013
@@ -491,7 +491,7 @@ under the License.
         <attribute name="itemId" mode="IN" type="String" optional="false"/>
         <attribute name="listingType" mode="IN" type="String" optional="true"/>
         <attribute name="title" mode="IN" type="String" optional="true"/>
-        <attribute name="description" mode="IN" type="String" allow-html="safe"/>
+        <attribute name="description" mode="IN" type="String" allow-html="any"/>
         <attribute name="price" mode="IN" type="String" optional="true"/>
         <attribute name="currencyId" mode="IN" type="String" optional="true"/>
         <attribute mode="IN" name="imageData" optional="true" type="java.nio.ByteBuffer"/>