Author: jleroux
Date: Thu Jan 5 11:20:50 2017
New Revision: 1777448
URL: http://svn.apache.org/viewvc?rev=1777448&view=rev
Log:
Reverts previous commit which contained unexpected changes which were not yet ready to be committed. Only remains a not functional change, only formatting and imports cleaning of FormRenderer.java Sorry for the trouble
Modified:
ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java
ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java
ofbiz/trunk/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java
ofbiz/trunk/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java
ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java
ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java
ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java
ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java
ofbiz/trunk/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java
Modified: ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java (original)
+++ ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/content/ContentWorker.java Thu Jan 5 11:20:50 2017
@@ -335,22 +335,18 @@ public class ContentWorker implements or
 String mimeTypeId, boolean cache) throws GeneralException, IOException {
 Writer writer = new StringWriter();
 renderContentAsText(dispatcher, contentId, writer, templateContext, locale, mimeTypeId, null, null, cache);
- GenericValue content = EntityQuery.use(dispatcher.getDelegator()).from("Content").where("contentId", contentId).queryOne();
- String contentTypeId = content.getString("contentTypeId");
 String rendered = writer.toString();
 // According to https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
 // Normally head is protected by X-XSS-Protection Response Header by default
- if (!"REPORT".equals(contentTypeId)) { // FIXME here BIRT_REPORT_BUILDER_USAGE_POLICY should be used but I could not tweak it yet: the content of <script> are removed and should not. Also a more annoying no yet spotted issue with contentId dissapearing
- if (rendered.contains("<script>")
- || rendered.contains("<!--")
- || rendered.contains("<div")
- || rendered.contains("<style>")
- || rendered.contains("<span")
- || rendered.contains("<input")
- || rendered.contains("<iframe")
- || rendered.contains("<a")) {
- rendered = encoder.sanitize(rendered, contentTypeId);
- }
+ if (rendered.contains("<script>")
+ || rendered.contains("<!--")
+ || rendered.contains("<div")
+ || rendered.contains("<style>")
+ || rendered.contains("<span")
+ || rendered.contains("<input")
+ || rendered.contains("<iframe")
+ || rendered.contains("<a")) {
+ rendered = encoder.sanitize(rendered);
 }
 return rendered;
 }
Modified: ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- 
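Review bot: In the ContentWorker.java hunk, the retained gate `if (rendered.contains("<script>") || ... || rendered.contains("<a"))` decides whether `encoder.sanitize(rendered)` runs at all from a short, case-sensitive list of literal tag prefixes, so rendered output that carries markup spelled in another case or using any element not on that list is returned unsanitized. The OWASP reference quoted in the comment argues for sanitizing output unconditionally rather than fingerprinting it first; replacing the whole `if` with a plain `rendered = encoder.sanitize(rendered);` closes that gap at the cost of one extra pass over benign text. The enclosing method starts before the hunk, so its signature and Javadoc are not visible here.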
ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java (original)
+++ ofbiz/trunk/applications/content/src/main/java/org/apache/ofbiz/content/data/DataResourceWorker.java Thu Jan 5 11:20:50 2017
@@ -747,37 +747,12 @@ public class DataResourceWorker impleme
 } else {
 throw new GeneralException("The dataResource file [" + dataResourceId + "] could not be found");
 }
- } catch (SAXException | ParserConfigurationException e) {
+ } catch (SAXException e) {
 throw new GeneralException("Error rendering Screen template", e);
- } catch (TemplateException e) {
- throw new GeneralException("Error creating Screen renderer", e);
- }
- } else if ("FORM_COMBINED".equals(dataTemplateTypeId)){
- try {
- Map<String, Object> context = UtilGenerics.checkMap(templateContext.get("globalContext"));
- context.put("locale", locale);
- context.put("simpleEncoder", UtilCodec.getEncoder(UtilProperties.getPropertyValue("widget", "screen.encoder")));
- HttpServletRequest request = (HttpServletRequest) context.get("request");
- HttpServletResponse response = (HttpServletResponse) context.get("response");
- ModelForm modelForm = null;
- ModelReader entityModelReader = delegator.getModelReader();
- String formText = getDataResourceText(dataResource, targetMimeTypeId, locale, templateContext, delegator, cache);
- Document formXml = UtilXml.readXmlDocument(formText, true, true);
- Map<String, ModelForm> modelFormMap = FormFactory.readFormDocument(formXml, entityModelReader, dispatcher.getDispatchContext(), null);
-
- if (UtilValidate.isNotEmpty(modelFormMap)) {
- Map.Entry<String, ModelForm> entry = modelFormMap.entrySet().iterator().next(); // get first entry, only one form allowed per file
- modelForm = entry.getValue();
- }
- MacroFormRenderer renderer = new MacroFormRenderer(formrenderer, request, response);
- FormRenderer formRenderer = new FormRenderer(modelForm, renderer);
- formRenderer.render(out, context);
- } catch (SAXException | ParserConfigurationException e) {
+ } catch (ParserConfigurationException e) {
 throw new GeneralException("Error rendering Screen template", e);
 } catch (TemplateException e) {
 throw new GeneralException("Error creating Screen renderer", e);
- } catch (Exception e) {
- throw new GeneralException("Error rendering Screen template", e);
 }
 } else {
 throw new GeneralException("The dataTemplateTypeId [" + dataTemplateTypeId + "] is not yet supported");
Modified: ofbiz/trunk/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java (original)
+++ ofbiz/trunk/applications/order/src/main/java/org/apache/ofbiz/order/order/OrderContentWrapper.java Thu Jan 5 11:20:50 2017
@@ -111,7 +111,7 @@ public class OrderContentWrapper impleme
 if (UtilValidate.isEmpty(outString)) {
 outString = outString == null? "" : outString;
 }
- outString = encoder.sanitize(outString, null);
+ outString = encoder.sanitize(outString);
 if (orderContentCache != null) {
 orderContentCache.put(cacheKey, outString);
 }
Modified: ofbiz/trunk/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java (original)
+++ ofbiz/trunk/applications/party/src/main/java/org/apache/ofbiz/party/content/PartyContentWrapper.java Thu Jan 5 11:20:50 2017
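Review bot: In the DataResourceWorker.java hunk, the two retained catch arms for SAXException and ParserConfigurationException rethrow with the bare message "Error rendering Screen template", while the not-found branch a few lines above already names the failing resource via `dataResourceId`; carrying that id in the wrapped message makes the failure traceable in logs without a debugger. Both arms (and the TemplateException arm between them) could read `throw new GeneralException("Error rendering Screen template for dataResource [" + dataResourceId + "]", e);`. The enclosing try block and method begin before the hunk, so whether `dataResourceId` is still in scope at the catch is inferred from the not-found branch, not confirmed here.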
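Review bot: In the OrderContentWrapper.java hunk, the guard `if (UtilValidate.isEmpty(outString)) { outString = outString == null? "" : outString; }` nests a ternary inside a condition that, if `UtilValidate.isEmpty` is the usual null-or-empty test, already covers the non-null case, so the only effect is null-to-empty normalisation. Writing it as `if (outString == null) { outString = ""; }` states that intent directly and removes the redundant branch. The enclosing method starts before the hunk.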
@@ -168,7 +168,7 @@ public class PartyContentWrapper impleme
 outString = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
 outString = outString == null? "" : outString;
 }
- outString = encoder.sanitize(outString, null);
+ outString = encoder.sanitize(outString);
 if (partyContentCache != null) {
 partyContentCache.put(cacheKey, outString);
 }
@@ -176,11 +176,11 @@ public class PartyContentWrapper impleme
 } catch (GeneralException e) {
 Debug.logError(e, "Error rendering PartyContent, inserting empty String", module);
 String candidateOut = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 } catch (IOException e) {
 Debug.logError(e, "Error rendering PartyContent, inserting empty String", module);
 String candidateOut = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 }
 }
Modified: ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java (original)
+++ ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/category/CategoryContentWrapper.java Thu Jan 5 11:20:50 2017
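Review bot: In the second PartyContentWrapper.java hunk (`@@ -176,11 +176,11 @@`), the GeneralException and IOException catch arms are identical apart from the exception type: same `Debug.logError` message, same `candidateOut` fallback from the entity field, same `encoder.sanitize(candidateOut)` return. A multi-catch `} catch (GeneralException | IOException e) {` keeps a single copy of the fallback, so a later change to how the fallback is sanitized cannot drift between the two arms. The same duplicated pair appears in the corresponding hunks of ProductConfigItemContentWrapper.java, ProductContentWrapper.java, ProductPromoContentWrapper.java and WorkEffortContentWrapper.java below. The enclosing method starts before the hunk.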
@@ -110,7 +110,7 @@ public class CategoryContentWrapper impl
 outString = productCategory.getModelEntity().isField(candidateFieldName) ? productCategory.getString(candidateFieldName): "";
 outString = outString == null? "" : outString;
 }
- outString = encoder.sanitize(outString, null);
+ outString = encoder.sanitize(outString);
 if (categoryContentCache != null) {
 categoryContentCache.put(cacheKey, outString);
 }
Modified: ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java (original)
+++ ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/config/ProductConfigItemContentWrapper.java Thu Jan 5 11:20:50 2017
@@ -133,7 +133,7 @@ public class ProductConfigItemContentWra
 outString = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
 outString = outString == null? "" : outString;
 }
- outString = encoder.sanitize(outString, null);
+ outString = encoder.sanitize(outString);
 if (configItemContentCache != null) {
 configItemContentCache.put(cacheKey, outString);
 }
@@ -141,11 +141,11 @@ public class ProductConfigItemContentWra
 } catch (GeneralException e) {
 Debug.logError(e, "Error rendering ProdConfItemContent, inserting empty String", module);
 String candidateOut = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 } catch (IOException e) {
 Debug.logError(e, "Error rendering ProdConfItemContent, inserting empty String", module);
 String candidateOut = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 }
 }
Modified: ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java (original)
+++ ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductContentWrapper.java Thu Jan 5 11:20:50 2017
@@ -123,7 +123,7 @@ public class ProductContentWrapper imple
 outString = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
 outString = outString == null? "" : outString;
 }
- outString = encoder.sanitize(outString, null);
+ outString = encoder.sanitize(outString);
 if (productContentCache != null) {
 productContentCache.put(cacheKey, outString);
 }
@@ -131,11 +131,11 @@ public class ProductContentWrapper imple
 } catch (GeneralException e) {
 Debug.logError(e, "Error rendering ProductContent, inserting empty String", module);
 String candidateOut = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 } catch (IOException e) {
 Debug.logError(e, "Error rendering ProductContent, inserting empty String", module);
 String candidateOut = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 }
 }
Modified: ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java (original)
+++ ofbiz/trunk/applications/product/src/main/java/org/apache/ofbiz/product/product/ProductPromoContentWrapper.java Thu Jan 5 11:20:50 2017
@@ -128,7 +128,7 @@ public class ProductPromoContentWrapper
 outString = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
 outString = outString == null? "" : outString;
 }
- outString = encoder.sanitize(outString, null);
+ outString = encoder.sanitize(outString);
 if (productPromoContentCache != null) {
 productPromoContentCache.put(cacheKey, outString);
 }
@@ -136,11 +136,11 @@ public class ProductPromoContentWrapper
 } catch (GeneralException e) {
 Debug.logError(e, "Error rendering ProductPromoContent, inserting empty String", module);
 String candidateOut = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 } catch (IOException e) {
 Debug.logError(e, "Error rendering ProductPromoContent, inserting empty String", module);
 String candidateOut = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 }
 }
Modified: ofbiz/trunk/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java?rev=1777448&r1=1777447&r2=1777448&view=diff
==============================================================================
--- ofbiz/trunk/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java (original)
+++ ofbiz/trunk/applications/workeffort/src/main/java/org/apache/ofbiz/workeffort/content/WorkEffortContentWrapper.java Thu Jan 5 11:20:50 2017
@@ -256,7 +256,7 @@ public class WorkEffortContentWrapper im
 outString = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
 outString = outString == null? "" : outString;
 }
- outString = encoder.sanitize(outString, null);
+ outString = encoder.sanitize(outString);
 if (workEffortContentCache != null) {
 workEffortContentCache.put(cacheKey, outString);
 }
@@ -264,11 +264,11 @@ public class WorkEffortContentWrapper im
 } catch (GeneralException e) {
 Debug.logError(e, "Error rendering WorkEffortContent, inserting empty String", module);
 String candidateOut = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 } catch (IOException e) {
 Debug.logError(e, "Error rendering WorkEffortContent, inserting empty String", module);
 String candidateOut = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
- return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
+ return candidateOut == null? "" : encoder.sanitize(candidateOut);
 }
 }
|