Author: jonesde
Date: Sat Feb 7 08:56:19 2009 New Revision: 741857 URL: http://svn.apache.org/viewvc?rev=741857&view=rev Log: Added general usage of ESAPI HTML and XML encoding for the form widget; removed the old partially implemented use of the StringEscapeUtils stuff; includes attribute on the form field element called encode-output that is true by default so if HTML encoding is not desired then must be set to false Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java ofbiz/trunk/framework/widget/dtd/widget-form.xsd ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java ofbiz/trunk/framework/widget/src/org/ofbiz/widget/html/HtmlFormRenderer.java ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenFopViewHandler.java ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenWidgetViewHandler.java ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenXmlViewHandler.java Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=741857&r1=741856&r2=741857&view=diff ============================================================================== --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java (original) +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java Sat Feb 7 08:56:19 2009 @@ -25,6 +25,7 @@ import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.net.URLEncoder; +import java.util.Arrays; import java.util.Iterator; import java.util.List; import java.util.Map; 
@@ -35,6 +36,13 @@ import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.binary.Hex; +import org.owasp.esapi.Encoder; +import org.owasp.esapi.codecs.CSSCodec; +import org.owasp.esapi.codecs.Codec; +import org.owasp.esapi.codecs.HTMLEntityCodec; +import org.owasp.esapi.codecs.JavaScriptCodec; +import org.owasp.esapi.codecs.PercentCodec; +import org.owasp.esapi.reference.DefaultEncoder; /** * Misc String Utility Functions 
@@ -44,6 +52,36 @@ public static final String module = StringUtil.class.getName(); + /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */ + public static final boolean esapiCanonicalizeStrict = false; + public static final Encoder defaultWebEncoder; + //public static final Validator defaultWebValidator; + static { + // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec + List<Codec> codecList = Arrays.asList(new CSSCodec(), new HTMLEntityCodec(), new JavaScriptCodec(), new PercentCodec()); + defaultWebEncoder = new DefaultEncoder(codecList); + //defaultWebValidator = new DefaultValidator(); + } + + public static final SimpleEncoder htmlEncoder = new HtmlEncoder(); + public static final SimpleEncoder xmlEncoder = new XmlEncoder(); + + public static interface SimpleEncoder { + public String encode(String original); + } + + public static class HtmlEncoder implements SimpleEncoder { + public String encode(String original) { + return StringUtil.defaultWebEncoder.encodeForHTML(original); + } + } + + public static class XmlEncoder implements SimpleEncoder { + public String encode(String original) { + return StringUtil.defaultWebEncoder.encodeForXML(original); + } + } + public static String internString(String value) { return value != null ? value.intern() : null; } Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java?rev=741857&r1=741856&r2=741857&view=diff ============================================================================== --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java (original) +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java Sat Feb 7 08:56:19 2009 
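Review bot: The new `SimpleEncoder` interface and its `HtmlEncoder`/`XmlEncoder` implementations carry no Javadoc, yet they are the single point that decides what "encoded" means for every form field, and callers (the `value="..."` attribute and `<textarea>` body in HtmlFormRenderer) need to know the contract covers both element content and quoted attribute values. I would add on `SimpleEncoder.encode`: `/** Encodes {@code original} so it can be written as literal text (element content or a quoted attribute value) in the renderer's target markup; a null argument is passed through to the underlying ESAPI encoder, whose null handling is not specified here. */`. Since the two implementations are stateless delegations to `defaultWebEncoder`, declaring them `final` would also signal that nothing is meant to subclass them. Note that the codec list passed to `DefaultEncoder` affects `canonicalize` (used from UtilHttp.canonicalizeParameter), not `encodeForHTML`/`encodeForXML`, so a comment saying so next to `codecList` would save the next reader from wondering why CSS/JavaScript codecs are registered on an encoder only used for HTML and XML output.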
@@ -52,14 +52,7 @@ import javolution.util.FastList; import javolution.util.FastMap; -import org.owasp.esapi.Encoder; -import org.owasp.esapi.codecs.CSSCodec; -import org.owasp.esapi.codecs.Codec; -import org.owasp.esapi.codecs.HTMLEntityCodec; -import org.owasp.esapi.codecs.JavaScriptCodec; -import org.owasp.esapi.codecs.PercentCodec; import org.owasp.esapi.errors.EncodingException; -import org.owasp.esapi.reference.DefaultEncoder; /** * HttpUtil - Misc HTTP Utility Functions @@ -68,17 +61,6 @@ public static final String module = UtilHttp.class.getName(); - /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */ - public static final boolean esapiCanonicalizeStrict = false; - public static final Encoder defaultWebEncoder; - //public static final Validator defaultWebValidator; - static { - // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec - List<Codec> codecList = Arrays.asList(new CSSCodec(), new HTMLEntityCodec(), new JavaScriptCodec(), new PercentCodec()); - defaultWebEncoder = new DefaultEncoder(codecList); - //defaultWebValidator = new DefaultValidator(); - } - public static final String MULTI_ROW_DELIMITER = "_o_"; public static final String ROW_SUBMIT_PREFIX = "_rowSubmit_o_"; public static final String COMPOSITE_DELIMITER = "_c_"; @@ -263,7 +245,7 @@ public static String canonicalizeParameter(String paramValue) { try { - String cannedStr = defaultWebEncoder.canonicalize(paramValue, esapiCanonicalizeStrict); + String cannedStr = StringUtil.defaultWebEncoder.canonicalize(paramValue, StringUtil.esapiCanonicalizeStrict); if (Debug.verboseOn()) Debug.logVerbose("Canonicalized parameter with " + (cannedStr.equals(paramValue) ? "no " : "") + "change: original [" + paramValue + "] canned [" + cannedStr + "]", module); return cannedStr; } catch (EncodingException e) { 
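Review bot: Removing the public `UtilHttp.esapiCanonicalizeStrict` and `UtilHttp.defaultWebEncoder` fields is an API change, and the diff only shows UtilHttp's own references being redirected to `StringUtil`; any other module that referenced them will now fail to compile, so it is worth either checking the rest of the tree or keeping deprecated forwarding constants in UtilHttp for one release. After the static block is gone, the `java.util.Arrays` and `java.util.List` imports in UtilHttp may be unused (they are not visible in this chunk, so I cannot confirm). The `canonicalizeParameter` context line that follows logs both the raw and canonicalized parameter at verbose level; that is pre-existing behaviour, but since it now lives next to the moved code it may be a good moment to note in a comment that this log line echoes untrusted request input verbatim and should stay at verbose.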
@@ -748,7 +730,7 @@ } } try { - buf.append(defaultWebEncoder.encodeForURL(name)); + buf.append(StringUtil.defaultWebEncoder.encodeForURL(name)); } catch (EncodingException e) { Debug.logError(e, module); } @@ -759,7 +741,7 @@ } */ buf.append('='); try { - buf.append(defaultWebEncoder.encodeForURL(valueStr)); + buf.append(StringUtil.defaultWebEncoder.encodeForURL(valueStr)); } catch (EncodingException e) { Debug.logError(e, module); } Modified: ofbiz/trunk/framework/widget/dtd/widget-form.xsd URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/dtd/widget-form.xsd?rev=741857&r1=741856&r2=741857&view=diff ============================================================================== --- ofbiz/trunk/framework/widget/dtd/widget-form.xsd (original) +++ ofbiz/trunk/framework/widget/dtd/widget-form.xsd Sat Feb 7 08:56:19 2009 
@@ -454,9 +454,21 @@ </xs:restriction> </xs:simpleType> </xs:attribute> - <xs:attribute type="xs:string" name="use-when"> + <xs:attribute name="use-when" type="xs:string"> <xs:annotation><xs:documentation>Used to specify a condition that must be true to use this field; the condition should be written using the Java syntax and can operate on values in the form context; if this is used the field will only be put on the field list, and not in the field map meaning that values for this field cannot be overridden.</xs:documentation></xs:annotation> </xs:attribute> + <xs:attribute name="encode-output" default="true"> + <xs:annotation><xs:documentation> + This is for textual output only. If true data shown in fields will be encoded so that it does not interfere with markup of the target output. + For example, if output is HTML then data presented will be HTML encoded so that all HTML-specific characters are escaped. + </xs:documentation></xs:annotation> + <xs:simpleType> + <xs:restriction base="xs:token"> + <xs:enumeration value="true"/> + <xs:enumeration value="false"/> + </xs:restriction> + </xs:simpleType> + </xs:attribute> <xs:attribute type="xs:string" name="event"> <xs:annotation><xs:documentation>Used to specify javascript events that should be attached to fields.</xs:documentation></xs:annotation> </xs:attribute> Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java?rev=741857&r1=741856&r2=741857&view=diff ============================================================================== --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java (original) +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/ModelFormField.java Sat Feb 7 08:56:19 2009 
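Review bot: The `encode-output` documentation describes what `true` does but not the consequence of `false`, which is the only reason anyone would set it: with this commit HtmlFormRenderer no longer escapes field values itself, so `encode-output="false"` writes the field value verbatim into the attribute or element body. I would add a sentence to the annotation such as: `If false the value is written to the output exactly as it is in the context, so it must already be safe for the target markup; only set this to false for values that are known to contain intentional markup and never for user-supplied data.` It is also worth stating that encoding is applied only when the rendering context supplies an encoder (the view handlers in this commit do), so that form definitions used from other rendering paths are not assumed to be protected.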
@@ -38,6 +38,7 @@ import org.ofbiz.base.util.Debug; import org.ofbiz.base.util.GeneralException; import org.ofbiz.base.util.ObjectType; +import org.ofbiz.base.util.StringUtil; import org.ofbiz.base.util.UtilDateTime; import org.ofbiz.base.util.UtilFormatOut; import org.ofbiz.base.util.UtilGenerics; @@ -62,6 +63,9 @@ import org.ofbiz.service.ModelParam; import org.ofbiz.service.ModelService; import org.ofbiz.widget.form.ModelForm.UpdateArea; +import org.owasp.esapi.ESAPI; +import org.owasp.esapi.Encoder; +import org.owasp.esapi.codecs.Codec; import org.w3c.dom.Element; import bsh.EvalError; @@ -97,9 +101,10 @@ protected String sortFieldDescStyle; protected Integer position = null; protected String redWhen; + protected FlexibleStringExpander useWhen; + protected boolean encodeOutput = true; protected String event; protected FlexibleStringExpander action; - protected FlexibleStringExpander useWhen; protected FieldInfo fieldInfo = null; protected String idName; 
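Review bot: The three `org.owasp.esapi` imports added to ModelFormField (`ESAPI`, `Encoder`, `Codec`) are not referenced by any line of this file's hunks; the encoding code in `getEntry` only uses `StringUtil.SimpleEncoder`. If nothing outside the shown hunks uses them they should be dropped, so that the widget module depends on ESAPI only through `StringUtil` and the encoder implementation can be swapped in one place. The reorder that moves `useWhen` next to the new `encodeOutput` field is fine; a one-line comment on the field, `// when true, getEntry encodes the value with the context's simpleEncoder (form attribute encode-output, default true)`, would tell the reader where the flag takes effect.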
@@ -143,13 +148,12 @@ this.sortFieldAscStyle = fieldElement.getAttribute("sort-field-asc-style"); this.sortFieldDescStyle = fieldElement.getAttribute("sort-field-desc-style"); this.redWhen = fieldElement.getAttribute("red-when"); + this.setUseWhen(fieldElement.getAttribute("use-when")); + this.encodeOutput = !"false".equals(fieldElement.getAttribute("encode-output")); this.event = fieldElement.getAttribute("event"); this.setAction(fieldElement.hasAttribute("action")? fieldElement.getAttribute("action"): null); - this.setUseWhen(fieldElement.getAttribute("use-when")); this.idName = fieldElement.getAttribute("id-name"); - String sepColumns = fieldElement.getAttribute("separate-column"); - if (sepColumns != null && sepColumns.equalsIgnoreCase("true")) - separateColumn = true; + this.separateColumn = "true".equals(fieldElement.getAttribute("separate-column")); this.requiredField = fieldElement.hasAttribute("required-field") ? "true".equals(fieldElement.getAttribute("required-field")) : null; this.sortField = fieldElement.hasAttribute("sort-field") ? "true".equals(fieldElement.getAttribute("sort-field")) : null; this.headerLink = fieldElement.getAttribute("header-link"); @@ -658,13 +662,14 @@ * the context. * * @param context + * @param encoder * @return */ public String getEntry(Map<String, Object> context) { return this.getEntry(context, ""); } - public String getEntry(Map<String, Object> context, String defaultValue) { + public String getEntry(Map<String, Object> context , String defaultValue) { Boolean isError = (Boolean) context.get("isError"); Boolean useRequestParameters = (Boolean) context.get("useRequestParameters"); 
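Review bot: The Javadoc added in the second hunk documents `@param encoder`, but neither `getEntry` overload has a parameter of that name (the encoder is pulled from `context.get("simpleEncoder")`), and the same hunk introduces a stray space in the signature `context , String defaultValue`. I would replace the tag with `@param defaultValue value returned when no entry is found in the context or request parameters` and restore `Map<String, Object> context, String defaultValue`. Separately, `separateColumn` is now set with `"true".equals(...)` where the removed code used `equalsIgnoreCase`, so a form declaring `separate-column="TRUE"` silently changes behaviour; that is acceptable if the schema restricts the attribute to lowercase tokens, but it is a behaviour change not mentioned in the log message and deserves a mention or the old case-insensitive comparison.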
@@ -673,6 +678,8 @@ TimeZone timeZone = (TimeZone) context.get("timeZone"); if (timeZone == null) timeZone = TimeZone.getDefault(); + String returnValue; + // if useRequestParameters is TRUE then parameters will always be used, if FALSE then parameters will never be used // if isError is TRUE and useRequestParameters is not FALSE (ie is null or TRUE) then parameters will be used if ((Boolean.TRUE.equals(isError) && !Boolean.FALSE.equals(useRequestParameters)) || (Boolean.TRUE.equals(useRequestParameters))) { @@ -682,14 +689,14 @@ if (parameters != null && parameters.get(parameterName) != null) { Object parameterValue = parameters.get(parameterName); if (parameterValue instanceof String) { - return (String) parameterValue; + returnValue = (String) parameterValue; } else { // we might want to do something else here in the future, but for now this is probably best Debug.logWarning("Found a non-String parameter value for field [" + this.getModelForm().getName() + "." + this.getFieldName() + "]", module); - return defaultValue; + returnValue = defaultValue; } } else { - return defaultValue; + returnValue = defaultValue; } } else { //Debug.logInfo("Getting entry, isError false so getting from Map in context for field " + this.getName() + " of form " + this.modelForm.getName(), module); 
@@ -736,26 +743,34 @@ if (retVal instanceof Double || retVal instanceof Float || retVal instanceof BigDecimal) { NumberFormat nf = NumberFormat.getInstance(locale); nf.setMaximumFractionDigits(10); - return nf.format(retVal); + returnValue = nf.format(retVal); } else if (retVal instanceof java.sql.Date) { DateFormat df = UtilDateTime.toDateFormat(UtilDateTime.DATE_FORMAT, timeZone, null); - return df.format((java.util.Date) retVal); + returnValue = df.format((java.util.Date) retVal); } else if (retVal instanceof java.sql.Time) { DateFormat df = UtilDateTime.toTimeFormat(UtilDateTime.TIME_FORMAT, timeZone, null); - return df.format((java.util.Date) retVal); + returnValue = df.format((java.util.Date) retVal); } else if (retVal instanceof java.sql.Timestamp) { DateFormat df = UtilDateTime.toDateTimeFormat(UtilDateTime.DATE_TIME_FORMAT, timeZone, null); - return df.format((java.util.Date) retVal); + returnValue = df.format((java.util.Date) retVal); } else if (retVal instanceof java.util.Date) { DateFormat df = UtilDateTime.toDateTimeFormat("EEE MMM dd hh:mm:ss z yyyy", timeZone, null); - return df.format((java.util.Date) retVal); + returnValue = df.format((java.util.Date) retVal); } else { - return retVal.toString(); + returnValue = retVal.toString(); } } else { - return defaultValue; + returnValue = defaultValue; + } + } + + if (this.getEncodeOutput() && returnValue != null) { + StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder"); + if (simpleEncoder != null) { + returnValue = simpleEncoder.encode(returnValue); } } + return returnValue; } public Map<String, ? extends Object> getMap(Map<String, ? extends Object> context) { 
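Review bot: When `encodeOutput` is true but the context holds no `simpleEncoder`, the new tail of `getEntry` returns the raw value, and because HtmlFormRenderer no longer calls `StringEscapeUtils.escapeHtml` (its four hunks at the start of the next file section), any rendering path that does not go through the three view handlers changed in this commit now writes context and request-parameter data unescaped into `value="..."` attributes and `<textarea>` bodies. The safer default is to treat a missing encoder as a configuration error rather than as permission to emit raw data: log it and fall back to `StringUtil.htmlEncoder` (which fallback is right for XML/FO renderers is debatable, but silently emitting raw data is not). A second consequence to consider is that every caller of `getEntry` now receives the encoded string, including non-display callers such as the timestamp validity check in hunk `@@ -893` below and, presumably, renderer code that compares a field value against option keys; those may want an un-encoded accessor. The body of `getEntry` starts outside this hunk.
```java
        // … unchanged: lookup and formatting of the value into returnValue …
        if (this.getEncodeOutput() && returnValue != null) {
            StringUtil.SimpleEncoder simpleEncoder = (StringUtil.SimpleEncoder) context.get("simpleEncoder");
            if (simpleEncoder == null) {
                // Encoding was requested for this field but the renderer supplied no encoder; fail safe instead of emitting raw data.
                Debug.logWarning("No simpleEncoder in context for field [" + this.getModelForm().getName() + "." + this.getFieldName() + "]; defaulting to HTML encoding", module);
                simpleEncoder = StringUtil.htmlEncoder;
            }
            returnValue = simpleEncoder.encode(returnValue);
        }
        return returnValue;
```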
@@ -893,7 +908,7 @@ java.sql.Timestamp timestampVal = null; //now before going on, check to see if the current entry is a valid date and/or time and get the value - String value = this.getEntry(context); + String value = this.getEntry(context, null); try { timestampVal = java.sql.Timestamp.valueOf(value); } catch (Exception e) { @@ -1068,12 +1083,16 @@ } public String getUseWhen(Map<String, Object> context) { - if (useWhen != null && !useWhen.isEmpty()) { - return useWhen.expandString(context); + if (this.useWhen != null && !this.useWhen.isEmpty()) { + return this.useWhen.expandString(context); } else { return ""; } } + + public boolean getEncodeOutput() { + return this.encodeOutput; + } public String getIdName() { if (UtilValidate.isNotEmpty(idName)) { @@ -1290,6 +1309,10 @@ public void setUseWhen(String string) { this.useWhen = FlexibleStringExpander.getInstance(string); } + + public void setEncodeOutput(boolean encodeOutput) { + this.encodeOutput = encodeOutput; + } /** * @param string Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/html/HtmlFormRenderer.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/html/HtmlFormRenderer.java?rev=741857&r1=741856&r2=741857&view=diff ============================================================================== --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/html/HtmlFormRenderer.java (original) +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/html/HtmlFormRenderer.java Sat Feb 7 08:56:19 2009 @@ -35,7 +35,6 @@ import javolution.util.FastList; -import org.apache.commons.lang.StringEscapeUtils; import org.ofbiz.base.util.Debug; import org.ofbiz.base.util.UtilGenerics; import org.ofbiz.base.util.UtilHttp; 
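Review bot: The date/time validity check in the first hunk now feeds the result of `getEntry(context, null)` straight into `java.sql.Timestamp.valueOf(value)`, but with this commit `getEntry` returns the value after it has been passed through the context's encoder whenever `encode-output` is true. As far as I recall ESAPI's HTML and XML codecs encode every character outside a small immune set (letters, digits, and a few punctuation characters), so the `:` and possibly other characters in a timestamp string would come back as entities and the parse would always fail, which would turn this check into a no-op; please verify against the ESAPI version in use. If that is the case, a raw (un-encoded) accessor for validation purposes, or performing this check before encoding, is needed. The new `getEncodeOutput()` getter in the second hunk would also benefit from Javadoc: `/** Whether getEntry encodes the value for the current renderer's markup; set from the form field's encode-output attribute, default true. */`.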
@@ -386,7 +385,7 @@ String value = modelFormField.getEntry(context, textField.getDefaultValue(context)); if (UtilValidate.isNotEmpty(value)) { writer.append(" value=\""); - writer.append(StringEscapeUtils.escapeHtml(value)); + writer.append(value); writer.append('"'); } @@ -484,7 +483,7 @@ String value = modelFormField.getEntry(context, textareaField.getDefaultValue(context)); if (UtilValidate.isNotEmpty(value)) { - writer.append(StringEscapeUtils.escapeHtml(value)); + writer.append(value); } writer.append("</textarea>"); @@ -1220,7 +1219,7 @@ if (UtilValidate.isNotEmpty(value)) { writer.append(" value=\""); - writer.append(StringEscapeUtils.escapeHtml(value)); + writer.append(value); writer.append('"'); } @@ -2580,7 +2579,7 @@ String value = modelFormField.getEntry(context, textField.getDefaultValue(context)); if (UtilValidate.isNotEmpty(value)) { writer.append(" value=\""); - writer.append(StringEscapeUtils.escapeHtml(value)); + writer.append(value); writer.append('"'); } Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenFopViewHandler.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenFopViewHandler.java?rev=741857&r1=741856&r2=741857&view=diff ============================================================================== --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenFopViewHandler.java (original) +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenFopViewHandler.java Sat Feb 7 08:56:19 2009 @@ -28,6 +28,7 @@ import org.apache.fop.apps.Fop; import org.ofbiz.base.util.Debug; +import org.ofbiz.base.util.StringUtil; import org.ofbiz.webapp.view.AbstractViewHandler; import org.ofbiz.webapp.view.ApacheFopWorker; import org.ofbiz.webapp.view.ViewHandlerException; 
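Review bot: After this change the four `writer.append(value)` lines (hunks `@@ -386`, `@@ -484`, `@@ -1220`, `@@ -2580`) look, to a reader of this file alone, like unescaped output into an HTML attribute or element, because the renderer no longer does any escaping itself and the protection now depends on two things outside this class: the field's `encode-output` setting and a `simpleEncoder` being present in the rendering context. I would put the same comment on each of the four lines so the next maintainer does not "fix" it with a second round of escaping or, worse, treat it as a pattern to copy: `// value is already encoded by ModelFormField.getEntry when encode-output is true and the context supplies a simpleEncoder; do not escape again here`. I cannot see the rest of this renderer in the diff, so whether other output paths in it obtain values without going through `getEntry` is something to check separately. The enclosing methods of all four hunks begin and end outside the shown lines.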
@@ -66,6 +67,7 @@ // this is the object used to render forms from their definitions screens.getContext().put("formStringRenderer", new FoFormRenderer(request, response)); + screens.getContext().put("simpleEncoder", StringUtil.xmlEncoder); screens.render(page); } catch (Exception e) { renderError("Problems with the response writer/output stream", e, request, response); Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenWidgetViewHandler.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenWidgetViewHandler.java?rev=741857&r1=741856&r2=741857&view=diff ============================================================================== --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenWidgetViewHandler.java (original) +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenWidgetViewHandler.java Sat Feb 7 08:56:19 2009 @@ -29,14 +29,15 @@ import javax.xml.parsers.ParserConfigurationException; import org.ofbiz.base.util.GeneralException; +import org.ofbiz.base.util.StringUtil; import org.ofbiz.base.util.UtilJ2eeCompat; import org.ofbiz.base.util.UtilProperties; import org.ofbiz.base.util.UtilValidate; import org.ofbiz.base.util.template.FreeMarkerWorker; import org.ofbiz.webapp.view.AbstractViewHandler; import org.ofbiz.webapp.view.ViewHandlerException; -import org.ofbiz.widget.html.HtmlScreenRenderer; import org.ofbiz.widget.html.HtmlFormRenderer; +import org.ofbiz.widget.html.HtmlScreenRenderer; import org.xml.sax.SAXException; import freemarker.template.TemplateModelException; 
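Review bot: The context key `"simpleEncoder"` is now written as a bare string literal in ScreenFopViewHandler here and in ScreenWidgetViewHandler and ScreenXmlViewHandler in the next section, and read as the same literal in `ModelFormField.getEntry`; a typo in any one of the four silently disables encoding for that renderer rather than failing. A shared constant on the class that consumes it, for example `public static final String SIMPLE_ENCODER_KEY = "simpleEncoder";` (name is a suggestion) used as `screens.getContext().put(ModelFormField.SIMPLE_ENCODER_KEY, StringUtil.xmlEncoder);`, makes the coupling between the view handler and the form model explicit and greppable. A one-line comment next to the put, `// encoder used by ModelFormField.getEntry for fields with encode-output=true`, would also explain why an FO renderer is handed an XML encoder.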
@@ -93,6 +94,7 @@ // this is the object used to render forms from their definitions FreeMarkerWorker.getSiteParameters(request, screens.getContext()); screens.getContext().put("formStringRenderer", new HtmlFormRenderer(request, response)); + screens.getContext().put("simpleEncoder", StringUtil.htmlEncoder); screens.render(page); } catch (IOException e) { throw new ViewHandlerException("Error in the response writer/output stream: " + e.toString(), e); Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenXmlViewHandler.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenXmlViewHandler.java?rev=741857&r1=741856&r2=741857&view=diff ============================================================================== --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenXmlViewHandler.java (original) +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/ScreenXmlViewHandler.java Sat Feb 7 08:56:19 2009 @@ -28,6 +28,7 @@ import javax.xml.parsers.ParserConfigurationException; import org.ofbiz.base.util.GeneralException; +import org.ofbiz.base.util.StringUtil; import org.ofbiz.base.util.UtilJ2eeCompat; import org.ofbiz.webapp.view.ViewHandlerException; import org.xml.sax.SAXException; @@ -58,6 +59,7 @@ screens.populateContextForRequest(request, response, servletContext); // this is the object used to render forms from their definitions screens.getContext().put("formStringRenderer", new XmlFormRenderer(request, response)); + screens.getContext().put("simpleEncoder", StringUtil.xmlEncoder); screens.render(page); } catch (IOException e) { throw new ViewHandlerException("Error in the response writer/output stream: " + e.toString(), e); |