Author: jonesde
Date: Mon Feb 9 09:34:34 2009 New Revision: 742352 URL: http://svn.apache.org/viewvc?rev=742352&view=rev Log: Added new allow-html tag on the attribute, auto-attribute, and override elements; has 3 options: none, safe, and any; the comments in the XSD file describe what each of these do; the important thing to know is that none is the default meaning no html is allowed; if html is needed use safe and look at the antisamy-esapi.xml file to see policy details; in extreme trust cases use any where any html is allowed; note that many services need updating which should allow at least safe html, and it may take some time to discover all of those and get them handled; please send in issues and requests for service attributes that should allow safe html Added: ofbiz/trunk/framework/base/config/antisamy-esapi.xml (with props) ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar (with props) ofbiz/trunk/framework/base/lib/nekohtml.jar (with props) Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java ofbiz/trunk/framework/service/dtd/services.xsd ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java Added: ofbiz/trunk/framework/base/config/antisamy-esapi.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/antisamy-esapi.xml?rev=742352&view=auto ============================================================================== --- ofbiz/trunk/framework/base/config/antisamy-esapi.xml (added) +++ ofbiz/trunk/framework/base/config/antisamy-esapi.xml Mon Feb 9 09:34:34 2009 
@@ -0,0 +1,479 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- +Based on the default ESAPI.properties file, which is BSD licensed. + +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> + +<!-- +W3C rules retrieved from: +http://www.w3.org/TR/html401/struct/global.html +--> + +<!-- +Slashdot allowed tags taken from "Reply" page: +<b> <i> <p> <br> <a> <ol> <ul> <li> <dl> <dt> <dd> <em> <strong> <tt> <blockquote> <div> <ecode> <quote> +--> + +<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="antisamy.xsd"> + <directives> + <directive name="omitXmlDeclaration" value="true"/> + <directive name="omitDoctypeDeclaration" value="true"/> + <directive name="maxInputSize" value="5000"/> + <directive name="embedStyleSheets" value="false"/> + </directives> + <common-regexps> + <!-- + From W3C: + This attribute assigns a class name or set of class names to an + element. Any number of elements may be assigned the same class + name or names. Multiple class names must be separated by white + space characters. 
+ --> + + <regexp name="htmlTitle" value="[a-zA-Z0-9\s-_',:\[\]!\./\\\(\)]*"/> <!-- force non-empty with a '+' at the end instead of '*' --> + <regexp name="onsiteURL" value="([\w\\/\.\?=&;\#-~]+|\#(\w)+)"/> + <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[A-Za-z0-9]+[~a-zA-Z0-9-_\.@#$%&;:,\?=/\+!]*(\s)*"/> + </common-regexps> + + <!-- + + Tag.name = a, b, div, body, etc. + Tag.action = filter: remove tags, but keep content, validate: keep content as long as it passes rules, remove: remove tag and contents + Attribute.name = id, class, href, align, width, etc. + Attribute.onInvalid = what to do when the attribute is invalid, e.g., remove the tag (removeTag), remove the attribute (removeAttribute), filter the tag (filterTag) + Attribute.description = What rules in English you want to tell the users they can have for this attribute. Include helpful things so they'll be able to tune their HTML + + --> + + <!-- + Some attributes are common to all (or most) HTML tags. There aren't many that qualify for this. You have to make sure there's no + collisions between any of these attribute names with attribute names of other tags that are for different purposes. 
+ --> + <common-attributes> + <attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in"> + <regexp-list> + <regexp value="[a-zA-Z]{2,20}"/> + </regexp-list> + </attribute> + <attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element"> + <regexp-list> + <regexp name="htmlTitle"/> + </regexp-list> + </attribute> + <attribute name="href" onInvalid="filterTag"> + <regexp-list> + <regexp name="onsiteURL"/> + <regexp name="offsiteURL"/> + </regexp-list> + </attribute> + <attribute name="align" description="The 'align' attribute of an HTML element is a direction word, like 'left', 'right' or 'center'"> + <literal-list> + <literal value="center"/> + <literal value="left"/> + <literal value="right"/> + <literal value="justify"/> + <literal value="char"/> + </literal-list> + </attribute> + </common-attributes> + + <!-- + This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars continue + this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after + a while? 
+ --> + <global-tag-attributes> + <attribute name="title"/> + <attribute name="lang"/> + </global-tag-attributes> + <tag-rules> + <!-- Tags related to JavaScript --> + <tag name="script" action="remove"/> + <tag name="noscript" action="remove"/> + + <!-- Frame & related tags --> + <tag name="iframe" action="remove"/> + <tag name="frameset" action="remove"/> + <tag name="frame" action="remove"/> + <tag name="noframes" action="remove"/> + + <!-- All reasonable formatting tags --> + <tag name="p" action="validate"> + <attribute name="align"/> + </tag> + + <tag name="div" action="validate"/> + <tag name="i" action="validate"/> + <tag name="b" action="validate"/> + <tag name="em" action="validate"/> + <tag name="blockquote" action="validate"/> + <tag name="tt" action="validate"/> + + <tag name="br" action="truncate"/> + + <!-- Custom Slashdot tags, though we're trimming the idea of having a possible mismatching end tag with the endtag="" attribute --> + <tag name="quote" action="validate"/> + <tag name="ecode" action="validate"/> + + <!-- Anchor and anchor related tags --> + <tag name="a" action="validate"> + <attribute name="href" onInvalid="filterTag"/> + <attribute name="nohref"> + <literal-list> + <literal value="nohref"/> + <literal value=""/> + </literal-list> + </attribute> + <attribute name="rel"> + <literal-list> + <literal value="nofollow"/> + </literal-list> + </attribute> + </tag> + + <!-- List tags --> + <tag name="ul" action="validate"/> + <tag name="ol" action="validate"/> + <tag name="li" action="validate"/> + </tag-rules> + + <!-- No CSS on Slashdot posts --> + <css-rules> + </css-rules> + + <html-entities> + <entity name="amp" cdata="&"/> + <entity name="nbsp" cdata="&#160;"/> + + <entity name="iexcl" cdata="&#161;"/> <!--inverted exclamation mark, U+00A1 ISOnum --> + <entity name="cent" cdata="&#162;"/> <!--cent sign, U+00A2 ISOnum --> + <entity name="pound" cdata="&#163;"/> <!--pound sign, U+00A3 ISOnum --> + <entity name="curren" cdata="&#164;"/> 
<!--currency sign, U+00A4 ISOnum --> + <entity name="yen" cdata="&#165;"/> <!--yen sign = yuan sign, U+00A5 ISOnum --> + <entity name="brvbar" cdata="&#166;"/> <!--broken bar = broken vertical bar, U+00A6 ISOnum --> + <entity name="sect" cdata="&#167;"/> <!--section sign, U+00A7 ISOnum --> + <entity name="uml" cdata="&#168;"/> <!--diaeresis = spacing diaeresis, U+00A8 ISOdia --> + <entity name="copy" cdata="&#169;"/> <!--copyright sign, U+00A9 ISOnum --> + <entity name="ordf" cdata="&#170;"/> <!--feminine ordinal indicator, U+00AA ISOnum --> + <entity name="laquo" cdata="&#171;"/> <!--left-pointing double angle quotation mark = left pointing guillemet, U+00AB ISOnum --> + <entity name="not" cdata="&#172;"/> <!--not sign, U+00AC ISOnum --> + <entity name="shy" cdata="&#173;"/> <!--soft hyphen = discretionary hyphen,U+00AD ISOnum --> + <entity name="reg" cdata="&#174;"/> <!--registered sign = registered trade mark sign, U+00AE ISOnum --> + <entity name="macr" cdata="&#175;"/> <!--macron = spacing macron = overline = APL overbar, U+00AF ISOdia --> + <entity name="deg" cdata="&#176;"/> <!--degree sign, U+00B0 ISOnum --> + <entity name="plusmn" cdata="&#177;"/> <!--plus-minus sign = plus-or-minus sign, U+00B1 ISOnum --> + <entity name="sup2" cdata="&#178;"/> <!--superscript two = superscript digit two = squared, U+00B2 ISOnum --> + <entity name="sup3" cdata="&#179;"/> <!--superscript three = superscript digit three= cubed, U+00B3 ISOnum --> + <entity name="acute" cdata="&#180;"/> <!--acute accent = spacing acute, U+00B4 ISOdia --> + <entity name="micro" cdata="&#181;"/> <!--micro sign, U+00B5 ISOnum --> + <entity name="para" cdata="&#182;"/> <!--pilcrow sign = paragraph sign, U+00B6 ISOnum --> + <entity name="middot" cdata="&#183;"/> <!--middle dot = Georgian comma = Greek middle dot, U+00B7 ISOnum --> + <entity name="cedil" cdata="&#184;"/> <!--cedilla = spacing cedilla, U+00B8 ISOdia --> + <entity name="sup1" cdata="&#185;"/> <!--superscript one = superscript digit 
one,U+00B9 ISOnum --> + <entity name="ordm" cdata="&#186;"/> <!--masculine ordinal indicator, U+00BA ISOnum --> + <entity name="raquo" cdata="&#187;"/> <!--right-pointing double angle quotation mark = right pointing guillemet, U+00BB ISOnum --> + <entity name="frac14" cdata="&#188;"/> <!--vulgar fraction one quarter = fraction one quarter, U+00BC ISOnum --> + <entity name="frac12" cdata="&#189;"/> <!--vulgar fraction one half = fraction one half, U+00BD ISOnum --> + <entity name="frac34" cdata="&#190;"/> <!--vulgar fraction three quarters = fraction three quarters, U+00BE ISOnum --> + <entity name="iquest" cdata="&#191;"/> <!--inverted question mark = turned question mark, U+00BF ISOnum --> + <entity name="Agrave" cdata="&#192;"/> <!--latin capital letter A with grave = latin capital letter A grave,U+00C0 ISOlat1 --> + <entity name="Aacute" cdata="&#193;"/> <!--latin capital letter A with acute,U+00C1 ISOlat1 --> + <entity name="Acirc" cdata="&#194;"/> <!--latin capital letter A with circumflex,U+00C2 ISOlat1 --> + <entity name="Atilde" cdata="&#195;"/> <!--latin capital letter A with tilde,U+00C3 ISOlat1 --> + <entity name="Auml" cdata="&#196;"/> <!--latin capital letter A with diaeresis,U+00C4 ISOlat1 --> + <entity name="Aring" cdata="&#197;"/> <!--latin capital letter A with ring above = latin capital letter A ring, U+00C5 ISOlat1 --> + <entity name="AElig" cdata="&#198;"/> <!--latin capital letter AE = latin capital ligature AE, U+00C6 ISOlat1 --> + <entity name="Ccedil" cdata="&#199;"/> <!--latin capital letter C with cedilla, U+00C7 ISOlat1 --> + <entity name="Egrave" cdata="&#200;"/> <!--latin capital letter E with grave, U+00C8 ISOlat1 --> + <entity name="Eacute" cdata="&#201;"/> <!--latin capital letter E with acute,U+00C9 ISOlat1 --> + <entity name="Ecirc" cdata="&#202;"/> <!--latin capital letter E with circumflex,U+00CA ISOlat1 --> + <entity name="Euml" cdata="&#203;"/> <!--latin capital letter E with diaeresis, U+00CB ISOlat1 --> + <entity 
name="Igrave" cdata="&#204;"/> <!--latin capital letter I with grave, U+00CC ISOlat1 --> + <entity name="Iacute" cdata="&#205;"/> <!--latin capital letter I with acute, U+00CD ISOlat1 --> + <entity name="Icirc" cdata="&#206;"/> <!--latin capital letter I with circumflex, U+00CE ISOlat1 --> + <entity name="Iuml" cdata="&#207;"/> <!--latin capital letter I with diaeresis, U+00CF ISOlat1 --> + <entity name="ETH" cdata="&#208;"/> <!--latin capital letter ETH, U+00D0 ISOlat1 --> + <entity name="Ntilde" cdata="&#209;"/> <!--latin capital letter N with tilde, U+00D1 ISOlat1 --> + <entity name="Ograve" cdata="&#210;"/> <!--latin capital letter O with grave, U+00D2 ISOlat1 --> + <entity name="Oacute" cdata="&#211;"/> <!--latin capital letter O with acute, U+00D3 ISOlat1 --> + <entity name="Ocirc" cdata="&#212;"/> <!--latin capital letter O with circumflex, U+00D4 ISOlat1 --> + <entity name="Otilde" cdata="&#213;"/> <!--latin capital letter O with tilde, U+00D5 ISOlat1 --> + <entity name="Ouml" cdata="&#214;"/> <!--latin capital letter O with diaeresis, U+00D6 ISOlat1 --> + <entity name="times" cdata="&#215;"/> <!--multiplication sign, U+00D7 ISOnum --> + <entity name="Oslash" cdata="&#216;"/> <!--latin capital letter O with stroke = latin capital letter O slash, U+00D8 ISOlat1 --> + <entity name="Ugrave" cdata="&#217;"/> <!--latin capital letter U with grave, U+00D9 ISOlat1 --> + <entity name="Uacute" cdata="&#218;"/> <!--latin capital letter U with acute, U+00DA ISOlat1 --> + <entity name="Ucirc" cdata="&#219;"/> <!--latin capital letter U with circumflex, U+00DB ISOlat1 --> + <entity name="Uuml" cdata="&#220;"/> <!--latin capital letter U with diaeresis, U+00DC ISOlat1 --> + <entity name="Yacute" cdata="&#221;"/> <!--latin capital letter Y with acute, U+00DD ISOlat1 --> + <entity name="THORN" cdata="&#222;"/> <!--latin capital letter THORN, U+00DE ISOlat1 --> + <entity name="szlig" cdata="&#223;"/> <!--latin small letter sharp s = ess-zed, U+00DF ISOlat1 --> + <entity 
name="agrave" cdata="&#224;"/> <!--latin small letter a with grave = latin small letter a grave, U+00E0 ISOlat1 --> + <entity name="aacute" cdata="&#225;"/> <!--latin small letter a with acute, U+00E1 ISOlat1 --> + <entity name="acirc" cdata="&#226;"/> <!--latin small letter a with circumflex, U+00E2 ISOlat1 --> + <entity name="atilde" cdata="&#227;"/> <!--latin small letter a with tilde, U+00E3 ISOlat1 --> + <entity name="auml" cdata="&#228;"/> <!--latin small letter a with diaeresis, U+00E4 ISOlat1 --> + <entity name="aring" cdata="&#229;"/> <!--latin small letter a with ring above = latin small letter a ring, U+00E5 ISOlat1 --> + <entity name="aelig" cdata="&#230;"/> <!--latin small letter ae = latin small ligature ae, U+00E6 ISOlat1 --> + <entity name="ccedil" cdata="&#231;"/> <!--latin small letter c with cedilla, U+00E7 ISOlat1 --> + <entity name="egrave" cdata="&#232;"/> <!--latin small letter e with grave, U+00E8 ISOlat1 --> + <entity name="eacute" cdata="&#233;"/> <!--latin small letter e with acute, U+00E9 ISOlat1 --> + <entity name="ecirc" cdata="&#234;"/> <!--latin small letter e with circumflex, U+00EA ISOlat1 --> + <entity name="euml" cdata="&#235;"/> <!--latin small letter e with diaeresis, U+00EB ISOlat1 --> + <entity name="igrave" cdata="&#236;"/> <!--latin small letter i with grave, U+00EC ISOlat1 --> + <entity name="iacute" cdata="&#237;"/> <!--latin small letter i with acute, U+00ED ISOlat1 --> + <entity name="icirc" cdata="&#238;"/> <!--latin small letter i with circumflex, U+00EE ISOlat1 --> + <entity name="iuml" cdata="&#239;"/> <!--latin small letter i with diaeresis, U+00EF ISOlat1 --> + <entity name="eth" cdata="&#240;"/> <!--latin small letter eth, U+00F0 ISOlat1 --> + <entity name="ntilde" cdata="&#241;"/> <!--latin small letter n with tilde, U+00F1 ISOlat1 --> + <entity name="ograve" cdata="&#242;"/> <!--latin small letter o with grave, U+00F2 ISOlat1 --> + <entity name="oacute" cdata="&#243;"/> <!--latin small letter o with acute, 
U+00F3 ISOlat1 --> + <entity name="ocirc " cdata="&#244;"/> <!--latin small letter o with circumflex, U+00F4 ISOlat1 --> + <entity name="otilde" cdata="&#245;"/> <!--latin small letter o with tilde, U+00F5 ISOlat1 --> + <entity name="ouml" cdata="&#246;"/> <!--latin small letter o with diaeresis, U+00F6 ISOlat1 --> + <entity name="divide" cdata="&#247;"/> <!--division sign, U+00F7 ISOnum --> + <entity name="oslash" cdata="&#248;"/> <!--latin small letter o with stroke, = latin small letter o slash, U+00F8 ISOlat1 --> + <entity name="ugrave" cdata="&#249;"/> <!--latin small letter u with grave, U+00F9 ISOlat1 --> + <entity name="uacute" cdata="&#250;"/> <!--latin small letter u with acute, U+00FA ISOlat1 --> + <entity name="ucirc" cdata="&#251;"/> <!--latin small letter u with circumflex, U+00FB ISOlat1 --> + <entity name="uuml" cdata="&#252;"/> <!--latin small letter u with diaeresis, U+00FC ISOlat1 --> + <entity name="yacute" cdata="&#253;"/> <!--latin small letter y with acute, U+00FD ISOlat1 --> + <entity name="thorn" cdata="&#254;"/> <!--latin small letter thorn, U+00FE ISOlat1 --> + <entity name="yuml" cdata="&#255;"/> <!--latin small letter y with diaeresis, U+00FF ISOlat1 --> + + <entity name="fnof" cdata="&#402;"/> <!--latin small f with hook = function = florin, U+0192 ISOtech --> + + <!-- Greek --> + <entity name="Alpha" cdata="&#913;"/> <!--greek capital letter alpha, U+0391 --> + <entity name="Beta" cdata="&#914;"/> <!--greek capital letter beta, U+0392 --> + <entity name="Gamma" cdata="&#915;"/> <!--greek capital letter gamma, U+0393 ISOgrk3 --> + <entity name="Delta" cdata="&#916;"/> <!--greek capital letter delta, U+0394 ISOgrk3 --> + <entity name="Epsilon" cdata="&#917;"/> <!--greek capital letter epsilon, U+0395 --> + <entity name="Zeta" cdata="&#918;"/> <!--greek capital letter zeta, U+0396 --> + <entity name="Eta" cdata="&#919;"/> <!--greek capital letter eta, U+0397 --> + <entity name="Theta" cdata="&#920;"/> <!--greek capital letter theta, 
U+0398 ISOgrk3 --> + <entity name="Iota" cdata="&#921;"/> <!--greek capital letter iota, U+0399 --> + <entity name="Kappa" cdata="&#922;"/> <!--greek capital letter kappa, U+039A --> + <entity name="Lambda" cdata="&#923;"/> <!--greek capital letter lambda, U+039B ISOgrk3 --> + <entity name="Mu" cdata="&#924;"/> <!--greek capital letter mu, U+039C --> + <entity name="Nu" cdata="&#925;"/> <!--greek capital letter nu, U+039D --> + <entity name="Xi" cdata="&#926;"/> <!--greek capital letter xi, U+039E ISOgrk3 --> + <entity name="Omicron" cdata="&#927;"/> <!--greek capital letter omicron, U+039F --> + <entity name="Pi" cdata="&#928;"/> <!--greek capital letter pi, U+03A0 ISOgrk3 --> + <entity name="Rho" cdata="&#929;"/> <!--greek capital letter rho, U+03A1 --> + <!-- there is no Sigmaf, and no U+03A2 character either --> + <entity name="Sigma" cdata="&#931;"/> <!--greek capital letter sigma, U+03A3 ISOgrk3 --> + <entity name="Tau" cdata="&#932;"/> <!--greek capital letter tau, U+03A4 --> + <entity name="Upsilon" cdata="&#933;"/> <!--greek capital letter upsilon,U+03A5 ISOgrk3 --> + <entity name="Phi" cdata="&#934;"/> <!--greek capital letter phi,U+03A6 ISOgrk3 --> + <entity name="Chi" cdata="&#935;"/> <!--greek capital letter chi, U+03A7 --> + <entity name="Psi" cdata="&#936;"/> <!--greek capital letter psi,U+03A8 ISOgrk3 --> + <entity name="Omega" cdata="&#937;"/> <!--greek capital letter omega,U+03A9 ISOgrk3 --> + + <entity name="alpha" cdata="&#945;"/> <!--greek small letter alpha,U+03B1 ISOgrk3 --> + <entity name="beta" cdata="&#946;"/> <!--greek small letter beta, U+03B2 ISOgrk3 --> + <entity name="gamma" cdata="&#947;"/> <!--greek small letter gamma,U+03B3 ISOgrk3 --> + <entity name="delta" cdata="&#948;"/> <!--greek small letter delta,U+03B4 ISOgrk3 --> + <entity name="epsilon" cdata="&#949;"/> <!--greek small letter epsilon,U+03B5 ISOgrk3 --> + <entity name="zeta" cdata="&#950;"/> <!--greek small letter zeta, U+03B6 ISOgrk3 --> + <entity name="eta" 
cdata="&#951;"/> <!--greek small letter eta, U+03B7 ISOgrk3 --> + <entity name="theta" cdata="&#952;"/> <!--greek small letter theta, U+03B8 ISOgrk3 --> + <entity name="iota" cdata="&#953;"/> <!--greek small letter iota, U+03B9 ISOgrk3 --> + <entity name="kappa" cdata="&#954;"/> <!--greek small letter kappa,U+03BA ISOgrk3 --> + <entity name="lambda" cdata="&#955;"/> <!--greek small letter lambda, U+03BB ISOgrk3 --> + <entity name="mu" cdata="&#956;"/> <!--greek small letter mu, U+03BC ISOgrk3 --> + <entity name="nu" cdata="&#957;"/> <!--greek small letter nu, U+03BD ISOgrk3 --> + <entity name="xi" cdata="&#958;"/> <!--greek small letter xi, U+03BE ISOgrk3 --> + <entity name="omicron" cdata="&#959;"/> <!--greek small letter omicron, U+03BF NEW --> + <entity name="pi" cdata="&#960;"/> <!--greek small letter pi, U+03C0 ISOgrk3 --> + <entity name="rho" cdata="&#961;"/> <!--greek small letter rho, U+03C1 ISOgrk3 --> + <entity name="sigmaf" cdata="&#962;"/> <!--greek small letter final sigma, U+03C2 ISOgrk3 --> + <entity name="sigma" cdata="&#963;"/> <!--greek small letter sigma, U+03C3 ISOgrk3 --> + <entity name="tau" cdata="&#964;"/> <!--greek small letter tau, U+03C4 ISOgrk3 --> + <entity name="upsilon" cdata="&#965;"/> <!--greek small letter upsilon, U+03C5 ISOgrk3 --> + <entity name="phi" cdata="&#966;"/> <!--greek small letter phi, U+03C6 ISOgrk3 --> + <entity name="chi" cdata="&#967;"/> <!--greek small letter chi, U+03C7 ISOgrk3 --> + <entity name="psi" cdata="&#968;"/> <!--greek small letter psi, U+03C8 ISOgrk3 --> + <entity name="omega" cdata="&#969;"/> <!--greek small letter omega, U+03C9 ISOgrk3 --> + <entity name="thetasym" cdata="&#977;"/> <!--greek small letter theta symbol, U+03D1 NEW --> + <entity name="upsih" cdata="&#978;"/> <!--greek upsilon with hook symbol, U+03D2 NEW --> + <entity name="piv" cdata="&#982;"/> <!--greek pi symbol, U+03D6 ISOgrk3 --> + + <!-- General Punctuation --> + <entity name="bull" cdata="&#8226;"/> <!--bullet = black small 
circle, U+2022 ISOpub --> + <!-- bullet is NOT the same as bullet operator, U+2219 --> + <entity name="hellip" cdata="&#8230;"/> <!--horizontal ellipsis = three dot leader, U+2026 ISOpub --> + <entity name="prime" cdata="&#8242;"/> <!--prime = minutes = feet, U+2032 ISOtech --> + <entity name="Prime" cdata="&#8243;"/> <!--double prime = seconds = inches, U+2033 ISOtech --> + <entity name="oline" cdata="&#8254;"/> <!--overline = spacing overscore, U+203E NEW --> + <entity name="frasl" cdata="&#8260;"/> <!--fraction slash, U+2044 NEW --> + + <!-- Letterlike Symbols --> + <entity name="weierp" cdata="&#8472;"/> <!--script capital P = power set = Weierstrass p, U+2118 ISOamso --> + <entity name="image" cdata="&#8465;"/> <!--blackletter capital I = imaginary part, U+2111 ISOamso --> + <entity name="real" cdata="&#8476;"/> <!--blackletter capital R = real part symbol, U+211C ISOamso --> + <entity name="trade" cdata="&#8482;"/> <!--trade mark sign, U+2122 ISOnum --> + <entity name="alefsym" cdata="&#8501;"/> <!--alef symbol = first transfinite cardinal, U+2135 NEW --> + <!-- alef symbol is NOT the same as hebrew letter alef, + U+05D0 although the same glyph could be used to depict both characters --> + + <!-- Arrows --> + <entity name="larr" cdata="&#8592;"/> <!--leftwards arrow, U+2190 ISOnum --> + <entity name="uarr" cdata="&#8593;"/> <!--upwards arrow, U+2191 ISOnum--> + <entity name="rarr" cdata="&#8594;"/> <!--rightwards arrow, U+2192 ISOnum --> + <entity name="darr" cdata="&#8595;"/> <!--downwards arrow, U+2193 ISOnum --> + <entity name="harr" cdata="&#8596;"/> <!--left right arrow, U+2194 ISOamsa --> + <entity name="crarr" cdata="&#8629;"/> <!--downwards arrow with corner leftwards + = carriage return, U+21B5 NEW --> + <entity name="lArr" cdata="&#8656;"/> <!--leftwards double arrow, U+21D0 ISOtech --> + + <!-- ISO 10646 does not say that lArr is the same as the 'is implied by' arrow + but also does not have any other character for that function. So ? 
lArr can + be used for 'is implied by' as ISOtech suggests --> + + <entity name="uArr" cdata="&#8657;"/> <!--upwards double arrow, U+21D1 ISOamsa --> + <entity name="rArr" cdata="&#8658;"/> <!--rightwards double arrow, U+21D2 ISOtech --> + + <!-- ISO 10646 does not say this is the 'implies' character but does not have + another character with this function so ? + rArr can be used for 'implies' as ISOtech suggests --> + + <entity name="dArr" cdata="&#8659;"/> <!--downwards double arrow, U+21D3 ISOamsa --> + <entity name="hArr" cdata="&#8660;"/> <!--left right double arrow, U+21D4 ISOamsa --> + + <!-- Mathematical Operators --> + <entity name="forall" cdata="&#8704;"/> <!--for all, U+2200 ISOtech --> + <entity name="part" cdata="&#8706;"/> <!--partial differential, U+2202 ISOtech --> + <entity name="exist" cdata="&#8707;"/> <!--there exists, U+2203 ISOtech --> + <entity name="empty" cdata="&#8709;"/> <!--empty set = null set = diameter,U+2205 ISOamso --> + <entity name="nabla" cdata="&#8711;"/> <!--nabla = backward difference, U+2207 ISOtech --> + <entity name="isin" cdata="&#8712;"/> <!--element of, U+2208 ISOtech --> + <entity name="notin" cdata="&#8713;"/> <!--not an element of, U+2209 ISOtech --> + <entity name="ni" cdata="&#8715;"/> <!--contains as member, U+220B ISOtech --> + + <!-- should there be a more memorable name than 'ni'? 
--> + <entity name="prod" cdata="&#8719;"/> <!--n-ary product = product sign, U+220F ISOamsb --> + + <!-- prod is NOT the same character as U+03A0 'greek capital letter pi' though + the same glyph might be used for both --> + + <entity name="sum" cdata="&#8721;"/> <!--n-ary sumation, U+2211 ISOamsb --> + + <!-- sum is NOT the same character as U+03A3 'greek capital letter sigma' + though the same glyph might be used for both --> + + <entity name="minus" cdata="&#8722;"/> <!--minus sign, U+2212 ISOtech --> + <entity name="lowast" cdata="&#8727;"/> <!--asterisk operator, U+2217 ISOtech --> + <entity name="radic" cdata="&#8730;"/> <!--square root = radical sign, U+221A ISOtech --> + <entity name="prop" cdata="&#8733;"/> <!--proportional to, U+221D ISOtech --> + <entity name="infin" cdata="&#8734;"/> <!--infinity, U+221E ISOtech --> + <entity name="ang" cdata="&#8736;"/> <!--angle, U+2220 ISOamso --> + <entity name="and" cdata="&#8743;"/> <!--logical and = wedge, U+2227 ISOtech --> + <entity name="or" cdata="&#8744;"/> <!--logical or = vee, U+2228 ISOtech --> + <entity name="cap" cdata="&#8745;"/> <!--intersection = cap, U+2229 ISOtech --> + <entity name="cup" cdata="&#8746;"/> <!--union = cup, U+222A ISOtech --> + <entity name="int" cdata="&#8747;"/> <!--integral, U+222B ISOtech --> + <entity name="there4" cdata="&#8756;"/> <!--therefore, U+2234 ISOtech --> + <entity name="sim" cdata="&#8764;"/> <!--tilde operator = varies with = similar to, U+223C ISOtech --> + + <!-- tilde operator is NOT the same character as the tilde, U+007E, + although the same glyph might be used to represent both --> + + <entity name="cong" cdata="&#8773;"/> <!--approximately equal to, U+2245 ISOtech --> + <entity name="asymp" cdata="&#8776;"/> <!--almost equal to = asymptotic to, U+2248 ISOamsr --> + <entity name="ne" cdata="&#8800;"/> <!--not equal to, U+2260 ISOtech --> + <entity name="equiv" cdata="&#8801;"/> <!--identical to, U+2261 ISOtech --> + <entity name="le" cdata="&#8804;"/> 
<!--less-than or equal to, U+2264 ISOtech --> + <entity name="ge" cdata="&#8805;"/> <!--greater-than or equal to, U+2265 ISOtech --> + <entity name="sub" cdata="&#8834;"/> <!--subset of, U+2282 ISOtech --> + <entity name="sup" cdata="&#8835;"/> <!--superset of, U+2283 ISOtech --> + + <!-- note that nsup, 'not a superset of, U+2283' is not covered by the Symbol + font encoding and is not included. Should it be, for symmetry? + It is in ISOamsn --> + + <entity name="nsub" cdata="&#8836;"/> <!--not a subset of, U+2284 ISOamsn --> + <entity name="sube" cdata="&#8838;"/> <!--subset of or equal to, U+2286 ISOtech --> + <entity name="supe" cdata="&#8839;"/> <!--superset of or equal to, U+2287 ISOtech --> + <entity name="oplus" cdata="&#8853;"/> <!--circled plus = direct sum, U+2295 ISOamsb --> + <entity name="otimes" cdata="&#8855;"/> <!--circled times = vector product, U+2297 ISOamsb --> + <entity name="perp" cdata="&#8869;"/> <!--up tack = orthogonal to = perpendicular, U+22A5 ISOtech --> + <entity name="sdot" cdata="&#8901;"/> <!--dot operator, U+22C5 ISOamsb --> + <!-- dot operator is NOT the same character as U+00B7 middle dot --> + + <!-- Miscellaneous Technical --> + <entity name="lceil" cdata="&#8968;"/> <!--left ceiling = apl upstile, U+2308 ISOamsc --> + <entity name="rceil" cdata="&#8969;"/> <!--right ceiling, U+2309 ISOamsc --> + <entity name="lfloor" cdata="&#8970;"/> <!--left floor = apl downstile, U+230A ISOamsc --> + <entity name="rfloor" cdata="&#8971;"/> <!--right floor, U+230B ISOamsc --> + <entity name="lang" cdata="&#9001;"/> <!--left-pointing angle bracket = bra, U+2329 ISOtech --> + <!-- lang is NOT the same character as U+003C 'less than' + or U+2039 'single left-pointing angle quotation mark' --> + <entity name="rang" cdata="&#9002;"/> <!--right-pointing angle bracket = ket, U+232A ISOtech --> + <!-- rang is NOT the same character as U+003E 'greater than' or U+203A 'single right-pointing angle quotation mark' --> + + <!-- Geometric Shapes --> + 
<entity name="loz" cdata="&#9674;"/> <!--lozenge, U+25CA ISOpub --> + + <!-- Miscellaneous Symbols --> + <entity name="spades" cdata="&#9824;"/> <!--black spade suit, U+2660 ISOpub --> + <!-- black here seems to mean filled as opposed to hollow --> + <entity name="clubs" cdata="&#9827;"/> <!--black club suit = shamrock, U+2663 ISOpub --> + <entity name="hearts" cdata="&#9829;"/> <!--black heart suit = valentine, U+2665 ISOpub --> + <entity name="diams" cdata="&#9830;"/> <!--black diamond suit, U+2666 ISOpub --> + + <entity name="quot" cdata="&#34;" /> <!--quotation mark = APL quote, U+0022 ISOnum --> + <!-- Latin Extended-A --> + <entity name="OElig" cdata="&#338;" /> <!--latin capital ligature OE, U+0152 ISOlat2 --> + <entity name="oelig" cdata="&#339;" /> <!--latin small ligature oe, U+0153 ISOlat2 --> + <!-- ligature is a misnomer, this is a separate character in some languages --> + <entity name="Scaron" cdata="&#352;" /> <!--latin capital letter S with caron, U+0160 ISOlat2 --> + <entity name="scaron" cdata="&#353;" /> <!--latin small letter s with caron, U+0161 ISOlat2 --> + <entity name="Yuml" cdata="&#376;" /> <!--latin capital letter Y with diaeresis, U+0178 ISOlat2 --> + + <!-- Spacing Modifier Letters --> + <entity name="circ" cdata="&#710;" /> <!--modifier letter circumflex accent, U+02C6 ISOpub --> + <entity name="tilde" cdata="&#732;" /> <!--small tilde, U+02DC ISOdia --> + + <!-- General Punctuation --> + <entity name="ensp" cdata="&#8194;"/> <!--en space, U+2002 ISOpub --> + <entity name="emsp" cdata="&#8195;"/> <!--em space, U+2003 ISOpub --> + <entity name="thinsp" cdata="&#8201;"/> <!--thin space, U+2009 ISOpub --> + <entity name="zwnj" cdata="&#8204;"/> <!--zero width non-joiner, U+200C NEW RFC 2070 --> + <entity name="zwj" cdata="&#8205;"/> <!--zero width joiner, U+200D NEW RFC 2070 --> + <entity name="lrm" cdata="&#8206;"/> <!--left-to-right mark, U+200E NEW RFC 2070 --> + <entity name="rlm" cdata="&#8207;"/> <!--right-to-left mark, U+200F NEW 
RFC 2070 --> + <entity name="ndash" cdata="&#8211;"/> <!--en dash, U+2013 ISOpub --> + <entity name="mdash" cdata="&#8212;"/> <!--em dash, U+2014 ISOpub --> + <entity name="lsquo" cdata="&#8216;"/> <!--left single quotation mark, U+2018 ISOnum --> + <entity name="rsquo" cdata="&#8217;"/> <!--right single quotation mark, U+2019 ISOnum --> + <entity name="sbquo" cdata="&#8218;"/> <!--single low-9 quotation mark, U+201A NEW --> + <entity name="ldquo" cdata="&#8220;"/> <!--left double quotation mark, U+201C ISOnum --> + <entity name="rdquo" cdata="&#8221;"/> <!--right double quotation mark, U+201D ISOnum --> + <entity name="bdquo" cdata="&#8222;"/> <!--double low-9 quotation mark, U+201E NEW --> + <entity name="dagger" cdata="&#8224;"/> <!--dagger, U+2020 ISOpub --> + <entity name="Dagger" cdata="&#8225;"/> <!--double dagger, U+2021 ISOpub --> + <entity name="permil" cdata="&#8240;"/> <!--per mille sign, U+2030 ISOtech --> + <entity name="lsaquo" cdata="&#8249;"/> <!--single left-pointing angle quotation mark, U+2039 ISO proposed --> + <!-- lsaquo is proposed but not yet ISO standardized --> + <entity name="rsaquo" cdata="&#8250;"/> <!--single right-pointing angle quotation mark, U+203A ISO proposed --> + <!-- rsaquo is proposed but not yet ISO standardized --> + <entity name="euro" cdata="&#8364;" /> <!--euro sign, U+20AC NEW --> + </html-entities> +</anti-samy-rules> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml ------------------------------------------------------------------------------ svn:executable = * Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml ------------------------------------------------------------------------------ svn:keywords = "Date Rev Author URL Id" Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml 
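Review bot: The `onsiteURL` regexp in `<common-regexps>` is far broader than it looks: inside a java.util.regex character class `\#-~` is the range `#`–`~` (0x23–0x7E), not the three literals, so `[\w\\/\.\?=&;\#-~]+` admits `:`, quotes, `<`, `>` and nearly every other printable ASCII character, and an `href` value such as `javascript:alert(1)` matches it in full as an on-site link. As far as I can tell from the `href` rule's `<regexp-list>`, a match against either `onsiteURL` or `offsiteURL` is enough, so the scheme allow-list in `offsiteURL` never gets a say; since the commit log makes this file the policy behind `allow-html="safe"`, every service attribute moved to `safe` inherits that gap. Escaping the hyphen, `[\w\\/\.\?=&;\#\-~]+`, reduces the class to the intended `#`, `-` and `~` and drops the colon; a protocol-relative `//host/...` would still pass through `\\/`, so prefix the pattern with `(?!//)` if such links are meant to be off-site only. Running `<a href="javascript:alert(1)">x</a>` and `<a href="//evil.example/">x</a>` through the policy would confirm the fix before `safe` is enabled on any service.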
------------------------------------------------------------------------------ svn:mime-type = text/xml Added: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar?rev=742352&view=auto ============================================================================== Binary file - no diff available. Propchange: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar ------------------------------------------------------------------------------ svn:executable = * Propchange: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: ofbiz/trunk/framework/base/lib/nekohtml.jar URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/nekohtml.jar?rev=742352&view=auto ============================================================================== Binary file - no diff available. Propchange: ofbiz/trunk/framework/base/lib/nekohtml.jar ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=742352&r1=742351&r2=742352&view=diff ==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java Mon Feb 9 09:34:34 2009
@@ -18,10 +18,6 @@
 *******************************************************************************/
 package org.ofbiz.base.util;
-import javolution.util.FastList;
-import javolution.util.FastMap;
-import javolution.util.FastSet;
-
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
@@ -34,15 +30,23 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; +import javolution.util.FastList; +import javolution.util.FastMap; +import javolution.util.FastSet; + import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.binary.Hex; import org.owasp.esapi.Encoder; +import org.owasp.esapi.ValidationErrorList; +import org.owasp.esapi.Validator; import org.owasp.esapi.codecs.CSSCodec; import org.owasp.esapi.codecs.Codec; import org.owasp.esapi.codecs.HTMLEntityCodec; import org.owasp.esapi.codecs.JavaScriptCodec; import org.owasp.esapi.codecs.PercentCodec; +import org.owasp.esapi.errors.EncodingException; import org.owasp.esapi.reference.DefaultEncoder; +import org.owasp.esapi.reference.DefaultValidator; /** * Misc String Utility Functions @@ -55,12 +59,12 @@ /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */ public static final boolean esapiCanonicalizeStrict = false; public static final Encoder defaultWebEncoder; - //public static final Validator defaultWebValidator; + public static final Validator defaultWebValidator; static { // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec List<Codec> codecList = Arrays.asList(new CSSCodec(), new HTMLEntityCodec(), new JavaScriptCodec(), new PercentCodec()); defaultWebEncoder = new DefaultEncoder(codecList); - //defaultWebValidator = new DefaultValidator(); + defaultWebValidator = new DefaultValidator(); } public static final SimpleEncoder htmlEncoder = new HtmlEncoder(); @@ -82,6 +86,8 @@ } } + // ================== Begin General Functions ================== + public static String internString(String value) { return value != null ? value.intern() : null; } 
@@ -459,6 +465,72 @@ } /** + * Uses a black-list approach for necessary characters for HTML. + * Does not allow various characters (after canonicalization), including "<", ">", "&" (if not followed by a space), and "%" (if not followed by a space). + * + * @param value + * @param errorMessageList + */ + public static String checkStringForHtmlStrictNone(String valueName, String value, List<String> errorMessageList) { + if (UtilValidate.isEmpty(value)) return value; + + // canonicalize, strict (error on double-encoding) + try { + value = defaultWebEncoder.canonicalize(value, true); + } catch (EncodingException e) { + // NOTE: using different log and user targeted error messages to allow the end-user message to be less technical + Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) error for attribute named [" + valueName + "], String [" + value + "]: " + e.toString(), module); + errorMessageList.add("In field [" + valueName + "] found character espacing (mixed or double) that is not allowed or other format consistency error: " + e.toString()); + } + + // check for "<", ">" + if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) { + errorMessageList.add("In field [" + valueName + "] greater-than (>) and less-than (<) symbols are not allowed."); + } + + // check for & not followed by a space (can be used for escaping chars) + int curAmpIndex = value.indexOf("&"); + while (curAmpIndex >= 0) { + if (' ' != value.charAt(curAmpIndex + 1)) { + errorMessageList.add("In field [" + valueName + "] the ampersand (&) symbol is only allowed if followed by a space."); + // once we find one like this we have the message so no need to check for more + break; + } + curAmpIndex = value.indexOf("&", curAmpIndex + 1); + } + + // check for % not followed by a space (can be used for escaping chars) + int curPercIndex = value.indexOf("%"); + while (curPercIndex >= 0) { + if (' ' != value.charAt(curPercIndex + 1)) { + 
errorMessageList.add("In field [" + valueName + "] the percent (%) symbol is only allowed if followed by a space."); + // once we find one like this we have the message so no need to check for more + break; + } + curPercIndex = value.indexOf("%", curPercIndex + 1); + } + + // TODO: anything else to check for that can be used to get HTML or JavaScript going without these characters? + + return value; + } + + /** + * Uses a white-list approach to check for safe HTML. + * Based on the ESAPI validator configured in the antisamy-esapi.xml file. + * + * @param value + * @param errorMessageList + * @return String with updated value if needed for safer HTML. + */ + public static String checkStringForHtmlSafeOnly(String valueName, String value, List<String> errorMessageList) { + ValidationErrorList vel = new ValidationErrorList(); + value = defaultWebValidator.getValidSafeHTML(valueName, value, Integer.MAX_VALUE, true, vel); + errorMessageList.addAll(vel.errors()); + return value; + } + + /** * Translates various HTML characters in a string so that the string can be displayed in a browser safely * <p> * This function is useful in preventing user-supplied text from containing HTML markup, such as in a message board or @@ -473,6 +545,8 @@ * <li>'>' (greater than) becomes '>' * <li>\n (Carriage Return) becomes '<br>gt;' * </ol> + * + * @deprecated Use StringUtil.htmlEncoder instead. */ public static String htmlSpecialChars(String html, boolean doubleQuotes, boolean singleQuotes, boolean insertBR) { html = StringUtil.replaceString(html, "&", "&"); Modified: ofbiz/trunk/framework/service/dtd/services.xsd URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=742352&r1=742351&r2=742352&view=diff ============================================================================== --- ofbiz/trunk/framework/service/dtd/services.xsd (original) +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Feb 9 09:34:34 2009 
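Review bot: `' ' != value.charAt(curAmpIndex + 1)` and the matching percent check in checkStringForHtmlStrictNone index one past the match, so a value that ends in `&` or `%` throws StringIndexOutOfBoundsException instead of adding the intended error message; guard the bound first, `if (curAmpIndex + 1 >= value.length() || ' ' != value.charAt(curAmpIndex + 1)) {` (and likewise for curPercIndex). As rendered here the angle-bracket test reads `value.indexOf("<") >= 0 || value.indexOf("<") >= 0`, which tests `<` twice and never `>` despite what the error message says — worth confirming against the committed source in case it is a display artifact. The canonicalize call passes a hard-coded `true` while the class already declares `esapiCanonicalizeStrict` for that purpose; either use the flag or comment why input validation always wants strict mode. The javadoc is also missing `@param valueName` and `@return`; add `@return the canonicalized value (unchanged if canonicalization failed), with any violations appended to errorMessageList`.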
@@ -268,6 +268,16 @@ </xs:restriction> </xs:simpleType> </xs:attribute> + <xs:attribute name="allow-html" use="optional" default="none"> + <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element.</xs:documentation></xs:annotation> + <xs:simpleType> + <xs:restriction base="xs:token"> + <xs:enumeration value="any"/> + <xs:enumeration value="safe"/> + <xs:enumeration value="none"/> + </xs:restriction> + </xs:simpleType> + </xs:attribute> </xs:attributeGroup> <xs:element name="exclude"> <xs:complexType> @@ -321,6 +331,22 @@ </xs:restriction> </xs:simpleType> </xs:attribute> + <xs:attribute name="allow-html" use="optional" default="none"> + <xs:annotation><xs:documentation> + Applies only to String fields. + Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating input from users, other systems, etc). + Defualts to "none" meaning no HTML is allowed (will result in an error message). + If some HTML is desired then use "safe" which will follow the rules in the antisamy-esapi.xml file. This should be safe for both internal and public users. + In rare cases when users are trusted or it is not a sensitive field the "any" option may be used to not check the HTML content at all. + </xs:documentation></xs:annotation> + <xs:simpleType> + <xs:restriction base="xs:token"> + <xs:enumeration value="any"/> + <xs:enumeration value="safe"/> + <xs:enumeration value="none"/> + </xs:restriction> + </xs:simpleType> + </xs:attribute> </xs:attributeGroup> <xs:element name="override"> <xs:complexType> 
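Review bot: The xs:documentation on the allow-html attribute of the "attribute" element misspells "Defaults" as `Defualts`, and the override attribute's documentation in the next hunk repeats the typo as `defualt`. Since these annotations are the reference the other two allow-html attributes point to, it would also help service authors to state what "none" actually rejects (per the StringUtil check in this commit: `<`, `>`, and `&` or `%` not followed by a space) so they can tell when "safe" is needed.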
@@ -362,6 +388,16 @@ </xs:restriction> </xs:simpleType> </xs:attribute> + <xs:attribute name="allow-html" use="optional"> + <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element. Note that it is slightly different here as there is no defualt.</xs:documentation></xs:annotation> + <xs:simpleType> + <xs:restriction base="xs:token"> + <xs:enumeration value="any"/> + <xs:enumeration value="safe"/> + <xs:enumeration value="none"/> + </xs:restriction> + </xs:simpleType> + </xs:attribute> </xs:attributeGroup> <xs:element name="type-validate"> <xs:complexType> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java?rev=742352&r1=742351&r2=742352&view=diff ============================================================================== --- ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java (original) +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java Mon Feb 9 09:34:34 2009 @@ -22,9 +22,8 @@ import javolution.util.FastMap; -import org.ofbiz.entity.GenericDelegator; -import org.ofbiz.entity.GenericEntityException; import org.ofbiz.base.util.Debug; +import org.ofbiz.entity.GenericDelegator; /** * Generic Services Local Dispatcher 
@@ -130,15 +129,15 @@ } public void disableEcas(){ - this.ecasDisabled = true; + ecasDisabled = true; } public void enableEcas() { - this.ecasDisabled = false; + ecasDisabled = false; } public boolean isEcasDisabled() { - return this.ecasDisabled; + return ecasDisabled; } /** Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java?rev=742352&r1=742351&r2=742352&view=diff ============================================================================== --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java (original) +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java Mon Feb 9 09:34:34 2009 @@ -35,6 +35,7 @@ /** * Generic Service Model Parameter */ +@SuppressWarnings("serial") public class ModelParam implements Serializable { public static final String module = ModelParam.class.getName(); @@ -77,6 +78,9 @@ public boolean formDisplay = true; public boolean overrideFormDisplay = false; + /** Default value */ + public String allowHtml = null; + /** Is this Parameter set internally? */ public boolean internal = false; @@ -97,6 +101,7 @@ this.overrideOptional = param.overrideOptional; this.formDisplay = param.formDisplay; this.overrideFormDisplay = param.overrideFormDisplay; + this.allowHtml = param.allowHtml; this.internal = param.internal; } 
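Review bot: The javadoc `/** Default value */` on the new `allowHtml` field in ModelParam describes the adjacent `defaultValue` field rather than this one; replace it with `/** HTML allowed in incoming String values: "none", "safe" or "any"; null until set by the reader */`. Because the field is initialised to `null` rather than `"none"`, a ModelParam that is not populated through ModelServiceReader (which supplies the "none" default) carries no policy at all, which matters for how ModelService.validate() branches on it.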
@@ -190,6 +195,7 @@ buf.append(overrideOptional).append("::"); buf.append(formDisplay).append("::"); buf.append(overrideFormDisplay).append("::"); + buf.append(allowHtml).append("::"); buf.append(defaultValue).append("::"); buf.append(internal); if (validators != null) Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=742352&r1=742351&r2=742352&view=diff ============================================================================== --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original) +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Mon Feb 9 09:34:34 2009 @@ -58,7 +58,7 @@ import org.ofbiz.base.util.Debug; import org.ofbiz.base.util.GeneralException; import org.ofbiz.base.util.ObjectType; -import org.ofbiz.base.util.UtilDateTime; +import org.ofbiz.base.util.StringUtil; import org.ofbiz.base.util.UtilMisc; import org.ofbiz.base.util.UtilProperties; import org.ofbiz.base.util.UtilValidate; @@ -75,6 +75,7 @@ /** * Generic Service Model Class */ +@SuppressWarnings("serial") public class ModelService extends AbstractMap<String, Object> implements Serializable { private static final Field[] MODEL_SERVICE_FIELDS; private static final Map<String, Field> MODEL_SERVICE_FIELD_MAP = FastMap.newInstance(); 
@@ -459,16 +460,16 @@ * @param test The Map object to test * @param mode Test either mode IN or mode OUT */ - public void validate(Map<String, ? extends Object> test, String mode, Locale locale) throws ServiceValidationException { + public void validate(Map<String, Object> context, String mode, Locale locale) throws ServiceValidationException { Map<String, String> requiredInfo = FastMap.newInstance(); Map<String, String> optionalInfo = FastMap.newInstance(); boolean verboseOn = Debug.verboseOn(); - if (verboseOn) Debug.logVerbose("[ModelService.validate] : {" + this.name + "} : Validating context - " + test, module); + if (verboseOn) Debug.logVerbose("[ModelService.validate] : {" + this.name + "} : Validating context - " + context, module); // do not validate results with errors - if (mode.equals(OUT_PARAM) && test != null && test.containsKey(RESPONSE_MESSAGE)) { - if (RESPOND_ERROR.equals(test.get(RESPONSE_MESSAGE)) || RESPOND_FAIL.equals(test.get(RESPONSE_MESSAGE))) { + if (mode.equals(OUT_PARAM) && context != null && context.containsKey(RESPONSE_MESSAGE)) { + if (RESPOND_ERROR.equals(context.get(RESPONSE_MESSAGE)) || RESPOND_FAIL.equals(context.get(RESPONSE_MESSAGE))) { if (verboseOn) Debug.logVerbose("[ModelService.validate] : {" + this.name + "} : response was an error, not validating.", module); return; } @@ -490,8 +491,8 @@ Map<String, Object> requiredTest = FastMap.newInstance(); Map<String, Object> optionalTest = FastMap.newInstance(); - if (test == null) test = FastMap.newInstance(); - requiredTest.putAll(test); + if (context == null) context = FastMap.newInstance(); + requiredTest.putAll(context); List<String> requiredButNull = FastList.newInstance(); List<String> keyList = FastList.newInstance(); 
@@ -545,6 +546,30 @@
 Debug.logError("[ModelService.validate] : {" + name + "} : (" + mode + ") Required test error: " + e.toString(), module);
 throw e;
 }
+
+ // required and type validation complete, do allow-html validation
+ if ("IN".equals(mode)) {
+ List<String> errorMessageList = FastList.newInstance();
+ for (ModelParam modelParam: this.contextInfo.values()) {
+ if (context.get(modelParam.name) != null &&
+ ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) &&
+ !"any".equals(modelParam.allowHtml) &&
+ ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) {
+ // the param is a String, allow-html is none or safe, and we are looking at an IN parameter during input parameter validation
+ String value = (String) context.get(modelParam.name);
+ if ("none".equals(modelParam.allowHtml)) {
+ value = StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList);
+ context.put(modelParam.name, value);
+ } else if ("safe".equals(modelParam.allowHtml)) {
+ value = StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList);
+ context.put(modelParam.name, value);
+ }
+ }
+ }
+ if (errorMessageList.size() > 0) {
+ throw new ServiceValidationException(errorMessageList, this, mode);
+ }
+ }
 }
 /**
Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java?rev=742352&r1=742351&r2=742352&view=diff ==============================================================================
--- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java (original)
+++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java Mon Feb 9 09:34:34 2009
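Review bot: A ModelParam whose `allowHtml` is still `null` (the field's initial value in ModelParam, which only ModelServiceReader replaces with "none") passes the `!"any".equals(modelParam.allowHtml)` guard but matches neither the `"none"` nor the `"safe"` branch, so its String value is silently left unchecked — a fail-open for any param not built by the reader. Since "none" is the documented default, treat null the same way: `if (modelParam.allowHtml == null || "none".equals(modelParam.allowHtml)) {`. The new block also compares mode against the literals `"IN"` and `"INOUT"` while the same method compares against the `OUT_PARAM` constant a few lines earlier; using the IN_PARAM/INOUT_PARAM constants would keep this consistent. Finally, `context.put(modelParam.name, value)` rewrites the caller's map with the canonicalized or sanitized value, which deserves a comment because callers may not expect validate() to modify the map it is given.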
@@ -56,7 +56,7 @@ /** * Generic Service - Service Definition Reader */ - +@SuppressWarnings("serial") public class ModelServiceReader implements Serializable { public static final String module = ModelServiceReader.class.getName(); @@ -510,6 +510,7 @@ param.mode = UtilXml.checkEmpty(autoElement.getAttribute("mode")).intern(); param.optional = "true".equalsIgnoreCase(autoElement.getAttribute("optional")); // default to true param.formDisplay = !"false".equalsIgnoreCase(autoElement.getAttribute("form-display")); // default to false + param.allowHtml = UtilXml.checkEmpty(autoElement.getAttribute("allow-html"), "none").intern(); // default to none modelParamMap.put(field.getName(), param); } } @@ -532,7 +533,7 @@ Debug.logError(e, "Problem loading auto-attributes [" + entityName + "] for " + service.name, module); } catch (GeneralException e) { Debug.logError(e, "Cannot load auto-attributes : " + e.getMessage() + " for " + service.name, module); - } + } } } @@ -551,6 +552,7 @@ param.formLabel = attribute.hasAttribute("form-label")?attribute.getAttribute("form-label").intern():null; param.optional = "true".equalsIgnoreCase(attribute.getAttribute("optional")); // default to true param.formDisplay = !"false".equalsIgnoreCase(attribute.getAttribute("form-display")); // default to false + param.allowHtml = UtilXml.checkEmpty(attribute.getAttribute("allow-html"), "none").intern(); // default to none // default value String defValue = attribute.getAttribute("default-value"); @@ -644,8 +646,8 @@ } protected void createOverrideDefs(Element baseElement, ModelService service) { - for (Element attribute: UtilXml.childElementList(baseElement, "override")) { - String name = UtilXml.checkEmpty(attribute.getAttribute("name")); + for (Element overrideElement: UtilXml.childElementList(baseElement, "override")) { + String name = UtilXml.checkEmpty(overrideElement.getAttribute("name")); ModelParam param = service.getParam(name); boolean directToParams = true; if (param == null) { 
@@ -662,38 +664,42 @@ if (param != null) { // set only modified values - if (attribute.getAttribute("type") != null && attribute.getAttribute("type").length() > 0) { - param.type = UtilXml.checkEmpty(attribute.getAttribute("type")).intern(); + if (UtilValidate.isNotEmpty(overrideElement.getAttribute("type"))) { + param.type = UtilXml.checkEmpty(overrideElement.getAttribute("type")).intern(); } - if (attribute.getAttribute("mode") != null && attribute.getAttribute("mode").length() > 0) { - param.mode = UtilXml.checkEmpty(attribute.getAttribute("mode")).intern(); + if (UtilValidate.isNotEmpty(overrideElement.getAttribute("mode"))) { + param.mode = UtilXml.checkEmpty(overrideElement.getAttribute("mode")).intern(); } - if (attribute.getAttribute("entity-name") != null && attribute.getAttribute("entity-name").length() > 0) { - param.entityName = UtilXml.checkEmpty(attribute.getAttribute("entity-name")).intern(); + if (UtilValidate.isNotEmpty(overrideElement.getAttribute("entity-name"))) { + param.entityName = UtilXml.checkEmpty(overrideElement.getAttribute("entity-name")).intern(); } - if (attribute.getAttribute("field-name") != null && attribute.getAttribute("field-name").length() > 0) { - param.fieldName = UtilXml.checkEmpty(attribute.getAttribute("field-name")).intern(); + if (UtilValidate.isNotEmpty(overrideElement.getAttribute("field-name"))) { + param.fieldName = UtilXml.checkEmpty(overrideElement.getAttribute("field-name")).intern(); } - if (attribute.getAttribute("form-label") != null && attribute.getAttribute("form-label").length() > 0) { - param.formLabel = UtilXml.checkEmpty(attribute.getAttribute("form-label")).intern(); + if (UtilValidate.isNotEmpty(overrideElement.getAttribute("form-label"))) { + param.formLabel = UtilXml.checkEmpty(overrideElement.getAttribute("form-label")).intern(); } - if (attribute.getAttribute("optional") != null && attribute.getAttribute("optional").length() > 0) { - param.optional = 
"true".equalsIgnoreCase(attribute.getAttribute("optional")); // default to true + if (UtilValidate.isNotEmpty(overrideElement.getAttribute("optional"))) { + param.optional = "true".equalsIgnoreCase(overrideElement.getAttribute("optional")); // default to true param.overrideOptional = true; } - if (attribute.getAttribute("form-display") != null && attribute.getAttribute("form-display").length() > 0) { - param.formDisplay = !"false".equalsIgnoreCase(attribute.getAttribute("form-display")); // default to false + if (UtilValidate.isNotEmpty(overrideElement.getAttribute("form-display"))) { + param.formDisplay = !"false".equalsIgnoreCase(overrideElement.getAttribute("form-display")); // default to false param.overrideFormDisplay = true; } + if (UtilValidate.isNotEmpty(overrideElement.getAttribute("allow-html"))) { + param.allowHtml = UtilXml.checkEmpty(overrideElement.getAttribute("allow-html")).intern(); + } + // default value - String defValue = attribute.getAttribute("default-value"); + String defValue = overrideElement.getAttribute("default-value"); if (UtilValidate.isNotEmpty(defValue)) { param.setDefaultValue(defValue); } // override validators - this.addValidators(attribute, param); + this.addValidators(overrideElement, param); if (directToParams) { service.addParam(param); |