svn commit: r757318 - /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java

Author: jonesde
Date: Mon Mar 23 04:50:57 2009
New Revision: 757318

URL: http://svn.apache.org/viewvc?rev=757318&view=rev
Log:
Small change so that if a service attribute has allow-html=any then don't canonicalize the input, i.e. get it straight from the request; this fixes Jira #OFBIZ-2231 and should fix other related issues, and should not open any security holes (except from trusted users, as long as services are set up correctly)

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=757318&r1=757317&r2=757318&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Mon Mar 23 04:50:57 2009
@@ -276,8 +276,13 @@
                         // NOTTODO: we could allow URL parameters when it is not a POST (ie when !request.getMethod().equalsIgnoreCase("POST")), but that would open a security hole where sensitive parameters can be passed on the URL in a GET/etc and bypass this security constraint
                     }
 
-                    // use the rawParametersMap from UtilHttp in order to also get pathInfo parameters, do canonicalization, etc
-                    value = rawParametersMap.get(name);
+                    // if the service modelParam has allow-html="any" then get this direct from the request instead of in the parameters Map so there will be no canonicalization possibly messing things up
+                    if ("any".equals(modelParam.allowHtml)) {
+                        value = request.getParameter(name);
+                    } else {
+                        // use the rawParametersMap from UtilHttp in order to also get pathInfo parameters, do canonicalization, etc
+                        value = rawParametersMap.get(name);
+                    }
 
                     // make any composite parameter data (e.g., from a set of parameters {name_c_date, name_c_hour, name_c_minutes})
                     if (value == null) {
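Review bot: the new `allow-html="any"` branch reads only `request.getParameter(name)`, so it no longer sees the pathInfo parameters that the comment on the `else` branch says `rawParametersMap` was used to pick up; a parameter with `allow-html="any"` that is supplied via pathInfo will now come back `null` and fall into the composite-parameter handling below instead of being bound. Either document that `allow-html="any"` attributes must be sent as request parameters, or keep a fallback such as `if (value == null) { value = rawParametersMap.get(name); }` inside the `any` branch (noting in the comment that the fallback value is the canonicalized one). Separately, since this branch deliberately skips canonicalization, the comment should state that `allow-html="any"` is only expected on attributes of services that already restrict who can call them, as the log message assumes, so a future reader does not apply it to an unauthenticated service.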