Posted to dev@ofbiz.apache.org by Adrian Crum <ad...@sandglass-software.com> on 2014/12/29 16:48:00 UTC
Re: svn commit: r1648298 - in /ofbiz/trunk: applications/content/src/org/ofbiz/content/content/
framework/base/src/org/ofbiz/base/util/ framework/base/src/org/ofbiz/base/util/test/
framework/common/src/org/ofbiz/common/ framework/webapp/src/org/ofbiz/webap...
+ public static class UrlEncoder implements SimpleEncoder,
SimpleDecoder {
Since the class encodes and decodes URLs, can we call it UrlCodec?
Adrian Crum
Sandglass Software
www.sandglass-software.com
On 12/29/2014 9:24 AM, jacopoc@apache.org wrote:
> Author: jacopoc
> Date: Mon Dec 29 09:24:46 2014
> New Revision: 1648298
>
> URL: http://svn.apache.org/r1648298
> Log:
> A series of cleanup to the integration with OWASP ESAPI. Isolated dependencies on the external OWASP ESAPI jar into the StringUtil class.
>
>
> Modified:
> ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java
> ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
> ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
> ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
> ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java
> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java
> ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java
> ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java
> ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java
> ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java
>
> Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java (original)
> +++ ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java Mon Dec 29 09:24:46 2014
> @@ -39,7 +39,6 @@ import org.ofbiz.entity.Delegator;
> import org.ofbiz.entity.GenericValue;
> import org.ofbiz.entity.util.EntityQuery;
> import org.ofbiz.webapp.control.ContextFilter;
> -import org.owasp.esapi.errors.EncodingException;
>
> public class ContentUrlFilter extends ContextFilter {
> public final static String module = ContentUrlFilter.class.getName();
> @@ -118,14 +117,10 @@ public class ContentUrlFilter extends Co
> .queryFirst();
> if (contentAssocDataResource != null) {
> url = contentAssocDataResource.getString("drObjectInfo");
> - try {
> - url = StringUtil.defaultWebEncoder.decodeFromURL(url);
> - String mountPoint = request.getContextPath();
> - if (!(mountPoint.equals("/")) && !(mountPoint.equals(""))) {
> - url = mountPoint + url;
> - }
> - } catch (EncodingException e) {
> - Debug.logError(e, module);
> + url = StringUtil.getDecoder("url").decode(url);
> + String mountPoint = request.getContextPath();
> + if (!(mountPoint.equals("/")) && !(mountPoint.equals(""))) {
> + url = mountPoint + url;
> }
> }
> } catch (Exception e) {
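Review bot: `StringUtil.getDecoder("url").decode(url)` can return null, because the UrlEncoder.decode added in this commit catches EncodingException, logs it and returns null, and that null flows straight into `url = mountPoint + url`, so a drObjectInfo value that fails to decode now produces a "…null" URL where the old try/catch left the raw value untouched. The minimal fix keeps the original value when decoding fails: `String decoded = StringUtil.getDecoder("url").decode(url);` followed by `if (decoded != null) { url = decoded; }`. The same unchecked null reaches StringBuilder.append (which writes the literal text "null") at both `buf.append(StringUtil.getEncoder("url").encode(...))` lines in UtilHttp, is assigned to `requestUrl` in OfbizContentTransform, and reaches the `encode(value)` append in RequestHandler, where only the name side is null-checked. The enclosing method begins before this hunk and its outer catch block continues after it.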
>
> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java (original)
> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java Mon Dec 29 09:24:46 2014
> @@ -36,14 +36,12 @@ import java.util.regex.Pattern;
> import org.apache.commons.codec.DecoderException;
> import org.apache.commons.codec.binary.Hex;
> import org.ofbiz.base.lang.Appender;
> -import org.owasp.esapi.ValidationErrorList;
> -import org.owasp.esapi.Validator;
> import org.owasp.esapi.codecs.Codec;
> import org.owasp.esapi.codecs.HTMLEntityCodec;
> import org.owasp.esapi.codecs.PercentCodec;
> +import org.owasp.esapi.errors.EncodingException;
> import org.owasp.esapi.errors.IntrusionException;
> import org.owasp.esapi.reference.DefaultEncoder;
> -import org.owasp.esapi.reference.DefaultValidator;
>
> /**
> * Misc String Utility Functions
> @@ -56,15 +54,11 @@ public class StringUtil {
> // FIXME: Not thread safe
> protected static final Map<String, Pattern> substitutionPatternMap;
>
> - /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */
> - public static final boolean esapiCanonicalizeStrict = false;
> - public static final DefaultEncoder defaultWebEncoder;
> - public static final Validator defaultWebValidator;
> + private static final DefaultEncoder defaultWebEncoder;
> static {
> // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec
> List<Codec> codecList = Arrays.asList(new HTMLEntityCodec(), new PercentCodec());
> defaultWebEncoder = new DefaultEncoder(codecList);
> - defaultWebValidator = new DefaultValidator();
> substitutionPatternMap = new HashMap<String, Pattern>();
> substitutionPatternMap.put("&&", Pattern.compile("@and", Pattern.LITERAL));
> substitutionPatternMap.put("||", Pattern.compile("@or", Pattern.LITERAL));
> @@ -74,9 +68,10 @@ public class StringUtil {
> substitutionPatternMap.put(">", Pattern.compile("@gt", Pattern.LITERAL));
> }
>
> - public static final SimpleEncoder htmlEncoder = new HtmlEncoder();
> - public static final SimpleEncoder xmlEncoder = new XmlEncoder();
> - public static final SimpleEncoder stringEncoder = new StringEncoder();
> + private static final HtmlEncoder htmlEncoder = new HtmlEncoder();
> + private static final XmlEncoder xmlEncoder = new XmlEncoder();
> + private static final StringEncoder stringEncoder = new StringEncoder();
> + private static final UrlEncoder urlEncoder = new UrlEncoder();
>
> private StringUtil() {
> }
> @@ -85,6 +80,10 @@ public class StringUtil {
> public String encode(String original);
> }
>
> + public static interface SimpleDecoder {
> + public String decode(String original);
> + }
> +
> public static class HtmlEncoder implements SimpleEncoder {
> public String encode(String original) {
> return StringUtil.defaultWebEncoder.encodeForHTML(original);
> @@ -97,6 +96,26 @@ public class StringUtil {
> }
> }
>
> + public static class UrlEncoder implements SimpleEncoder, SimpleDecoder {
> + public String encode(String original) {
> + try {
> + return StringUtil.defaultWebEncoder.encodeForURL(original);
> + } catch (EncodingException ee) {
> + Debug.logError(ee, module);
> + return null;
> + }
> + }
> +
> + public String decode(String original) {
> + try {
> + return StringUtil.defaultWebEncoder.decodeFromURL(original);
> + } catch (EncodingException ee) {
> + Debug.logError(ee, module);
> + return null;
> + }
> + }
> + }
> +
> public static class StringEncoder implements SimpleEncoder {
> public String encode(String original) {
> if (original != null) {
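Review bot: UrlEncoder.encode and decode map an EncodingException to a null return, but neither method documents this, and null is a surprising result for a SimpleEncoder since HtmlEncoder.encode directly returns what the ESAPI encoder gives back. Callers introduced in this same commit append the result to StringBuilders or concatenate it, so the contract needs to be explicit: add Javadoc such as `/** Percent-encodes {@code original} with the ESAPI encoder; returns {@code null} (after logging) when the value cannot be encoded, so callers must handle the null. */` and the mirror text on decode. Given that a silently dropped encoding is easy to overlook in URL construction, it is worth considering whether an unchecked exception, or returning the unmodified input as the decode path effectively did before, is the safer failure mode here.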
> @@ -109,7 +128,9 @@ public class StringUtil {
> // ================== Begin General Functions ==================
>
> public static SimpleEncoder getEncoder(String type) {
> - if ("xml".equals(type)) {
> + if ("url".equals(type)) {
> + return StringUtil.urlEncoder;
> + } else if ("xml".equals(type)) {
> return StringUtil.xmlEncoder;
> } else if ("html".equals(type)) {
> return StringUtil.htmlEncoder;
> @@ -120,6 +141,14 @@ public class StringUtil {
> }
> }
>
> + public static SimpleDecoder getDecoder(String type) {
> + if ("url".equals(type)) {
> + return StringUtil.urlEncoder;
> + } else {
> + return null;
> + }
> + }
> +
> public static String internString(String value) {
> return value != null ? value.intern() : null;
> }
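Review bot: getDecoder returns null for every type other than "url", and every new call site chains `.decode(...)` directly on the result, so a mistyped type string becomes a NullPointerException at the caller rather than a descriptive error. Since the type argument is a compile-time constant at all visible call sites, failing loudly is cheap: `throw new IllegalArgumentException("Unknown decoder type: " + type);` in the else branch, or at minimum Javadoc stating that null is returned for unknown types. getEncoder appears to behave the same way for unknown types, so whichever contract is chosen should be applied to both.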
> @@ -594,6 +623,13 @@ public class StringUtil {
> return result;
> }
>
> + public static String canonicalize(String value) throws IntrusionException {
> + return defaultWebEncoder.canonicalize(value);
> + }
> +
> + public static String canonicalize(String value, boolean strict) throws IntrusionException {
> + return defaultWebEncoder.canonicalize(value, strict);
> + }
> /**
> * Uses a black-list approach for necessary characters for HTML.
> * Does not allow various characters (after canonicalization), including "<", ">", "&" (if not followed by a space), and "%" (if not followed by a space).
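Review bot: Both new canonicalize wrappers declare `throws IntrusionException`, which keeps an org.owasp.esapi type in StringUtil's public signature even though the commit log says the goal is to isolate the ESAPI dependency inside StringUtil; this is presumably why UtilHttp, which dropped its IntrusionException import, had to widen its catch to `Exception`. Either translate the ESAPI exception inside the wrapper into an exception type this module owns, or document that callers are expected to depend on ESAPI's exception hierarchy. The wrappers also carry no Javadoc, and the explanation that was deleted with the esapiCanonicalizeStrict constant ("strict=false only warns about double encoding; true raises exceptions") belongs on `canonicalize(String, boolean)` so the security meaning of the flag is visible at the API. A blank line is also missing between the second wrapper's closing brace and the `/**` that begins the next method's Javadoc.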
> @@ -606,7 +642,7 @@ public class StringUtil {
>
> // canonicalize, strict (error on double-encoding)
> try {
> - value = defaultWebEncoder.canonicalize(value, true);
> + value = canonicalize(value, true);
> } catch (IntrusionException e) {
> // NOTE: using different log and user targeted error messages to allow the end-user message to be less technical
> Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) error for attribute named [" + valueName + "], String [" + value + "]: " + e.toString(), module);
> @@ -651,21 +687,6 @@ public class StringUtil {
> return value;
> }
>
> - /**
> - * Uses a white-list approach to check for safe HTML.
> - * Based on the ESAPI validator configured in the antisamy-esapi.xml file.
> - *
> - * @param value
> - * @param errorMessageList
> - * @return String with updated value if needed for safer HTML.
> - */
> - public static String checkStringForHtmlSafeOnly(String valueName, String value, List<String> errorMessageList) {
> - ValidationErrorList vel = new ValidationErrorList();
> - value = defaultWebValidator.getValidSafeHTML(valueName, value, Integer.MAX_VALUE, true, vel);
> - errorMessageList.addAll(UtilGenerics.checkList(vel.errors(), String.class));
> - return value;
> - }
> -
> /**
> * Remove/collapse multiple newline characters
> *
>
> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java (original)
> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java Mon Dec 29 09:24:46 2014
> @@ -53,8 +53,6 @@ import org.apache.oro.text.regex.Malform
> import org.apache.oro.text.regex.Pattern;
> import org.apache.oro.text.regex.PatternMatcher;
> import org.apache.oro.text.regex.Perl5Matcher;
> -import org.owasp.esapi.errors.EncodingException;
> -import org.owasp.esapi.errors.IntrusionException;
>
> import com.ibm.icu.util.Calendar;
>
> @@ -251,10 +249,11 @@ public class UtilHttp {
>
> public static String canonicalizeParameter(String paramValue) {
> try {
> - String cannedStr = StringUtil.defaultWebEncoder.canonicalize(paramValue, StringUtil.esapiCanonicalizeStrict);
> + /** calling canonicalize with strict flag set to false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */
> + String cannedStr = StringUtil.canonicalize(paramValue, false);
> if (Debug.verboseOn()) Debug.logVerbose("Canonicalized parameter with " + (cannedStr.equals(paramValue) ? "no " : "") + "change: original [" + paramValue + "] canned [" + cannedStr + "]", module);
> return cannedStr;
> - } catch (IntrusionException e) {
> + } catch (Exception e) {
> Debug.logError(e, "Error in canonicalize parameter value [" + paramValue + "]: " + e.toString(), module);
> return paramValue;
> }
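Review bot: Widening `catch (IntrusionException e)` to `catch (Exception e)` makes canonicalizeParameter swallow every runtime failure, including programming errors, and return the un-canonicalized value as if it were a benign double-encoding warning, which is the opposite of what a canonicalization step is for. Since the new `StringUtil.canonicalize(String, boolean)` still declares IntrusionException, the narrow catch only stopped compiling because this file dropped the ESAPI import; the cleaner path is for StringUtil to translate that exception into a type UtilHttp can name without importing ESAPI, and then catch that type here. The comment added above the call is written as a Javadoc block (`/** ... */`) inside a method body; it should be a `//` line comment, e.g. `// strict=false: double encoding is only logged; set true to reject it with an exception`.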
> @@ -791,22 +790,14 @@ public class UtilHttp {
> buf.append("&");
> }
> }
> - try {
> - buf.append(StringUtil.defaultWebEncoder.encodeForURL(name));
> - } catch (EncodingException e) {
> - Debug.logError(e, module);
> - }
> + buf.append(StringUtil.getEncoder("url").encode(name));
> /* the old way: try {
> buf.append(URLEncoder.encode(name, "UTF-8"));
> } catch (UnsupportedEncodingException e) {
> Debug.logError(e, module);
> } */
> buf.append('=');
> - try {
> - buf.append(StringUtil.defaultWebEncoder.encodeForURL(valueStr));
> - } catch (EncodingException e) {
> - Debug.logError(e, module);
> - }
> + buf.append(StringUtil.getEncoder("url").encode(valueStr));
> /* the old way: try {
> buf.append(URLEncoder.encode(valueStr, "UTF-8"));
> } catch (UnsupportedEncodingException e) {
>
> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java (original)
> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java Mon Dec 29 09:24:46 2014
> @@ -303,9 +303,6 @@ public class StringUtilTests extends Gen
> checkStringForHtmlStrictNone_test("double-encoding", "%2%353Cscript", "%2%353Cscript", "In field [double-encoding] found character escaping (mixed or double) that is not allowed or other format consistency error: org.owasp.esapi.errors.IntrusionException: Input validation failure");
> }
>
> - public void testCheckStringForHtmlSafeOnly() {
> - }
> -
> public void testCollapseNewlines() {
> }
>
>
> Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java (original)
> +++ ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java Mon Dec 29 09:24:46 2014
> @@ -64,7 +64,6 @@ import org.ofbiz.service.ModelService;
> import org.ofbiz.service.ServiceSynchronization;
> import org.ofbiz.service.ServiceUtil;
> import org.ofbiz.service.mail.MimeMessageWrapper;
> -import org.owasp.esapi.errors.EncodingException;
>
> /**
> * Common Services
> @@ -539,17 +538,15 @@ public class CommonServices {
> }
>
> public static Map<String, Object> resetMetric(DispatchContext dctx, Map<String, ?> context) {
> - String name = (String) context.get("name");
> - try {
> - name = StringUtil.defaultWebEncoder.decodeFromURL(name);
> - } catch (EncodingException e) {
> - return ServiceUtil.returnError("Exception thrown while decoding metric name \"" + name + "\"");
> + String originalName = (String) context.get("name");
> + String name = StringUtil.getDecoder("url").decode(originalName);
> + if (name == null) {
> + return ServiceUtil.returnError("Exception thrown while decoding metric name \"" + originalName + "\"");
> }
> Metrics metric = MetricsFactory.getMetric(name);
> if (metric != null) {
> metric.reset();
> return ServiceUtil.returnSuccess();
> -
> }
> return ServiceUtil.returnError("Metric \"" + name + "\" not found.");
> }
>
> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Mon Dec 29 09:24:46 2014
> @@ -62,7 +62,6 @@ import org.ofbiz.webapp.view.ViewHandler
> import org.ofbiz.webapp.view.ViewHandlerException;
> import org.ofbiz.webapp.website.WebSiteProperties;
> import org.ofbiz.webapp.website.WebSiteWorker;
> -import org.owasp.esapi.errors.EncodingException;
> import org.python.modules.re;
>
> /**
> @@ -1116,13 +1115,11 @@ public class RequestHandler {
> if (queryString.length() > 1) {
> queryString.append("&");
> }
> -
> - try {
> - queryString.append(StringUtil.defaultWebEncoder.encodeForURL(name));
> + String encodedName = StringUtil.getEncoder("url").encode(name);
> + if (encodedName != null) {
> + queryString.append(encodedName);
> queryString.append("=");
> - queryString.append(StringUtil.defaultWebEncoder.encodeForURL(value));
> - } catch (EncodingException e) {
> - Debug.logError(e, module);
> + queryString.append(StringUtil.getEncoder("url").encode(value));
> }
> }
> }
>
> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java (original)
> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java Mon Dec 29 09:24:46 2014
> @@ -28,7 +28,6 @@ import org.ofbiz.base.util.Debug;
> import org.ofbiz.base.util.StringUtil;
> import org.ofbiz.base.util.UtilValidate;
> import org.ofbiz.webapp.taglib.ContentUrlTag;
> -import org.owasp.esapi.errors.EncodingException;
>
> import freemarker.core.Environment;
> import freemarker.ext.beans.BeanModel;
> @@ -93,11 +92,7 @@ public class OfbizContentTransform imple
> return;
> }
>
> - try {
> - requestUrl = StringUtil.defaultWebEncoder.decodeFromURL(requestUrl);
> - } catch (EncodingException e) {
> - Debug.logError(e, module);
> - }
> + requestUrl = StringUtil.getDecoder("url").decode(requestUrl);
>
> // make the link
> StringBuilder newURL = new StringBuilder();
>
> Modified: ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java (original)
> +++ ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java Mon Dec 29 09:24:46 2014
> @@ -40,7 +40,6 @@ import org.ofbiz.base.util.GeneralExcept
> import org.ofbiz.base.util.StringUtil;
> import org.ofbiz.base.util.UtilValidate;
> import org.ofbiz.base.util.UtilXml;
> -import org.owasp.esapi.errors.EncodingException;
> import org.w3c.dom.Comment;
> import org.w3c.dom.Document;
> import org.w3c.dom.Element;
> @@ -103,7 +102,7 @@ public class LabelManagerFactory {
> }
> }
>
> - public void findMatchingLabels(String component, String fileName, String key, String locale) throws MalformedURLException, SAXException, ParserConfigurationException, IOException, EncodingException, GeneralException {
> + public void findMatchingLabels(String component, String fileName, String key, String locale) throws MalformedURLException, SAXException, ParserConfigurationException, IOException, GeneralException {
> if (UtilValidate.isEmpty(component) && UtilValidate.isEmpty(fileName) && UtilValidate.isEmpty(key) && UtilValidate.isEmpty(locale)) {
> // Important! Don't allow unparameterized queries - doing so will result in loading the entire project into memory
> return;
> @@ -124,7 +123,7 @@ public class LabelManagerFactory {
> for (Node propertyNode : UtilXml.childNodeList(resourceElem.getFirstChild())) {
> if (propertyNode instanceof Element) {
> Element propertyElem = (Element) propertyNode;
> - String labelKey = StringUtil.defaultWebEncoder.canonicalize(propertyElem.getAttribute("key"));
> + String labelKey = StringUtil.canonicalize(propertyElem.getAttribute("key"));
> String labelComment = "";
> for (Node valueNode : UtilXml.childNodeList(propertyElem.getFirstChild())) {
> if (valueNode instanceof Element) {
> @@ -135,7 +134,7 @@ public class LabelManagerFactory {
> if( localeName.contains("_")) {
> localeName = localeName.replace('_', '-');
> }
> - String labelValue = StringUtil.defaultWebEncoder.canonicalize(UtilXml.nodeValue(valueElem.getFirstChild()));
> + String labelValue = StringUtil.canonicalize(UtilXml.nodeValue(valueElem.getFirstChild()));
> LabelInfo label = labels.get(labelKey + keySeparator + fileInfo.getFileName());
>
> if (UtilValidate.isEmpty(label)) {
> @@ -149,12 +148,12 @@ public class LabelManagerFactory {
> localesFound.add(localeName);
> labelComment = "";
> } else if (valueNode instanceof Comment) {
> - labelComment = labelComment + StringUtil.defaultWebEncoder.canonicalize(valueNode.getNodeValue());
> + labelComment = labelComment + StringUtil.canonicalize(valueNode.getNodeValue());
> }
> }
> labelKeyComment = "";
> } else if (propertyNode instanceof Comment) {
> - labelKeyComment = labelKeyComment + StringUtil.defaultWebEncoder.canonicalize(propertyNode.getNodeValue());
> + labelKeyComment = labelKeyComment + StringUtil.canonicalize(propertyNode.getNodeValue());
> }
> }
> }
>
> Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java (original)
> +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java Mon Dec 29 09:24:46 2014
> @@ -71,7 +71,7 @@ public class WidgetWorker {
> // We may get an encoded request like: /projectmgr/control/EditTaskContents?workEffortId=10003
> // Try to reducing a possibly encoded string down to its simplest form: /projectmgr/control/EditTaskContents?workEffortId=10003
> // This step make sure the following appending externalLoginKey operation to work correctly
> - localRequestName = StringUtil.defaultWebEncoder.canonicalize(localRequestName);
> + localRequestName = StringUtil.canonicalize(localRequestName);
> Appendable localWriter = new StringWriter();
>
> if ("intra-app".equals(targetType)) {
> @@ -300,7 +300,7 @@ public class WidgetWorker {
> writer.append("<input name=\"");
> writer.append(parameter.getKey());
> writer.append("\" value=\"");
> - writer.append(StringUtil.htmlEncoder.encode(parameter.getValue()));
> + writer.append(StringUtil.getEncoder("html").encode(parameter.getValue()));
> writer.append("\" type=\"hidden\"/>");
> }
> }
>
> Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java (original)
> +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java Mon Dec 29 09:24:46 2014
> @@ -3088,7 +3088,7 @@ public final class MacroFormRenderer imp
> parameters.append(parameter.getName());
> parameters.append("'");
> parameters.append(",'value':'");
> - parameters.append(StringUtil.htmlEncoder.encode(parameter.getValue(context)));
> + parameters.append(StringUtil.getEncoder("html").encode(parameter.getValue(context)));
> parameters.append("'}");
> }
> parameters.append("]");
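Review bot: The value encoded on the changed line is emitted inside a JavaScript-style single-quoted literal (`'value':'...'`), but it is run through the HTML encoder; the codecs configured for defaultWebEncoder in this commit are HTMLEntityCodec and PercentCodec only, so there is no JavaScript-context encoder available through getEncoder. Whether the HTML encoder escapes the single quote and backslash that would terminate that literal is not visible here, so this is pre-existing behaviour to confirm rather than a regression introduced by the access-style change. If it does not, the fix is to add a JavaScript encoder type to StringUtil and use it on this line; if it does, a short comment stating that the HTML encoding is relied on to neutralise quote characters in this JS context would stop the next reader from asking the same question. The enclosing method starts and ends outside this hunk.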
>
> Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java?rev=1648298&r1=1648297&r2=1648298&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java (original)
> +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java Mon Dec 29 09:24:46 2014
> @@ -88,7 +88,7 @@ public class HtmlWidget extends ModelScr
> }
> @Override
> public String getAsString() {
> - return StringUtil.htmlEncoder.encode(super.getAsString());
> + return StringUtil.getEncoder("html").encode(super.getAsString());
> }
> }
>
> @@ -100,7 +100,7 @@ public class HtmlWidget extends ModelScr
>
> @Override
> public String getAsString() {
> - return StringUtil.htmlEncoder.encode(super.getAsString());
> + return StringUtil.getEncoder("html").encode(super.getAsString());
> }
>
> }
>
>
Re: svn commit: r1648298 - in /ofbiz/trunk: applications/content/src/org/ofbiz/content/content/ framework/base/src/org/ofbiz/base/util/ framework/base/src/org/ofbiz/base/util/test/ framework/common/src/org/ofbiz/common/ framework/webapp/src/org/ofbiz/webap...
Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
You are reading my mind... I am in the process of doing some more refactoring, including this.
I will commit later today or (more probably) tomorrow.
Jacopo
On Dec 29, 2014, at 4:48 PM, Adrian Crum <ad...@sandglass-software.com> wrote:
> + public static class UrlEncoder implements SimpleEncoder, SimpleDecoder {
>
> Since the class encodes and decodes URLs, can we call it UrlCodec?
>
> Adrian Crum
> Sandglass Software
> www.sandglass-software.com
>
> On 12/29/2014 9:24 AM, jacopoc@apache.org wrote:
>> Author: jacopoc
>> Date: Mon Dec 29 09:24:46 2014
>> New Revision: 1648298
>>
>> URL: http://svn.apache.org/r1648298
>> Log:
>> A series of cleanup to the integration with OWASP ESAPI. Isolated dependencies on the external OWASP ESAPI jar into the StringUtil class.
>>
>>
>> Modified:
>> ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java
>> ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
>> ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
>> ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
>> ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java
>> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
>> ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java
>> ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java
>> ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java
>> ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java
>> ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java
>>
>> Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java (original)
>> +++ ofbiz/trunk/applications/content/src/org/ofbiz/content/content/ContentUrlFilter.java Mon Dec 29 09:24:46 2014
>> @@ -39,7 +39,6 @@ import org.ofbiz.entity.Delegator;
>> import org.ofbiz.entity.GenericValue;
>> import org.ofbiz.entity.util.EntityQuery;
>> import org.ofbiz.webapp.control.ContextFilter;
>> -import org.owasp.esapi.errors.EncodingException;
>>
>> public class ContentUrlFilter extends ContextFilter {
>> public final static String module = ContentUrlFilter.class.getName();
>> @@ -118,14 +117,10 @@ public class ContentUrlFilter extends Co
>> .queryFirst();
>> if (contentAssocDataResource != null) {
>> url = contentAssocDataResource.getString("drObjectInfo");
>> - try {
>> - url = StringUtil.defaultWebEncoder.decodeFromURL(url);
>> - String mountPoint = request.getContextPath();
>> - if (!(mountPoint.equals("/")) && !(mountPoint.equals(""))) {
>> - url = mountPoint + url;
>> - }
>> - } catch (EncodingException e) {
>> - Debug.logError(e, module);
>> + url = StringUtil.getDecoder("url").decode(url);
>> + String mountPoint = request.getContextPath();
>> + if (!(mountPoint.equals("/")) && !(mountPoint.equals(""))) {
>> + url = mountPoint + url;
>> }
>> }
>> } catch (Exception e) {
>>
>> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java (original)
>> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java Mon Dec 29 09:24:46 2014
>> @@ -36,14 +36,12 @@ import java.util.regex.Pattern;
>> import org.apache.commons.codec.DecoderException;
>> import org.apache.commons.codec.binary.Hex;
>> import org.ofbiz.base.lang.Appender;
>> -import org.owasp.esapi.ValidationErrorList;
>> -import org.owasp.esapi.Validator;
>> import org.owasp.esapi.codecs.Codec;
>> import org.owasp.esapi.codecs.HTMLEntityCodec;
>> import org.owasp.esapi.codecs.PercentCodec;
>> +import org.owasp.esapi.errors.EncodingException;
>> import org.owasp.esapi.errors.IntrusionException;
>> import org.owasp.esapi.reference.DefaultEncoder;
>> -import org.owasp.esapi.reference.DefaultValidator;
>>
>> /**
>> * Misc String Utility Functions
>> @@ -56,15 +54,11 @@ public class StringUtil {
>> // FIXME: Not thread safe
>> protected static final Map<String, Pattern> substitutionPatternMap;
>>
>> - /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */
>> - public static final boolean esapiCanonicalizeStrict = false;
>> - public static final DefaultEncoder defaultWebEncoder;
>> - public static final Validator defaultWebValidator;
>> + private static final DefaultEncoder defaultWebEncoder;
>> static {
>> // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, VBScriptCodec, WindowsCodec
>> List<Codec> codecList = Arrays.asList(new HTMLEntityCodec(), new PercentCodec());
>> defaultWebEncoder = new DefaultEncoder(codecList);
>> - defaultWebValidator = new DefaultValidator();
>> substitutionPatternMap = new HashMap<String, Pattern>();
>> substitutionPatternMap.put("&&", Pattern.compile("@and", Pattern.LITERAL));
>> substitutionPatternMap.put("||", Pattern.compile("@or", Pattern.LITERAL));
>> @@ -74,9 +68,10 @@ public class StringUtil {
>> substitutionPatternMap.put(">", Pattern.compile("@gt", Pattern.LITERAL));
>> }
>>
>> - public static final SimpleEncoder htmlEncoder = new HtmlEncoder();
>> - public static final SimpleEncoder xmlEncoder = new XmlEncoder();
>> - public static final SimpleEncoder stringEncoder = new StringEncoder();
>> + private static final HtmlEncoder htmlEncoder = new HtmlEncoder();
>> + private static final XmlEncoder xmlEncoder = new XmlEncoder();
>> + private static final StringEncoder stringEncoder = new StringEncoder();
>> + private static final UrlEncoder urlEncoder = new UrlEncoder();
>>
>> private StringUtil() {
>> }
>> @@ -85,6 +80,10 @@ public class StringUtil {
>> public String encode(String original);
>> }
>>
>> + public static interface SimpleDecoder {
>> + public String decode(String original);
>> + }
>> +
>> public static class HtmlEncoder implements SimpleEncoder {
>> public String encode(String original) {
>> return StringUtil.defaultWebEncoder.encodeForHTML(original);
>> @@ -97,6 +96,26 @@ public class StringUtil {
>> }
>> }
>>
>> + public static class UrlEncoder implements SimpleEncoder, SimpleDecoder {
>> + public String encode(String original) {
>> + try {
>> + return StringUtil.defaultWebEncoder.encodeForURL(original);
>> + } catch (EncodingException ee) {
>> + Debug.logError(ee, module);
>> + return null;
>> + }
>> + }
>> +
>> + public String decode(String original) {
>> + try {
>> + return StringUtil.defaultWebEncoder.decodeFromURL(original);
>> + } catch (EncodingException ee) {
>> + Debug.logError(ee, module);
>> + return null;
>> + }
>> + }
>> + }
>> +
>> public static class StringEncoder implements SimpleEncoder {
>> public String encode(String original) {
>> if (original != null) {
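Review bot: Both encode and decode turn an EncodingException into a null return, and the callers this commit rewrites do not all cope with that: UtilHttp (hunk @@ -791) and RequestHandler (hunk @@ -1116, for `value`) pass the result straight to `StringBuilder.append`, which writes the literal text `null` into the generated URL where the old code appended nothing, and OfbizContentTransform (hunk @@ -93) assigns the result to requestUrl, so a decode failure now yields a null URL where the old code kept the original value. For decode the exception is raised on request-supplied data, so this path is reachable by a client sending malformed percent-escapes, and a logged error followed by a null sentinel is easy to miss at the call sites. Either document the null contract on SimpleEncoder/SimpleDecoder and null-check every call site (`if (encoded != null) buf.append(encoded);`), or rethrow as an unchecked OFBiz exception so the failure cannot be silently concatenated. A short Javadoc on UrlEncoder stating that it percent-encodes/decodes via the ESAPI encoder and what it returns on failure would also help.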
>> @@ -109,7 +128,9 @@ public class StringUtil {
>> // ================== Begin General Functions ==================
>>
>> public static SimpleEncoder getEncoder(String type) {
>> - if ("xml".equals(type)) {
>> + if ("url".equals(type)) {
>> + return StringUtil.urlEncoder;
>> + } else if ("xml".equals(type)) {
>> return StringUtil.xmlEncoder;
>> } else if ("html".equals(type)) {
>> return StringUtil.htmlEncoder;
>> @@ -120,6 +141,14 @@ public class StringUtil {
>> }
>> }
>>
>> + public static SimpleDecoder getDecoder(String type) {
>> + if ("url".equals(type)) {
>> + return StringUtil.urlEncoder;
>> + } else {
>> + return null;
>> + }
>> + }
>> +
>> public static String internString(String value) {
>> return value != null ? value.intern() : null;
>> }
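Review bot: getDecoder returns null for every type other than "url", and the callers added in this commit chain it as `StringUtil.getDecoder("url").decode(...)`, so a misspelled or unsupported type surfaces as a NullPointerException at the call site rather than a message naming the type. Consider `throw new IllegalArgumentException("Unknown decoder type: " + type);` in the else branch, or if null is the intended contract, add `/** @return the decoder for the given type, or null if no decoder is registered for it */` and null-check at callers. getEncoder, whose fallback branch sits just above this hunk, should follow the same convention.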
>> @@ -594,6 +623,13 @@ public class StringUtil {
>> return result;
>> }
>>
>> + public static String canonicalize(String value) throws IntrusionException {
>> + return defaultWebEncoder.canonicalize(value);
>> + }
>> +
>> + public static String canonicalize(String value, boolean strict) throws IntrusionException {
>> + return defaultWebEncoder.canonicalize(value, strict);
>> + }
>> /**
>> * Uses a black-list approach for necessary characters for HTML.
>> * Does not allow various characters (after canonicalization), including "<", ">", "&" (if not followed by a space), and "%" (if not followed by a space).
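Review bot: The two new canonicalize overloads are public entry points without Javadoc, and the `strict` flag is the security-relevant knob: per the comment at the call site below ("canonicalize, strict (error on double-encoding)") strict mode raises IntrusionException on mixed or double encoding while non-strict only warns, which is exactly what a caller needs to read before picking a value. Suggest a Javadoc on the two-argument form explaining that it canonicalizes mixed and multiple encodings via the ESAPI encoder, that `strict` makes double-encoded input an IntrusionException instead of a logged warning, and noting `@throws IntrusionException`, with the one-argument form documented as delegating with the encoder's default strictness. Note also that `throws IntrusionException` still exposes an ESAPI type in a public StringUtil signature, which is why UtilHttp in this same commit had to fall back to `catch (Exception e)`; wrapping it in an OFBiz exception type would complete the isolation the log message describes. A blank line is missing between the closing brace and the following `/**` block.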
>> @@ -606,7 +642,7 @@ public class StringUtil {
>>
>> // canonicalize, strict (error on double-encoding)
>> try {
>> - value = defaultWebEncoder.canonicalize(value, true);
>> + value = canonicalize(value, true);
>> } catch (IntrusionException e) {
>> // NOTE: using different log and user targeted error messages to allow the end-user message to be less technical
>> Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) error for attribute named [" + valueName + "], String [" + value + "]: " + e.toString(), module);
>> @@ -651,21 +687,6 @@ public class StringUtil {
>> return value;
>> }
>>
>> - /**
>> - * Uses a white-list approach to check for safe HTML.
>> - * Based on the ESAPI validator configured in the antisamy-esapi.xml file.
>> - *
>> - * @param value
>> - * @param errorMessageList
>> - * @return String with updated value if needed for safer HTML.
>> - */
>> - public static String checkStringForHtmlSafeOnly(String valueName, String value, List<String> errorMessageList) {
>> - ValidationErrorList vel = new ValidationErrorList();
>> - value = defaultWebValidator.getValidSafeHTML(valueName, value, Integer.MAX_VALUE, true, vel);
>> - errorMessageList.addAll(UtilGenerics.checkList(vel.errors(), String.class));
>> - return value;
>> - }
>> -
>> /**
>> * Remove/collapse multiple newline characters
>> *
>>
>> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java (original)
>> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/UtilHttp.java Mon Dec 29 09:24:46 2014
>> @@ -53,8 +53,6 @@ import org.apache.oro.text.regex.Malform
>> import org.apache.oro.text.regex.Pattern;
>> import org.apache.oro.text.regex.PatternMatcher;
>> import org.apache.oro.text.regex.Perl5Matcher;
>> -import org.owasp.esapi.errors.EncodingException;
>> -import org.owasp.esapi.errors.IntrusionException;
>>
>> import com.ibm.icu.util.Calendar;
>>
>> @@ -251,10 +249,11 @@ public class UtilHttp {
>>
>> public static String canonicalizeParameter(String paramValue) {
>> try {
>> - String cannedStr = StringUtil.defaultWebEncoder.canonicalize(paramValue, StringUtil.esapiCanonicalizeStrict);
>> + /** calling canonicalize with strict flag set to false so we only get warnings about double encoding, etc; can be set to true for exceptions and more security */
>> + String cannedStr = StringUtil.canonicalize(paramValue, false);
>> if (Debug.verboseOn()) Debug.logVerbose("Canonicalized parameter with " + (cannedStr.equals(paramValue) ? "no " : "") + "change: original [" + paramValue + "] canned [" + cannedStr + "]", module);
>> return cannedStr;
>> - } catch (IntrusionException e) {
>> + } catch (Exception e) {
>> Debug.logError(e, "Error in canonicalize parameter value [" + paramValue + "]: " + e.toString(), module);
>> return paramValue;
>> }
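Review bot: The old call passed the configurable `StringUtil.esapiCanonicalizeStrict` and the new one hard-codes `false`, so the strict mode the added comment says "can be set to true for exceptions and more security" can no longer be switched on without a code change; if the flag was dropped on purpose, the comment should say so, otherwise keep it as a parameter or a StringUtil setting. The widened `catch (Exception e)` now also swallows NullPointerException and other programming errors into the same log-and-return path; if IntrusionException cannot be imported here by design, have StringUtil.canonicalize rethrow an OFBiz exception type that this code can catch narrowly, or at least use `catch (RuntimeException e)`. The `/** ... */` comment is inside a method body where Javadoc is not collected, so `// ...` is the right form. canonicalizeParameter's signature is the first line of the hunk but the enclosing class continues outside it.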
>> @@ -791,22 +790,14 @@ public class UtilHttp {
>> buf.append("&");
>> }
>> }
>> - try {
>> - buf.append(StringUtil.defaultWebEncoder.encodeForURL(name));
>> - } catch (EncodingException e) {
>> - Debug.logError(e, module);
>> - }
>> + buf.append(StringUtil.getEncoder("url").encode(name));
>> /* the old way: try {
>> buf.append(URLEncoder.encode(name, "UTF-8"));
>> } catch (UnsupportedEncodingException e) {
>> Debug.logError(e, module);
>> } */
>> buf.append('=');
>> - try {
>> - buf.append(StringUtil.defaultWebEncoder.encodeForURL(valueStr));
>> - } catch (EncodingException e) {
>> - Debug.logError(e, module);
>> - }
>> + buf.append(StringUtil.getEncoder("url").encode(valueStr));
>> /* the old way: try {
>> buf.append(URLEncoder.encode(valueStr, "UTF-8"));
>> } catch (UnsupportedEncodingException e) {
>>
>> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java (original)
>> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/test/StringUtilTests.java Mon Dec 29 09:24:46 2014
>> @@ -303,9 +303,6 @@ public class StringUtilTests extends Gen
>> checkStringForHtmlStrictNone_test("double-encoding", "%2%353Cscript", "%2%353Cscript", "In field [double-encoding] found character escaping (mixed or double) that is not allowed or other format consistency error: org.owasp.esapi.errors.IntrusionException: Input validation failure");
>> }
>>
>> - public void testCheckStringForHtmlSafeOnly() {
>> - }
>> -
>> public void testCollapseNewlines() {
>> }
>>
>>
>> Modified: ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java (original)
>> +++ ofbiz/trunk/framework/common/src/org/ofbiz/common/CommonServices.java Mon Dec 29 09:24:46 2014
>> @@ -64,7 +64,6 @@ import org.ofbiz.service.ModelService;
>> import org.ofbiz.service.ServiceSynchronization;
>> import org.ofbiz.service.ServiceUtil;
>> import org.ofbiz.service.mail.MimeMessageWrapper;
>> -import org.owasp.esapi.errors.EncodingException;
>>
>> /**
>> * Common Services
>> @@ -539,17 +538,15 @@ public class CommonServices {
>> }
>>
>> public static Map<String, Object> resetMetric(DispatchContext dctx, Map<String, ?> context) {
>> - String name = (String) context.get("name");
>> - try {
>> - name = StringUtil.defaultWebEncoder.decodeFromURL(name);
>> - } catch (EncodingException e) {
>> - return ServiceUtil.returnError("Exception thrown while decoding metric name \"" + name + "\"");
>> + String originalName = (String) context.get("name");
>> + String name = StringUtil.getDecoder("url").decode(originalName);
>> + if (name == null) {
>> + return ServiceUtil.returnError("Exception thrown while decoding metric name \"" + originalName + "\"");
>> }
>> Metrics metric = MetricsFactory.getMetric(name);
>> if (metric != null) {
>> metric.reset();
>> return ServiceUtil.returnSuccess();
>> -
>> }
>> return ServiceUtil.returnError("Metric \"" + name + "\" not found.");
>> }
>>
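Review bot: The `name == null` check reports "Exception thrown while decoding metric name" for two different situations: a genuine decode failure, and a request that simply omitted the "name" parameter, if the decoder passes null through for null input (not visible here; confirm against UrlEncoder/ESAPI). A separate `if (originalName == null) return ServiceUtil.returnError("Missing metric name");` before the decode keeps the error messages accurate and avoids logging a spurious decoding error for a missing field. The rest of the method is unchanged and correctly uses originalName in the message.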
>> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
>> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Mon Dec 29 09:24:46 2014
>> @@ -62,7 +62,6 @@ import org.ofbiz.webapp.view.ViewHandler
>> import org.ofbiz.webapp.view.ViewHandlerException;
>> import org.ofbiz.webapp.website.WebSiteProperties;
>> import org.ofbiz.webapp.website.WebSiteWorker;
>> -import org.owasp.esapi.errors.EncodingException;
>> import org.python.modules.re;
>>
>> /**
>> @@ -1116,13 +1115,11 @@ public class RequestHandler {
>> if (queryString.length() > 1) {
>> queryString.append("&");
>> }
>> -
>> - try {
>> - queryString.append(StringUtil.defaultWebEncoder.encodeForURL(name));
>> + String encodedName = StringUtil.getEncoder("url").encode(name);
>> + if (encodedName != null) {
>> + queryString.append(encodedName);
>> queryString.append("=");
>> - queryString.append(StringUtil.defaultWebEncoder.encodeForURL(value));
>> - } catch (EncodingException e) {
>> - Debug.logError(e, module);
>> + queryString.append(StringUtil.getEncoder("url").encode(value));
>> }
>> }
>> }
>>
>> Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java (original)
>> +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/ftl/OfbizContentTransform.java Mon Dec 29 09:24:46 2014
>> @@ -28,7 +28,6 @@ import org.ofbiz.base.util.Debug;
>> import org.ofbiz.base.util.StringUtil;
>> import org.ofbiz.base.util.UtilValidate;
>> import org.ofbiz.webapp.taglib.ContentUrlTag;
>> -import org.owasp.esapi.errors.EncodingException;
>>
>> import freemarker.core.Environment;
>> import freemarker.ext.beans.BeanModel;
>> @@ -93,11 +92,7 @@ public class OfbizContentTransform imple
>> return;
>> }
>>
>> - try {
>> - requestUrl = StringUtil.defaultWebEncoder.decodeFromURL(requestUrl);
>> - } catch (EncodingException e) {
>> - Debug.logError(e, module);
>> - }
>> + requestUrl = StringUtil.getDecoder("url").decode(requestUrl);
>>
>> // make the link
>> StringBuilder newURL = new StringBuilder();
>>
>> Modified: ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java (original)
>> +++ ofbiz/trunk/framework/webtools/src/org/ofbiz/webtools/labelmanager/LabelManagerFactory.java Mon Dec 29 09:24:46 2014
>> @@ -40,7 +40,6 @@ import org.ofbiz.base.util.GeneralExcept
>> import org.ofbiz.base.util.StringUtil;
>> import org.ofbiz.base.util.UtilValidate;
>> import org.ofbiz.base.util.UtilXml;
>> -import org.owasp.esapi.errors.EncodingException;
>> import org.w3c.dom.Comment;
>> import org.w3c.dom.Document;
>> import org.w3c.dom.Element;
>> @@ -103,7 +102,7 @@ public class LabelManagerFactory {
>> }
>> }
>>
>> - public void findMatchingLabels(String component, String fileName, String key, String locale) throws MalformedURLException, SAXException, ParserConfigurationException, IOException, EncodingException, GeneralException {
>> + public void findMatchingLabels(String component, String fileName, String key, String locale) throws MalformedURLException, SAXException, ParserConfigurationException, IOException, GeneralException {
>> if (UtilValidate.isEmpty(component) && UtilValidate.isEmpty(fileName) && UtilValidate.isEmpty(key) && UtilValidate.isEmpty(locale)) {
>> // Important! Don't allow unparameterized queries - doing so will result in loading the entire project into memory
>> return;
>> @@ -124,7 +123,7 @@ public class LabelManagerFactory {
>> for (Node propertyNode : UtilXml.childNodeList(resourceElem.getFirstChild())) {
>> if (propertyNode instanceof Element) {
>> Element propertyElem = (Element) propertyNode;
>> - String labelKey = StringUtil.defaultWebEncoder.canonicalize(propertyElem.getAttribute("key"));
>> + String labelKey = StringUtil.canonicalize(propertyElem.getAttribute("key"));
>> String labelComment = "";
>> for (Node valueNode : UtilXml.childNodeList(propertyElem.getFirstChild())) {
>> if (valueNode instanceof Element) {
>> @@ -135,7 +134,7 @@ public class LabelManagerFactory {
>> if( localeName.contains("_")) {
>> localeName = localeName.replace('_', '-');
>> }
>> - String labelValue = StringUtil.defaultWebEncoder.canonicalize(UtilXml.nodeValue(valueElem.getFirstChild()));
>> + String labelValue = StringUtil.canonicalize(UtilXml.nodeValue(valueElem.getFirstChild()));
>> LabelInfo label = labels.get(labelKey + keySeparator + fileInfo.getFileName());
>>
>> if (UtilValidate.isEmpty(label)) {
>> @@ -149,12 +148,12 @@ public class LabelManagerFactory {
>> localesFound.add(localeName);
>> labelComment = "";
>> } else if (valueNode instanceof Comment) {
>> - labelComment = labelComment + StringUtil.defaultWebEncoder.canonicalize(valueNode.getNodeValue());
>> + labelComment = labelComment + StringUtil.canonicalize(valueNode.getNodeValue());
>> }
>> }
>> labelKeyComment = "";
>> } else if (propertyNode instanceof Comment) {
>> - labelKeyComment = labelKeyComment + StringUtil.defaultWebEncoder.canonicalize(propertyNode.getNodeValue());
>> + labelKeyComment = labelKeyComment + StringUtil.canonicalize(propertyNode.getNodeValue());
>> }
>> }
>> }
>>
>> Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java (original)
>> +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/WidgetWorker.java Mon Dec 29 09:24:46 2014
>> @@ -71,7 +71,7 @@ public class WidgetWorker {
>> // We may get an encoded request like: /projectmgr/control/EditTaskContents?workEffortId=10003
>> // Try to reducing a possibly encoded string down to its simplest form: /projectmgr/control/EditTaskContents?workEffortId=10003
>> // This step make sure the following appending externalLoginKey operation to work correctly
>> - localRequestName = StringUtil.defaultWebEncoder.canonicalize(localRequestName);
>> + localRequestName = StringUtil.canonicalize(localRequestName);
>> Appendable localWriter = new StringWriter();
>>
>> if ("intra-app".equals(targetType)) {
>> @@ -300,7 +300,7 @@ public class WidgetWorker {
>> writer.append("<input name=\"");
>> writer.append(parameter.getKey());
>> writer.append("\" value=\"");
>> - writer.append(StringUtil.htmlEncoder.encode(parameter.getValue()));
>> + writer.append(StringUtil.getEncoder("html").encode(parameter.getValue()));
>> writer.append("\" type=\"hidden\"/>");
>> }
>> }
>>
>> Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java (original)
>> +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/form/MacroFormRenderer.java Mon Dec 29 09:24:46 2014
>> @@ -3088,7 +3088,7 @@ public final class MacroFormRenderer imp
>> parameters.append(parameter.getName());
>> parameters.append("'");
>> parameters.append(",'value':'");
>> - parameters.append(StringUtil.htmlEncoder.encode(parameter.getValue(context)));
>> + parameters.append(StringUtil.getEncoder("html").encode(parameter.getValue(context)));
>> parameters.append("'}");
>> }
>> parameters.append("]");
>>
>> Modified: ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java?rev=1648298&r1=1648297&r2=1648298&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java (original)
>> +++ ofbiz/trunk/framework/widget/src/org/ofbiz/widget/screen/HtmlWidget.java Mon Dec 29 09:24:46 2014
>> @@ -88,7 +88,7 @@ public class HtmlWidget extends ModelScr
>> }
>> @Override
>> public String getAsString() {
>> - return StringUtil.htmlEncoder.encode(super.getAsString());
>> + return StringUtil.getEncoder("html").encode(super.getAsString());
>> }
>> }
>>
>> @@ -100,7 +100,7 @@ public class HtmlWidget extends ModelScr
>>
>> @Override
>> public String getAsString() {
>> - return StringUtil.htmlEncoder.encode(super.getAsString());
>> + return StringUtil.getEncoder("html").encode(super.getAsString());
>> }
>>
>> }
>>
>>