Posted to user@ofbiz.apache.org by masionas <mi...@gmail.com> on 2009/04/22 17:59:42 UTC
Disable HTML Encoding Output
Hi Guys,
How can I disable html encoding on output which was brought with new
security implementation? Is there a way to do it in request map or screen
definition? Thank you.
--
View this message in context: http://www.nabble.com/Disable-HTML-Encoding-Output-tp23175536p23175536.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
Re: Disable HTML Encoding Output
Posted by Jacques Le Roux <ja...@les7arts.com>.
Have a look at ServiceEventHandler.checkSecureParameter()
Jacques
From: "masionas" <mi...@gmail.com>
>
> Hi Guys,
>
> How can I disable html encoding on output which was brought with new
> security implementation? Is there a way to do it in request map or screen
> definition? Thank you.
Re: Disable HTML Encoding Output
Posted by masionas <mi...@gmail.com>.
Having problem again with 772685 revision. Now it started to add the doc type
header while I do not need it, because I use html 4.01 strict for the
consumer site. Is it configurable and can be switched off? Let me know
please. Thanks.
"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
"
Re: Disable HTML Encoding Output
Posted by masionas <mi...@gmail.com>.
Ok. Got it working this way. First escapeJavaScript() like I did and then
execute on escaped wrapString().
Thanks.
masionas wrote:
>
> Hi David,
>
> Actually I think I found where it is started to be encoded. To pass the
> strings back to javascript as ajax response I escape them by this method
>
> <#assign sliderDivEscaped=
> Static["org.apache.commons.lang.StringEscapeUtils"].escapeJavaScript(.vars["sliderDiv"])>
>
> And it looks like escapeJavaScript() method started to escape html chars
> as well now. Which was not the case before I merged with a new version
> (09.04)
Re: Disable HTML Encoding Output
Posted by masionas <mi...@gmail.com>.
Hi David,
Actually I think I found where it is started to be encoded. To pass the
strings back to javascript as ajax response I escape them by this method
<#assign sliderDivEscaped=
Static["org.apache.commons.lang.StringEscapeUtils"].escapeJavaScript(.vars["sliderDiv"])>
And it looks like escapeJavaScript() method started to escape html chars as
well now. Which was not the case before I merged with a new version (09.04)
David E Jones-3 wrote:
>
>
> There was an answer to this in another thread earlier today...
> something about:
>
> ${StringUtil.wrapString(productPromo.promoText?if_exists)}
>
> -David
Re: Disable HTML Encoding Output
Posted by masionas <mi...@gmail.com>.
wrapString() works differently too now. The question is simple: how can I NOT
have html escaped? Let me know please. I need to use raw html in ajax
response without any escapes or doc types attached. Thank you in advance.
David E Jones-3 wrote:
>
>
> There was an answer to this in another thread earlier today...
> something about:
>
> ${StringUtil.wrapString(productPromo.promoText?if_exists)}
>
> -David
Re: Disable HTML Encoding Output
Posted by David E Jones <da...@hotwaxmedia.com>.
There was an answer to this in another thread earlier today...
something about:
${StringUtil.wrapString(productPromo.promoText?if_exists)}
-David
On Apr 23, 2009, at 1:26 AM, masionas wrote:
>
> Hi David,
>
> Here is what I have:
>
> Ajax request which maps to a screen definition of couple groovy files and
> ftl. Groovy file calls CategoryContentWorker methods to get content of
> category, then this content is put into ftl which is returned as a piece of
> html ready to be assigned to a DIV element on the page.
> Without security enhancement FTL returned raw (not auto-encoded) html as it
> was expected. But with the latest release it auto encodes the tags and other
> html chars. For example, <, >, \r,\n etc. And hence when I assign it
> to a DIV it is not a "real" html anymore, but encoded stuff.
Re: Disable HTML Encoding Output
Posted by masionas <mi...@gmail.com>.
Hi David,
Here is what I have:
Ajax request which maps to a screen definition of couple groovy files and
ftl. Groovy file calls CategoryContentWorker methods to get content of
category, then this content is put into ftl which is returned as a piece of
html ready to be assigned to a DIV element on the page.
Without security enhancement FTL returned raw (not auto-encoded) html as it
was expected. But with the latest release it auto encodes the tags and other
html chars. For example, <, >, \r,\n etc. And hence when I assign it
to a DIV it is not a "real" html anymore, but encoded stuff.
David E Jones-3 wrote:
>
>
> Could you be more specific? Which file, or at least type of file, are
> you looking at?
>
> What is the behavior you want, and what is actually happening?
>
> -David
Re: Disable HTML Encoding Output
Posted by David E Jones <da...@hotwaxmedia.com>.
Could you be more specific? Which file, or at least type of file, are
you looking at?
What is the behavior you want, and what is actually happening?
-David
On Apr 22, 2009, at 9:59 AM, masionas wrote:
>
> Hi Guys,
>
> How can I disable html encoding on output which was brought with new
> security implementation? Is there a way to do it in request map or screen
> definition? Thank you.
>
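Added example, not code from this thread or from OFBiz: the thread involves two different output contexts, HTML encoding and JavaScript string escaping, and once automatic HTML encoding is bypassed for a fragment (as with the wrapString() call suggested above), each data value placed into that fragment has to be HTML-encoded on its own. The helper names (encodeHtml, escapeJsString, renderSlider) and the category data are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers and constructed data, not OFBiz code.

// HTML-encode a value for element content or a quoted attribute.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape a value for use inside a JavaScript string literal.
// This is a separate context: it does not make the value safe as HTML.
function escapeJsString(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\//g, '\\/'); // keeps "</script>" from ending an inline script block
}

// Render the fragment: template markup stays raw, each data value is encoded.
function renderSlider(category) {
  return '<div class="slider" title="' + encodeHtml(category.name) + '">\n' +
         '  <p>' + encodeHtml(category.description) + '</p>\n' +
         '</div>';
}

// Constructed category content, standing in for data returned by a content lookup.
const category = {
  name: 'Garden "Tools" & More',
  description: 'Spades <b>50% off</b>\nwhile stocks last',
};

// Markup is live, data is inert: this is what should reach the DIV.
const fragment = renderSlider(category);

// The symptom described in the thread: the whole fragment encoded a second time,
// so the browser shows the tags as text instead of rendering them.
const doubleEncoded = encodeHtml(fragment);

// The fragment carried inside a JS string literal in the AJAX response.
const jsLiteral = "'" + escapeJsString(fragment) + "'";
```

Evaluating jsLiteral in the browser yields the original fragment again, so the HTML encoding of the data values is what still protects the page when the string is assigned to the DIV.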