Posted to dev@ofbiz.apache.org by "Jacopo Cappellato (JIRA)" <ji...@apache.org> on 2015/02/12 15:19:11 UTC

[jira] [Commented] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()

    [ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318225#comment-14318225 ] 

Jacopo Cappellato commented on OFBIZ-5953:
------------------------------------------

I have spent some time digging into the source code of HTMLEntityCodec (ESAPI) and specifically the method decodeCharacter is relevant here; see:
https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java

As you can see, and as described by the comment:
{quote}
 * Returns the decoded version of the character starting at index, or
 * null if no decoding is possible.
 *
 * Formats all are legal both with and without semi-colon, upper/lower case:
 *   &#dddd;
 *   &#xhhhh;
 *   &name;
{quote}
the codec recognizes the strings "&op" and "&op;" both as the HTML entity representation of the OR symbol.
I am not sure if this is right or wrong according to the specifications, but it is definitely too strict for OFBiz because it causes problems like the one reported here.
My next step will be to find and study the source file of the old version of ESAPI and see if the behavior changed since then; as I mentioned, removing the HTMLEntityCodec will fix this issue, but I still have to figure out the implications of this change.


> Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
> ------------------------------------------------------------------
>
>                 Key: OFBIZ-5953
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5953
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Christian Carlow
>
> From Adrian on ML:
> When I navigate to https://localhost:8443/accounting/control/paymentOverview?paymentId=8004 many exceptions are thrown and the screen fails to render.  I tried changing WidgetWorker.java line 74 to localRequestName = UtilCodec.canonicalize(localRequestName, false, false); which fixed the exceptions, but the generated link is wrong.  I don't know how to fix it.
> Errors related to this class are also thrown at accounting/control/invoiceOverview. Setting a breakpoint at line 167 of UtilCodec.java shows that 2 HTMLEntityCodec.decode calls transform the URL from
> EditAcctgTrans?acctgTransId=10070&amp;organizationPartyId=10010 to
> EditAcctgTrans?acctgTransId=10070&organizationPartyId=10010 to
> EditAcctgTrans?acctgTransId=10070∨ganizationPartyId=10010.
> Not sure if the error is in class UtilCodec or HTMLEntityCodec.
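
The two-pass decode chain quoted above, reproduced as an added Python model that is not OFBiz or ESAPI code: a toy decoder with a constructed five-entry entity table and ESAPI-style longest-prefix matching of named entities, plus a `require_semicolon` switch so the lenient behaviour can be compared with a strict one. The table, the function names and the `require_semicolon` flag are assumptions made for this illustration.

```python
import re

# Constructed five-entry subset of the HTML named-entity table; ESAPI's is far larger.
NAMED_ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "or": "\u2228"}


def decode_named(text, pos, require_semicolon):
    """Decode a named entity whose '&' sits at text[pos].

    Returns (replacement, index after the entity) or None. As the ticket
    describes for ESAPI, the longest known entity name that prefixes the
    alphanumeric run wins, and the ';' is optional unless require_semicolon.
    """
    m = re.match(r"[A-Za-z0-9]+", text[pos + 1:])
    if not m:
        return None
    run = m.group(0)
    for end in range(len(run), 0, -1):  # longest candidate first
        name = run[:end]
        if name in NAMED_ENTITIES:
            after = pos + 1 + end
            has_semicolon = text[after:after + 1] == ";"
            if require_semicolon and not has_semicolon:
                return None
            return NAMED_ENTITIES[name], after + (1 if has_semicolon else 0)
    return None


def decode(text, require_semicolon=False):
    # One decoding pass over the whole string; unmatched '&' is kept literally.
    out, i = [], 0
    while i < len(text):
        hit = decode_named(text, i, require_semicolon) if text[i] == "&" else None
        if hit is None:
            out.append(text[i])
            i += 1
        else:
            out.append(hit[0])
            i = hit[1]
    return "".join(out)


def canonicalize(text, require_semicolon=False):
    """Decode to a fixed point, as a canonicalizer hunting double encoding does.
    With lenient matching the second pass turns '&organizationPartyId' into
    '\u2228ganizationPartyId', exactly the mangled link in the ticket."""
    while True:
        decoded = decode(text, require_semicolon)
        if decoded == text:
            return decoded
        text = decoded


URL = "EditAcctgTrans?acctgTransId=10070&amp;organizationPartyId=10010"
```

Requiring the semicolon stops the second pass from eating the parameter name, while `&or;` written out in full still decodes in either mode.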


