Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2009/02/10 11:36:19 UTC

Re: svn commit: r742352 - in /ofbiz/trunk/framework: base/config/ base/lib/ base/src/org/ofbiz/base/util/ service/dtd/ service/src/org/ofbiz/service/

Hi David,

I don't know if it's intentional or not: before, error messages could contain HTML tags (<ul> <li> was used for instance for "layout").
So in https://issues.apache.org/jira/browse/OFBIZ-2171?focusedCommentId=12671952#action_12671952 I did not use the old behaviour with these HTML tags (which I think have not been well migrated from DefaultMessages.properties).
This is because we agreed to not use HTML tags in labels anymore, and especially because it was not working anymore.
I wonder now if we should not keep this mechanism specifically for error messages, because in case there are several error messages they would be better displayed using the old mechanism.

What do you think?

Jacques

From: <jo...@apache.org>
> Author: jonesde
> Date: Mon Feb  9 09:34:34 2009
> New Revision: 742352
>
> URL: http://svn.apache.org/viewvc?rev=742352&view=rev
> Log:
> Added new allow-html tag on the attribute, auto-attribute, and override elements; has 3 options: none, safe, and any; the comments 
> in the XSD file describe what each of these do; the important thing to know is that none is the default meaning no html is 
> allowed; if html is needed use safe and look at the antisamy-esapi.xml file to see policy details; in extreme trust cases use any 
> where any html is allowed; note that many services need updating which should allow at least safe html, and it may take some time 
> to discover all of those and get them handled; please send in issues and requests for service attributes that should allow safe 
> html
>
> Added:
>    ofbiz/trunk/framework/base/config/antisamy-esapi.xml   (with props)
>    ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar   (with props)
>    ofbiz/trunk/framework/base/lib/nekohtml.jar   (with props)
> Modified:
>    ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
>    ofbiz/trunk/framework/service/dtd/services.xsd
>    ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java
>    ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java
>    ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java
>    ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java
>
> Added: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/antisamy-esapi.xml?rev=742352&view=auto
> ==============================================================================
> --- ofbiz/trunk/framework/base/config/antisamy-esapi.xml (added)
> +++ ofbiz/trunk/framework/base/config/antisamy-esapi.xml Mon Feb  9 09:34:34 2009
> @@ -0,0 +1,479 @@
> +<?xml version="1.0" encoding="ISO-8859-1"?>
> +<!-- 
> +Based on the default ESAPI.properties file, which is BSD licensed.
> +
> +Licensed to the Apache Software Foundation (ASF) under one
> +or more contributor license agreements.  See the NOTICE file
> +distributed with this work for additional information
> +regarding copyright ownership.  The ASF licenses this file
> +to you under the Apache License, Version 2.0 (the
> +"License"); you may not use this file except in compliance
> +with the License.  You may obtain a copy of the License at
> +
> +http://www.apache.org/licenses/LICENSE-2.0
> +
> +Unless required by applicable law or agreed to in writing,
> +software distributed under the License is distributed on an
> +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> +KIND, either express or implied.  See the License for the
> +specific language governing permissions and limitations
> +under the License.
> +-->
> +
> +<!-- 
> +W3C rules retrieved from:
> +http://www.w3.org/TR/html401/struct/global.html
> +-->
> +
> +<!--
> +Slashdot allowed tags taken from "Reply" page:
> +<b> <i> <p> <br> <a> <ol> <ul> <li> <dl> <dt> <dd> <em> <strong> <tt> <blockquote> <div> <ecode> <quote>
> +-->
> +
> +<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="antisamy.xsd">
> +    <directives>
> +        <directive name="omitXmlDeclaration" value="true"/>
> +        <directive name="omitDoctypeDeclaration" value="true"/>
> +        <directive name="maxInputSize" value="5000"/>
> +        <directive name="embedStyleSheets" value="false"/>
> +    </directives>
> +    <common-regexps>
> +        <!-- 
> +        From W3C:
> +        This attribute assigns a class name or set of class names to an
> +        element. Any number of elements may be assigned the same class
> +        name or names. Multiple class names must be separated by white
> +        space characters.
> +        -->
> +
> +        <regexp name="htmlTitle" value="[a-zA-Z0-9\s-_',:\[\]!\./\\\(\)]*"/> <!-- force non-empty with a '+' at the end instead 
> of '*' -->
> +        <regexp name="onsiteURL" value="([\w\\/\.\?=&amp;;\#-~]+|\#(\w)+)"/>
> +        <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[A-Za-z0-9]+[~a-zA-Z0-9-_\.@#$%&amp;;:,\?=/\+!]*(\s)*"/>
> +    </common-regexps>
> +
> +    <!-- 
> +
> +    Tag.name = a, b, div, body, etc.
> +    Tag.action = filter: remove tags, but keep content, validate: keep content as long as it passes rules, remove: remove tag and 
> contents
> +    Attribute.name = id, class, href, align, width, etc.
> +    Attribute.onInvalid = what to do when the attribute is invalid, e.g., remove the tag (removeTag), remove the attribute 
> (removeAttribute), filter the tag (filterTag)
> +    Attribute.description = What rules in English you want to tell the users they can have for this attribute. Include helpful 
> things so they'll be able to tune their HTML
> +
> +     -->
> +
> +    <!-- 
> +    Some attributes are common to all (or most) HTML tags. There aren't many that qualify for this. You have to make sure there's 
> no
> +    collisions between any of these attribute names with attribute names of other tags that are for different purposes.
> +    -->
> +    <common-attributes>
> +        <attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values 
> and content are written in">
> +             <regexp-list>
> +                 <regexp value="[a-zA-Z]{2,20}"/>
> +             </regexp-list>
> +         </attribute>
> +         <attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers 
> their mouse over the element">
> +             <regexp-list>
> +                 <regexp name="htmlTitle"/>
> +             </regexp-list>
> +         </attribute>
> +        <attribute name="href" onInvalid="filterTag">
> +            <regexp-list>
> +                <regexp name="onsiteURL"/>
> +                <regexp name="offsiteURL"/>
> +            </regexp-list>
> +        </attribute>
> +        <attribute name="align" description="The 'align' attribute of an HTML element is a direction word, like 'left', 'right' 
> or 'center'">
> +            <literal-list>
> +                <literal value="center"/>
> +                <literal value="left"/>
> +                <literal value="right"/>
> +                <literal value="justify"/>
> +                <literal value="char"/>
> +            </literal-list>
> +        </attribute>
> +    </common-attributes>
> +
> +    <!--
> +    This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars 
> continue
> +    this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after
> +    a while?
> +     -->
> +    <global-tag-attributes>
> +        <attribute name="title"/>
> +        <attribute name="lang"/>
> +    </global-tag-attributes>
> +    <tag-rules>
> +        <!-- Tags related to JavaScript -->
> +        <tag name="script" action="remove"/>
> +        <tag name="noscript" action="remove"/>
> +
> +        <!-- Frame & related tags -->
> +        <tag name="iframe" action="remove"/>
> +        <tag name="frameset" action="remove"/>
> +        <tag name="frame" action="remove"/>
> +        <tag name="noframes" action="remove"/>
> +
> +        <!-- All reasonable formatting tags -->
> +        <tag name="p" action="validate">
> +            <attribute name="align"/>
> +        </tag>
> +
> +        <tag name="div" action="validate"/>
> +        <tag name="i" action="validate"/>
> +        <tag name="b" action="validate"/>
> +        <tag name="em" action="validate"/>
> +        <tag name="blockquote" action="validate"/>
> +        <tag name="tt" action="validate"/>
> +
> +        <tag name="br" action="truncate"/>
> +
> +        <!-- Custom Slashdot tags, though we're trimming the idea of having a possible mismatching end tag with the endtag="" 
> attribute -->
> +        <tag name="quote" action="validate"/>
> +        <tag name="ecode" action="validate"/>
> +
> +        <!-- Anchor and anchor related tags -->
> +        <tag name="a" action="validate">
> +            <attribute name="href" onInvalid="filterTag"/>
> +            <attribute name="nohref">
> +                <literal-list>
> +                    <literal value="nohref"/>
> +                    <literal value=""/>
> +                </literal-list>
> +            </attribute>
> +            <attribute name="rel">
> +                <literal-list>
> +                    <literal value="nofollow"/>
> +                </literal-list>
> +            </attribute>
> +        </tag>
> +
> +        <!-- List tags -->
> +        <tag name="ul" action="validate"/>
> +        <tag name="ol" action="validate"/>
> +        <tag name="li" action="validate"/>
> +    </tag-rules>
> +
> +    <!--  No CSS on Slashdot posts -->
> +    <css-rules>
> +    </css-rules>
> +
> +    <html-entities>
> +        <entity name="amp" cdata="&amp;"/>
> +        <entity name="nbsp" cdata="&amp;#160;"/>
> +
> +        <entity name="iexcl" cdata="&amp;#161;"/> <!--inverted exclamation mark, U+00A1 ISOnum -->
> +        <entity name="cent" cdata="&amp;#162;"/> <!--cent sign, U+00A2 ISOnum -->
> +        <entity name="pound" cdata="&amp;#163;"/> <!--pound sign, U+00A3 ISOnum -->
> +        <entity name="curren" cdata="&amp;#164;"/> <!--currency sign, U+00A4 ISOnum -->
> +        <entity name="yen" cdata="&amp;#165;"/> <!--yen sign = yuan sign, U+00A5 ISOnum -->
> +        <entity name="brvbar" cdata="&amp;#166;"/> <!--broken bar = broken vertical bar, U+00A6 ISOnum -->
> +        <entity name="sect" cdata="&amp;#167;"/> <!--section sign, U+00A7 ISOnum -->
> +        <entity name="uml" cdata="&amp;#168;"/> <!--diaeresis = spacing diaeresis, U+00A8 ISOdia -->
> +        <entity name="copy" cdata="&amp;#169;"/> <!--copyright sign, U+00A9 ISOnum -->
> +        <entity name="ordf" cdata="&amp;#170;"/> <!--feminine ordinal indicator, U+00AA ISOnum -->
> +        <entity name="laquo" cdata="&amp;#171;"/> <!--left-pointing double angle quotation mark = left pointing guillemet, U+00AB 
> ISOnum -->
> +        <entity name="not" cdata="&amp;#172;"/> <!--not sign, U+00AC ISOnum -->
> +        <entity name="shy" cdata="&amp;#173;"/> <!--soft hyphen = discretionary hyphen,U+00AD ISOnum -->
> +        <entity name="reg" cdata="&amp;#174;"/> <!--registered sign = registered trade mark sign, U+00AE ISOnum -->
> +        <entity name="macr" cdata="&amp;#175;"/> <!--macron = spacing macron = overline = APL overbar, U+00AF ISOdia -->
> +        <entity name="deg" cdata="&amp;#176;"/> <!--degree sign, U+00B0 ISOnum -->
> +        <entity name="plusmn" cdata="&amp;#177;"/> <!--plus-minus sign = plus-or-minus sign, U+00B1 ISOnum -->
> +        <entity name="sup2" cdata="&amp;#178;"/> <!--superscript two = superscript digit two = squared, U+00B2 ISOnum -->
> +        <entity name="sup3" cdata="&amp;#179;"/> <!--superscript three = superscript digit three= cubed, U+00B3 ISOnum -->
> +        <entity name="acute" cdata="&amp;#180;"/> <!--acute accent = spacing acute, U+00B4 ISOdia -->
> +        <entity name="micro" cdata="&amp;#181;"/> <!--micro sign, U+00B5 ISOnum -->
> +        <entity name="para" cdata="&amp;#182;"/> <!--pilcrow sign = paragraph sign, U+00B6 ISOnum -->
> +        <entity name="middot" cdata="&amp;#183;"/> <!--middle dot = Georgian comma = Greek middle dot, U+00B7 ISOnum -->
> +        <entity name="cedil" cdata="&amp;#184;"/> <!--cedilla = spacing cedilla, U+00B8 ISOdia -->
> +        <entity name="sup1" cdata="&amp;#185;"/> <!--superscript one = superscript digit one,U+00B9 ISOnum -->
> +        <entity name="ordm" cdata="&amp;#186;"/> <!--masculine ordinal indicator, U+00BA ISOnum -->
> +        <entity name="raquo" cdata="&amp;#187;"/> <!--right-pointing double angle quotation mark = right pointing guillemet, 
> U+00BB ISOnum -->
> +        <entity name="frac14" cdata="&amp;#188;"/> <!--vulgar fraction one quarter = fraction one quarter, U+00BC ISOnum -->
> +        <entity name="frac12" cdata="&amp;#189;"/> <!--vulgar fraction one half = fraction one half, U+00BD ISOnum -->
> +        <entity name="frac34" cdata="&amp;#190;"/> <!--vulgar fraction three quarters = fraction three quarters, U+00BE 
> ISOnum -->
> +        <entity name="iquest" cdata="&amp;#191;"/> <!--inverted question mark = turned question mark, U+00BF ISOnum -->
> +        <entity name="Agrave" cdata="&amp;#192;"/> <!--latin capital letter A with grave = latin capital letter A grave,U+00C0 
> ISOlat1 -->
> +        <entity name="Aacute" cdata="&amp;#193;"/> <!--latin capital letter A with acute,U+00C1 ISOlat1 -->
> +        <entity name="Acirc" cdata="&amp;#194;"/> <!--latin capital letter A with circumflex,U+00C2 ISOlat1 -->
> +        <entity name="Atilde" cdata="&amp;#195;"/> <!--latin capital letter A with tilde,U+00C3 ISOlat1 -->
> +        <entity name="Auml" cdata="&amp;#196;"/> <!--latin capital letter A with diaeresis,U+00C4 ISOlat1 -->
> +        <entity name="Aring" cdata="&amp;#197;"/> <!--latin capital letter A with ring above = latin capital letter A ring, 
> U+00C5 ISOlat1 -->
> +        <entity name="AElig" cdata="&amp;#198;"/> <!--latin capital letter AE = latin capital ligature AE, U+00C6 ISOlat1 -->
> +        <entity name="Ccedil" cdata="&amp;#199;"/> <!--latin capital letter C with cedilla, U+00C7 ISOlat1 -->
> +        <entity name="Egrave" cdata="&amp;#200;"/> <!--latin capital letter E with grave, U+00C8 ISOlat1 -->
> +        <entity name="Eacute" cdata="&amp;#201;"/> <!--latin capital letter E with acute,U+00C9 ISOlat1 -->
> +        <entity name="Ecirc" cdata="&amp;#202;"/> <!--latin capital letter E with circumflex,U+00CA ISOlat1 -->
> +        <entity name="Euml" cdata="&amp;#203;"/> <!--latin capital letter E with diaeresis, U+00CB ISOlat1 -->
> +        <entity name="Igrave" cdata="&amp;#204;"/> <!--latin capital letter I with grave, U+00CC ISOlat1 -->
> +        <entity name="Iacute" cdata="&amp;#205;"/> <!--latin capital letter I with acute, U+00CD ISOlat1 -->
> +        <entity name="Icirc" cdata="&amp;#206;"/> <!--latin capital letter I with circumflex, U+00CE ISOlat1 -->
> +        <entity name="Iuml" cdata="&amp;#207;"/> <!--latin capital letter I with diaeresis, U+00CF ISOlat1 -->
> +        <entity name="ETH" cdata="&amp;#208;"/> <!--latin capital letter ETH, U+00D0 ISOlat1 -->
> +        <entity name="Ntilde" cdata="&amp;#209;"/> <!--latin capital letter N with tilde, U+00D1 ISOlat1 -->
> +        <entity name="Ograve" cdata="&amp;#210;"/> <!--latin capital letter O with grave, U+00D2 ISOlat1 -->
> +        <entity name="Oacute" cdata="&amp;#211;"/> <!--latin capital letter O with acute, U+00D3 ISOlat1 -->
> +        <entity name="Ocirc" cdata="&amp;#212;"/> <!--latin capital letter O with circumflex, U+00D4 ISOlat1 -->
> +        <entity name="Otilde" cdata="&amp;#213;"/> <!--latin capital letter O with tilde, U+00D5 ISOlat1 -->
> +        <entity name="Ouml" cdata="&amp;#214;"/> <!--latin capital letter O with diaeresis, U+00D6 ISOlat1 -->
> +        <entity name="times" cdata="&amp;#215;"/> <!--multiplication sign, U+00D7 ISOnum -->
> +        <entity name="Oslash" cdata="&amp;#216;"/> <!--latin capital letter O with stroke = latin capital letter O slash, U+00D8 
> ISOlat1 -->
> +        <entity name="Ugrave" cdata="&amp;#217;"/> <!--latin capital letter U with grave, U+00D9 ISOlat1 -->
> +        <entity name="Uacute" cdata="&amp;#218;"/> <!--latin capital letter U with acute, U+00DA ISOlat1 -->
> +        <entity name="Ucirc" cdata="&amp;#219;"/> <!--latin capital letter U with circumflex, U+00DB ISOlat1 -->
> +        <entity name="Uuml" cdata="&amp;#220;"/> <!--latin capital letter U with diaeresis, U+00DC ISOlat1 -->
> +        <entity name="Yacute" cdata="&amp;#221;"/> <!--latin capital letter Y with acute, U+00DD ISOlat1 -->
> +        <entity name="THORN" cdata="&amp;#222;"/> <!--latin capital letter THORN, U+00DE ISOlat1 -->
> +        <entity name="szlig" cdata="&amp;#223;"/> <!--latin small letter sharp s = ess-zed, U+00DF ISOlat1 -->
> +        <entity name="agrave" cdata="&amp;#224;"/> <!--latin small letter a with grave = latin small letter a grave, U+00E0 
> ISOlat1 -->
> +        <entity name="aacute" cdata="&amp;#225;"/> <!--latin small letter a with acute, U+00E1 ISOlat1 -->
> +        <entity name="acirc" cdata="&amp;#226;"/> <!--latin small letter a with circumflex, U+00E2 ISOlat1 -->
> +        <entity name="atilde" cdata="&amp;#227;"/> <!--latin small letter a with tilde, U+00E3 ISOlat1 -->
> +        <entity name="auml" cdata="&amp;#228;"/> <!--latin small letter a with diaeresis, U+00E4 ISOlat1 -->
> +        <entity name="aring" cdata="&amp;#229;"/> <!--latin small letter a with ring above = latin small letter a ring, U+00E5 
> ISOlat1 -->
> +        <entity name="aelig" cdata="&amp;#230;"/> <!--latin small letter ae = latin small ligature ae, U+00E6 ISOlat1 -->
> +        <entity name="ccedil" cdata="&amp;#231;"/> <!--latin small letter c with cedilla, U+00E7 ISOlat1 -->
> +        <entity name="egrave" cdata="&amp;#232;"/> <!--latin small letter e with grave, U+00E8 ISOlat1 -->
> +        <entity name="eacute" cdata="&amp;#233;"/> <!--latin small letter e with acute, U+00E9 ISOlat1 -->
> +        <entity name="ecirc" cdata="&amp;#234;"/> <!--latin small letter e with circumflex, U+00EA ISOlat1 -->
> +        <entity name="euml" cdata="&amp;#235;"/> <!--latin small letter e with diaeresis, U+00EB ISOlat1 -->
> +        <entity name="igrave" cdata="&amp;#236;"/> <!--latin small letter i with grave, U+00EC ISOlat1 -->
> +        <entity name="iacute" cdata="&amp;#237;"/> <!--latin small letter i with acute, U+00ED ISOlat1 -->
> +        <entity name="icirc" cdata="&amp;#238;"/> <!--latin small letter i with circumflex, U+00EE ISOlat1 -->
> +        <entity name="iuml" cdata="&amp;#239;"/> <!--latin small letter i with diaeresis, U+00EF ISOlat1 -->
> +        <entity name="eth" cdata="&amp;#240;"/> <!--latin small letter eth, U+00F0 ISOlat1 -->
> +        <entity name="ntilde" cdata="&amp;#241;"/> <!--latin small letter n with tilde, U+00F1 ISOlat1 -->
> +        <entity name="ograve" cdata="&amp;#242;"/> <!--latin small letter o with grave, U+00F2 ISOlat1 -->
> +        <entity name="oacute" cdata="&amp;#243;"/> <!--latin small letter o with acute, U+00F3 ISOlat1 -->
> +        <entity name="ocirc " cdata="&amp;#244;"/> <!--latin small letter o with circumflex, U+00F4 ISOlat1 -->
> +        <entity name="otilde" cdata="&amp;#245;"/> <!--latin small letter o with tilde, U+00F5 ISOlat1 -->
> +        <entity name="ouml" cdata="&amp;#246;"/> <!--latin small letter o with diaeresis, U+00F6 ISOlat1 -->
> +        <entity name="divide" cdata="&amp;#247;"/> <!--division sign, U+00F7 ISOnum -->
> +        <entity name="oslash" cdata="&amp;#248;"/> <!--latin small letter o with stroke, = latin small letter o slash, U+00F8 
> ISOlat1 -->
> +        <entity name="ugrave" cdata="&amp;#249;"/> <!--latin small letter u with grave, U+00F9 ISOlat1 -->
> +        <entity name="uacute" cdata="&amp;#250;"/> <!--latin small letter u with acute, U+00FA ISOlat1 -->
> +        <entity name="ucirc" cdata="&amp;#251;"/> <!--latin small letter u with circumflex, U+00FB ISOlat1 -->
> +        <entity name="uuml" cdata="&amp;#252;"/> <!--latin small letter u with diaeresis, U+00FC ISOlat1 -->
> +        <entity name="yacute" cdata="&amp;#253;"/> <!--latin small letter y with acute, U+00FD ISOlat1 -->
> +        <entity name="thorn" cdata="&amp;#254;"/> <!--latin small letter thorn, U+00FE ISOlat1 -->
> +        <entity name="yuml" cdata="&amp;#255;"/> <!--latin small letter y with diaeresis, U+00FF ISOlat1 -->
> +
> +        <entity name="fnof" cdata="&amp;#402;"/> <!--latin small f with hook = function = florin, U+0192 ISOtech -->
> +
> +        <!-- Greek -->
> +        <entity name="Alpha" cdata="&amp;#913;"/> <!--greek capital letter alpha, U+0391 -->
> +        <entity name="Beta" cdata="&amp;#914;"/> <!--greek capital letter beta, U+0392 -->
> +        <entity name="Gamma" cdata="&amp;#915;"/> <!--greek capital letter gamma, U+0393 ISOgrk3 -->
> +        <entity name="Delta" cdata="&amp;#916;"/> <!--greek capital letter delta, U+0394 ISOgrk3 -->
> +        <entity name="Epsilon" cdata="&amp;#917;"/> <!--greek capital letter epsilon, U+0395 -->
> +        <entity name="Zeta" cdata="&amp;#918;"/> <!--greek capital letter zeta, U+0396 -->
> +        <entity name="Eta" cdata="&amp;#919;"/> <!--greek capital letter eta, U+0397 -->
> +        <entity name="Theta" cdata="&amp;#920;"/> <!--greek capital letter theta, U+0398 ISOgrk3 -->
> +        <entity name="Iota" cdata="&amp;#921;"/> <!--greek capital letter iota, U+0399 -->
> +        <entity name="Kappa" cdata="&amp;#922;"/> <!--greek capital letter kappa, U+039A -->
> +        <entity name="Lambda" cdata="&amp;#923;"/> <!--greek capital letter lambda, U+039B ISOgrk3 -->
> +        <entity name="Mu" cdata="&amp;#924;"/> <!--greek capital letter mu, U+039C -->
> +        <entity name="Nu" cdata="&amp;#925;"/> <!--greek capital letter nu, U+039D -->
> +        <entity name="Xi" cdata="&amp;#926;"/> <!--greek capital letter xi, U+039E ISOgrk3 -->
> +        <entity name="Omicron" cdata="&amp;#927;"/> <!--greek capital letter omicron, U+039F -->
> +        <entity name="Pi" cdata="&amp;#928;"/> <!--greek capital letter pi, U+03A0 ISOgrk3 -->
> +        <entity name="Rho" cdata="&amp;#929;"/> <!--greek capital letter rho, U+03A1 -->
> +        <!-- there is no Sigmaf, and no U+03A2 character either -->
> +        <entity name="Sigma" cdata="&amp;#931;"/> <!--greek capital letter sigma, U+03A3 ISOgrk3 -->
> +        <entity name="Tau" cdata="&amp;#932;"/> <!--greek capital letter tau, U+03A4 -->
> +        <entity name="Upsilon" cdata="&amp;#933;"/> <!--greek capital letter upsilon,U+03A5 ISOgrk3 -->
> +        <entity name="Phi" cdata="&amp;#934;"/> <!--greek capital letter phi,U+03A6 ISOgrk3 -->
> +        <entity name="Chi" cdata="&amp;#935;"/> <!--greek capital letter chi, U+03A7 -->
> +        <entity name="Psi" cdata="&amp;#936;"/> <!--greek capital letter psi,U+03A8 ISOgrk3 -->
> +        <entity name="Omega" cdata="&amp;#937;"/> <!--greek capital letter omega,U+03A9 ISOgrk3 -->
> +
> +        <entity name="alpha" cdata="&amp;#945;"/> <!--greek small letter alpha,U+03B1 ISOgrk3 -->
> +        <entity name="beta" cdata="&amp;#946;"/> <!--greek small letter beta, U+03B2 ISOgrk3 -->
> +        <entity name="gamma" cdata="&amp;#947;"/> <!--greek small letter gamma,U+03B3 ISOgrk3 -->
> +        <entity name="delta" cdata="&amp;#948;"/> <!--greek small letter delta,U+03B4 ISOgrk3 -->
> +        <entity name="epsilon" cdata="&amp;#949;"/> <!--greek small letter epsilon,U+03B5 ISOgrk3 -->
> +        <entity name="zeta" cdata="&amp;#950;"/> <!--greek small letter zeta, U+03B6 ISOgrk3 -->
> +        <entity name="eta" cdata="&amp;#951;"/> <!--greek small letter eta, U+03B7 ISOgrk3 -->
> +        <entity name="theta" cdata="&amp;#952;"/> <!--greek small letter theta, U+03B8 ISOgrk3 -->
> +        <entity name="iota" cdata="&amp;#953;"/> <!--greek small letter iota, U+03B9 ISOgrk3 -->
> +        <entity name="kappa" cdata="&amp;#954;"/> <!--greek small letter kappa,U+03BA ISOgrk3 -->
> +        <entity name="lambda" cdata="&amp;#955;"/> <!--greek small letter lambda, U+03BB ISOgrk3 -->
> +        <entity name="mu" cdata="&amp;#956;"/> <!--greek small letter mu, U+03BC ISOgrk3 -->
> +        <entity name="nu" cdata="&amp;#957;"/> <!--greek small letter nu, U+03BD ISOgrk3 -->
> +        <entity name="xi" cdata="&amp;#958;"/> <!--greek small letter xi, U+03BE ISOgrk3 -->
> +        <entity name="omicron" cdata="&amp;#959;"/> <!--greek small letter omicron, U+03BF NEW -->
> +        <entity name="pi" cdata="&amp;#960;"/> <!--greek small letter pi, U+03C0 ISOgrk3 -->
> +        <entity name="rho" cdata="&amp;#961;"/> <!--greek small letter rho, U+03C1 ISOgrk3 -->
> +        <entity name="sigmaf" cdata="&amp;#962;"/> <!--greek small letter final sigma, U+03C2 ISOgrk3 -->
> +        <entity name="sigma" cdata="&amp;#963;"/> <!--greek small letter sigma, U+03C3 ISOgrk3 -->
> +        <entity name="tau" cdata="&amp;#964;"/> <!--greek small letter tau, U+03C4 ISOgrk3 -->
> +        <entity name="upsilon" cdata="&amp;#965;"/> <!--greek small letter upsilon, U+03C5 ISOgrk3 -->
> +        <entity name="phi" cdata="&amp;#966;"/> <!--greek small letter phi, U+03C6 ISOgrk3 -->
> +        <entity name="chi" cdata="&amp;#967;"/> <!--greek small letter chi, U+03C7 ISOgrk3 -->
> +        <entity name="psi" cdata="&amp;#968;"/> <!--greek small letter psi, U+03C8 ISOgrk3 -->
> +        <entity name="omega" cdata="&amp;#969;"/> <!--greek small letter omega, U+03C9 ISOgrk3 -->
> +        <entity name="thetasym" cdata="&amp;#977;"/> <!--greek small letter theta symbol, U+03D1 NEW -->
> +        <entity name="upsih" cdata="&amp;#978;"/> <!--greek upsilon with hook symbol, U+03D2 NEW -->
> +        <entity name="piv" cdata="&amp;#982;"/> <!--greek pi symbol, U+03D6 ISOgrk3 -->
> +
> +        <!-- General Punctuation -->
> +        <entity name="bull" cdata="&amp;#8226;"/> <!--bullet = black small circle, U+2022 ISOpub  -->
> +        <!-- bullet is NOT the same as bullet operator, U+2219 -->
> +        <entity name="hellip" cdata="&amp;#8230;"/> <!--horizontal ellipsis = three dot leader, U+2026 ISOpub  -->
> +        <entity name="prime" cdata="&amp;#8242;"/> <!--prime = minutes = feet, U+2032 ISOtech -->
> +        <entity name="Prime" cdata="&amp;#8243;"/> <!--double prime = seconds = inches, U+2033 ISOtech -->
> +        <entity name="oline" cdata="&amp;#8254;"/> <!--overline = spacing overscore, U+203E NEW -->
> +        <entity name="frasl" cdata="&amp;#8260;"/> <!--fraction slash, U+2044 NEW -->
> +
> +        <!-- Letterlike Symbols -->
> +        <entity name="weierp" cdata="&amp;#8472;"/> <!--script capital P = power set = Weierstrass p, U+2118 ISOamso -->
> +        <entity name="image" cdata="&amp;#8465;"/> <!--blackletter capital I = imaginary part, U+2111 ISOamso -->
> +        <entity name="real" cdata="&amp;#8476;"/> <!--blackletter capital R = real part symbol, U+211C ISOamso -->
> +        <entity name="trade" cdata="&amp;#8482;"/> <!--trade mark sign, U+2122 ISOnum -->
> +        <entity name="alefsym" cdata="&amp;#8501;"/> <!--alef symbol = first transfinite cardinal, U+2135 NEW -->
> +        <!-- alef symbol is NOT the same as hebrew letter alef,
> +             U+05D0 although the same glyph could be used to depict both characters -->
> +
> +        <!-- Arrows -->
> +        <entity name="larr" cdata="&amp;#8592;"/> <!--leftwards arrow, U+2190 ISOnum -->
> +        <entity name="uarr" cdata="&amp;#8593;"/> <!--upwards arrow, U+2191 ISOnum-->
> +        <entity name="rarr" cdata="&amp;#8594;"/> <!--rightwards arrow, U+2192 ISOnum -->
> +        <entity name="darr" cdata="&amp;#8595;"/> <!--downwards arrow, U+2193 ISOnum -->
> +        <entity name="harr" cdata="&amp;#8596;"/> <!--left right arrow, U+2194 ISOamsa -->
> +        <entity name="crarr" cdata="&amp;#8629;"/> <!--downwards arrow with corner leftwards
> +                                             = carriage return, U+21B5 NEW -->
> +        <entity name="lArr" cdata="&amp;#8656;"/> <!--leftwards double arrow, U+21D0 ISOtech -->
> +
> +        <!-- ISO 10646 does not say that lArr is the same as the 'is implied by' arrow
> +            but also does not have any other character for that function. So ? lArr can
> +            be used for 'is implied by' as ISOtech suggests -->
> +
> +        <entity name="uArr" cdata="&amp;#8657;"/> <!--upwards double arrow, U+21D1 ISOamsa -->
> +        <entity name="rArr" cdata="&amp;#8658;"/> <!--rightwards double arrow, U+21D2 ISOtech -->
> +
> +        <!-- ISO 10646 does not say this is the 'implies' character but does not have
> +             another character with this function so ?
> +             rArr can be used for 'implies' as ISOtech suggests -->
> +
> +        <entity name="dArr" cdata="&amp;#8659;"/> <!--downwards double arrow, U+21D3 ISOamsa -->
> +        <entity name="hArr" cdata="&amp;#8660;"/> <!--left right double arrow, U+21D4 ISOamsa -->
> +
> +        <!-- Mathematical Operators -->
> +        <entity name="forall" cdata="&amp;#8704;"/> <!--for all, U+2200 ISOtech -->
> +        <entity name="part" cdata="&amp;#8706;"/> <!--partial differential, U+2202 ISOtech  -->
> +        <entity name="exist" cdata="&amp;#8707;"/> <!--there exists, U+2203 ISOtech -->
> +        <entity name="empty" cdata="&amp;#8709;"/> <!--empty set = null set = diameter,U+2205 ISOamso -->
> +        <entity name="nabla" cdata="&amp;#8711;"/> <!--nabla = backward difference, U+2207 ISOtech -->
> +        <entity name="isin" cdata="&amp;#8712;"/> <!--element of, U+2208 ISOtech -->
> +        <entity name="notin" cdata="&amp;#8713;"/> <!--not an element of, U+2209 ISOtech -->
> +        <entity name="ni" cdata="&amp;#8715;"/> <!--contains as member, U+220B ISOtech -->
> +
> +        <!-- should there be a more memorable name than 'ni'? -->
> +        <entity name="prod" cdata="&amp;#8719;"/> <!--n-ary product = product sign, U+220F ISOamsb -->
> +
> +        <!-- prod is NOT the same character as U+03A0 'greek capital letter pi' though
> +             the same glyph might be used for both -->
> +
> +        <entity name="sum" cdata="&amp;#8721;"/> <!--n-ary sumation, U+2211 ISOamsb -->
> +
> +        <!-- sum is NOT the same character as U+03A3 'greek capital letter sigma'
> +             though the same glyph might be used for both -->
> +
> +        <entity name="minus" cdata="&amp;#8722;"/> <!--minus sign, U+2212 ISOtech -->
> +        <entity name="lowast" cdata="&amp;#8727;"/> <!--asterisk operator, U+2217 ISOtech -->
> +        <entity name="radic" cdata="&amp;#8730;"/> <!--square root = radical sign, U+221A ISOtech -->
> +        <entity name="prop" cdata="&amp;#8733;"/> <!--proportional to, U+221D ISOtech -->
> +        <entity name="infin" cdata="&amp;#8734;"/> <!--infinity, U+221E ISOtech -->
> +        <entity name="ang" cdata="&amp;#8736;"/> <!--angle, U+2220 ISOamso -->
> +        <entity name="and" cdata="&amp;#8743;"/> <!--logical and = wedge, U+2227 ISOtech -->
> +        <entity name="or" cdata="&amp;#8744;"/> <!--logical or = vee, U+2228 ISOtech -->
> +        <entity name="cap" cdata="&amp;#8745;"/> <!--intersection = cap, U+2229 ISOtech -->
> +        <entity name="cup" cdata="&amp;#8746;"/> <!--union = cup, U+222A ISOtech -->
> +        <entity name="int" cdata="&amp;#8747;"/> <!--integral, U+222B ISOtech -->
> +        <entity name="there4" cdata="&amp;#8756;"/> <!--therefore, U+2234 ISOtech -->
> +        <entity name="sim" cdata="&amp;#8764;"/> <!--tilde operator = varies with = similar to, U+223C ISOtech -->
> +
> +        <!-- tilde operator is NOT the same character as the tilde, U+007E,
> +             although the same glyph might be used to represent both  -->
> +
> +        <entity name="cong" cdata="&amp;#8773;"/> <!--approximately equal to, U+2245 ISOtech -->
> +        <entity name="asymp" cdata="&amp;#8776;"/> <!--almost equal to = asymptotic to, U+2248 ISOamsr -->
> +        <entity name="ne" cdata="&amp;#8800;"/> <!--not equal to, U+2260 ISOtech -->
> +        <entity name="equiv" cdata="&amp;#8801;"/> <!--identical to, U+2261 ISOtech -->
> +        <entity name="le" cdata="&amp;#8804;"/> <!--less-than or equal to, U+2264 ISOtech -->
> +        <entity name="ge" cdata="&amp;#8805;"/> <!--greater-than or equal to, U+2265 ISOtech -->
> +        <entity name="sub" cdata="&amp;#8834;"/> <!--subset of, U+2282 ISOtech -->
> +        <entity name="sup" cdata="&amp;#8835;"/> <!--superset of, U+2283 ISOtech -->
> +
> +        <!-- note that nsup, 'not a superset of, U+2283' is not covered by the Symbol
> +             font encoding and is not included. Should it be, for symmetry?
> +             It is in ISOamsn  -->
> +
> +        <entity name="nsub" cdata="&amp;#8836;"/> <!--not a subset of, U+2284 ISOamsn -->
> +        <entity name="sube" cdata="&amp;#8838;"/> <!--subset of or equal to, U+2286 ISOtech -->
> +        <entity name="supe" cdata="&amp;#8839;"/> <!--superset of or equal to, U+2287 ISOtech -->
> +        <entity name="oplus" cdata="&amp;#8853;"/> <!--circled plus = direct sum, U+2295 ISOamsb -->
> +        <entity name="otimes" cdata="&amp;#8855;"/> <!--circled times = vector product, U+2297 ISOamsb -->
> +        <entity name="perp" cdata="&amp;#8869;"/> <!--up tack = orthogonal to = perpendicular, U+22A5 ISOtech -->
> +        <entity name="sdot" cdata="&amp;#8901;"/> <!--dot operator, U+22C5 ISOamsb -->
> +        <!-- dot operator is NOT the same character as U+00B7 middle dot -->
> +
> +        <!-- Miscellaneous Technical -->
> +        <entity name="lceil" cdata="&amp;#8968;"/> <!--left ceiling = apl upstile, U+2308 ISOamsc  -->
> +        <entity name="rceil" cdata="&amp;#8969;"/> <!--right ceiling, U+2309 ISOamsc  -->
> +        <entity name="lfloor" cdata="&amp;#8970;"/> <!--left floor = apl downstile, U+230A ISOamsc  -->
> +        <entity name="rfloor" cdata="&amp;#8971;"/> <!--right floor, U+230B ISOamsc  -->
> +        <entity name="lang" cdata="&amp;#9001;"/> <!--left-pointing angle bracket = bra, U+2329 ISOtech -->
> +        <!-- lang is NOT the same character as U+003C 'less than'
> +             or U+2039 'single left-pointing angle quotation mark' -->
> +        <entity name="rang" cdata="&amp;#9002;"/> <!--right-pointing angle bracket = ket, U+232A ISOtech -->
> +        <!-- rang is NOT the same character as U+003E 'greater than' or U+203A 'single right-pointing angle quotation mark' -->
> +
> +        <!-- Geometric Shapes -->
> +        <entity name="loz" cdata="&amp;#9674;"/> <!--lozenge, U+25CA ISOpub -->
> +
> +        <!-- Miscellaneous Symbols -->
> +        <entity name="spades" cdata="&amp;#9824;"/> <!--black spade suit, U+2660 ISOpub -->
> +        <!-- black here seems to mean filled as opposed to hollow -->
> +        <entity name="clubs" cdata="&amp;#9827;"/> <!--black club suit = shamrock, U+2663 ISOpub -->
> +        <entity name="hearts" cdata="&amp;#9829;"/> <!--black heart suit = valentine, U+2665 ISOpub -->
> +        <entity name="diams" cdata="&amp;#9830;"/> <!--black diamond suit, U+2666 ISOpub -->
> +
> +        <entity name="quot" cdata="&amp;#34;"  /> <!--quotation mark = APL quote, U+0022 ISOnum -->
> +        <!-- Latin Extended-A -->
> +        <entity name="OElig" cdata="&amp;#338;" /> <!--latin capital ligature OE, U+0152 ISOlat2 -->
> +        <entity name="oelig" cdata="&amp;#339;" /> <!--latin small ligature oe, U+0153 ISOlat2 -->
> +        <!-- ligature is a misnomer, this is a separate character in some languages -->
> +        <entity name="Scaron" cdata="&amp;#352;" /> <!--latin capital letter S with caron, U+0160 ISOlat2 -->
> +        <entity name="scaron" cdata="&amp;#353;" /> <!--latin small letter s with caron, U+0161 ISOlat2 -->
> +        <entity name="Yuml" cdata="&amp;#376;" /> <!--latin capital letter Y with diaeresis, U+0178 ISOlat2 -->
> +
> +        <!-- Spacing Modifier Letters -->
> +        <entity name="circ" cdata="&amp;#710;" /> <!--modifier letter circumflex accent, U+02C6 ISOpub -->
> +        <entity name="tilde" cdata="&amp;#732;" /> <!--small tilde, U+02DC ISOdia -->
> +
> +        <!-- General Punctuation -->
> +        <entity name="ensp" cdata="&amp;#8194;"/> <!--en space, U+2002 ISOpub -->
> +        <entity name="emsp" cdata="&amp;#8195;"/> <!--em space, U+2003 ISOpub -->
> +        <entity name="thinsp" cdata="&amp;#8201;"/> <!--thin space, U+2009 ISOpub -->
> +        <entity name="zwnj" cdata="&amp;#8204;"/> <!--zero width non-joiner, U+200C NEW RFC 2070 -->
> +        <entity name="zwj" cdata="&amp;#8205;"/> <!--zero width joiner, U+200D NEW RFC 2070 -->
> +        <entity name="lrm" cdata="&amp;#8206;"/> <!--left-to-right mark, U+200E NEW RFC 2070 -->
> +        <entity name="rlm" cdata="&amp;#8207;"/> <!--right-to-left mark, U+200F NEW RFC 2070 -->
> +        <entity name="ndash" cdata="&amp;#8211;"/> <!--en dash, U+2013 ISOpub -->
> +        <entity name="mdash" cdata="&amp;#8212;"/> <!--em dash, U+2014 ISOpub -->
> +        <entity name="lsquo" cdata="&amp;#8216;"/> <!--left single quotation mark, U+2018 ISOnum -->
> +        <entity name="rsquo" cdata="&amp;#8217;"/> <!--right single quotation mark, U+2019 ISOnum -->
> +        <entity name="sbquo" cdata="&amp;#8218;"/> <!--single low-9 quotation mark, U+201A NEW -->
> +        <entity name="ldquo" cdata="&amp;#8220;"/> <!--left double quotation mark, U+201C ISOnum -->
> +        <entity name="rdquo" cdata="&amp;#8221;"/> <!--right double quotation mark, U+201D ISOnum -->
> +        <entity name="bdquo" cdata="&amp;#8222;"/> <!--double low-9 quotation mark, U+201E NEW -->
> +        <entity name="dagger" cdata="&amp;#8224;"/> <!--dagger, U+2020 ISOpub -->
> +        <entity name="Dagger" cdata="&amp;#8225;"/> <!--double dagger, U+2021 ISOpub -->
> +        <entity name="permil" cdata="&amp;#8240;"/> <!--per mille sign, U+2030 ISOtech -->
> +        <entity name="lsaquo" cdata="&amp;#8249;"/> <!--single left-pointing angle quotation mark, U+2039 ISO proposed -->
> +        <!-- lsaquo is proposed but not yet ISO standardized -->
> +        <entity name="rsaquo" cdata="&amp;#8250;"/> <!--single right-pointing angle quotation mark, U+203A ISO proposed -->
> +        <!-- rsaquo is proposed but not yet ISO standardized -->
> +        <entity name="euro" cdata="&amp;#8364;" /> <!--euro sign, U+20AC NEW -->
> +    </html-entities>
> +</anti-samy-rules>
>
> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
> ------------------------------------------------------------------------------
>    svn:eol-style = native
>
> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
> ------------------------------------------------------------------------------
>    svn:executable = *
>
> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
> ------------------------------------------------------------------------------
>    svn:keywords = "Date Rev Author URL Id"
>
> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
> ------------------------------------------------------------------------------
>    svn:mime-type = text/xml
>
> Added: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar?rev=742352&view=auto
> ==============================================================================
> Binary file - no diff available.
>
> Propchange: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
> ------------------------------------------------------------------------------
>    svn:executable = *
>
> Propchange: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
> ------------------------------------------------------------------------------
>    svn:mime-type = application/octet-stream
>
> Added: ofbiz/trunk/framework/base/lib/nekohtml.jar
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/nekohtml.jar?rev=742352&view=auto
> ==============================================================================
> Binary file - no diff available.
>
> Propchange: ofbiz/trunk/framework/base/lib/nekohtml.jar
> ------------------------------------------------------------------------------
>    svn:mime-type = application/octet-stream
>
> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
> URL: 
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=742352&r1=742351&r2=742352&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java (original)
> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java Mon Feb  9 09:34:34 2009
> @@ -18,10 +18,6 @@
>  *******************************************************************************/
> package org.ofbiz.base.util;
>
> -import javolution.util.FastList;
> -import javolution.util.FastMap;
> -import javolution.util.FastSet;
> -
> import java.io.UnsupportedEncodingException;
> import java.net.URLDecoder;
> import java.net.URLEncoder;
> @@ -34,15 +30,23 @@
> import java.util.regex.Matcher;
> import java.util.regex.Pattern;
>
> +import javolution.util.FastList;
> +import javolution.util.FastMap;
> +import javolution.util.FastSet;
> +
> import org.apache.commons.codec.DecoderException;
> import org.apache.commons.codec.binary.Hex;
> import org.owasp.esapi.Encoder;
> +import org.owasp.esapi.ValidationErrorList;
> +import org.owasp.esapi.Validator;
> import org.owasp.esapi.codecs.CSSCodec;
> import org.owasp.esapi.codecs.Codec;
> import org.owasp.esapi.codecs.HTMLEntityCodec;
> import org.owasp.esapi.codecs.JavaScriptCodec;
> import org.owasp.esapi.codecs.PercentCodec;
> +import org.owasp.esapi.errors.EncodingException;
> import org.owasp.esapi.reference.DefaultEncoder;
> +import org.owasp.esapi.reference.DefaultValidator;
>
> /**
>  * Misc String Utility Functions
> @@ -55,12 +59,12 @@
>     /** OWASP ESAPI canonicalize strict flag; setting false so we only get warnings about double encoding, etc; can be set to true 
> for exceptions and more security */
>     public static final boolean esapiCanonicalizeStrict = false;
>     public static final Encoder defaultWebEncoder;
> -    //public static final Validator defaultWebValidator;
> +    public static final Validator defaultWebValidator;
>     static {
>         // possible codecs: CSSCodec, HTMLEntityCodec, JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, 
> VBScriptCodec, WindowsCodec
>         List<Codec> codecList = Arrays.asList(new CSSCodec(), new HTMLEntityCodec(), new JavaScriptCodec(), new PercentCodec());
>         defaultWebEncoder = new DefaultEncoder(codecList);
> -        //defaultWebValidator = new DefaultValidator();
> +        defaultWebValidator = new DefaultValidator();
>     }
>
>     public static final SimpleEncoder htmlEncoder = new HtmlEncoder();
> @@ -82,6 +86,8 @@
>         }
>     }
>
> +    // ================== Begin General Functions ==================
> +
>     public static String internString(String value) {
>         return value != null ? value.intern() : null;
>     }
> @@ -459,6 +465,72 @@
>     }
>
>     /**
> +     * Uses a black-list approach for necessary characters for HTML.
> +     * Does not allow various characters (after canonicalization), including "<", ">", "&" (if not followed by a space), and "%" 
> (if not followed by a space).
> +     *
> +     * @param value
> +     * @param errorMessageList
> +     */
> +    public static String checkStringForHtmlStrictNone(String valueName, String value, List<String> errorMessageList) {
> +        if (UtilValidate.isEmpty(value)) return value;
> +
> +        // canonicalize, strict (error on double-encoding)
> +        try {
> +            value = defaultWebEncoder.canonicalize(value, true);
> +        } catch (EncodingException e) {
> +            // NOTE: using different log and user targeted error messages to allow the end-user message to be less technical
> +            Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) error for 
> attribute named [" + valueName + "], String [" + value + "]: " + e.toString(), module);
> +            errorMessageList.add("In field [" + valueName + "] found character espacing (mixed or double) that is not allowed or 
> other format consistency error: " + e.toString());
> +        }
> +
> +        // check for "<", ">"
> +        if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {
> +            errorMessageList.add("In field [" + valueName + "] greater-than (>) and less-than (<) symbols are not allowed.");
> +        }
> +
> +        // check for & not followed by a space (can be used for escaping chars)
> +        int curAmpIndex = value.indexOf("&");
> +        while (curAmpIndex >= 0) {
> +            if (' ' != value.charAt(curAmpIndex + 1)) {
> +                errorMessageList.add("In field [" + valueName + "] the ampersand (&) symbol is only allowed if followed by a 
> space.");
> +                // once we find one like this we have the message so no need to check for more
> +                break;
> +            }
> +            curAmpIndex = value.indexOf("&", curAmpIndex + 1);
> +        }
> +
> +        // check for % not followed by a space (can be used for escaping chars)
> +        int curPercIndex = value.indexOf("%");
> +        while (curPercIndex >= 0) {
> +            if (' ' != value.charAt(curPercIndex + 1)) {
> +                errorMessageList.add("In field [" + valueName + "] the percent (%) symbol is only allowed if followed by a 
> space.");
> +                // once we find one like this we have the message so no need to check for more
> +                break;
> +            }
> +            curPercIndex = value.indexOf("%", curPercIndex + 1);
> +        }
> +
> +        // TODO: anything else to check for that can be used to get HTML or JavaScript going without these characters?
> +
> +        return value;
> +    }
> +
> +    /**
> +     * Uses a white-list approach to check for safe HTML.
> +     * Based on the ESAPI validator configured in the antisamy-esapi.xml file.
> +     *
> +     * @param value
> +     * @param errorMessageList
> +     * @return String with updated value if needed for safer HTML.
> +     */
> +    public static String checkStringForHtmlSafeOnly(String valueName, String value, List<String> errorMessageList) {
> +        ValidationErrorList vel = new ValidationErrorList();
> +        value = defaultWebValidator.getValidSafeHTML(valueName, value, Integer.MAX_VALUE, true, vel);
> +        errorMessageList.addAll(vel.errors());
> +        return value;
> +    }
> +
> +    /**
>      * Translates various HTML characters in a string so that the string can be displayed in a browser safely
>      * <p>
>      * This function is useful in preventing user-supplied text from containing HTML markup, such as in a message board or
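
Review bot: checkStringForHtmlStrictNone has two logic defects in its black-list checks. The angle-bracket test `if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0)` looks for "<" twice and never for ">", so a lone greater-than passes even though the error message says both are rejected; the second operand should be `value.indexOf(">") >= 0`. The ampersand and percent loops call `value.charAt(curAmpIndex + 1)` and `value.charAt(curPercIndex + 1)` without checking that a following character exists, so any value ending in "&" or "%" (a plain "50%") throws StringIndexOutOfBoundsException out of validation instead of producing an error message; guard with `curAmpIndex + 1 < value.length()` (same for the percent loop) and decide whether a trailing symbol is to be accepted or reported. Smaller points in the same hunk: the canonicalize call hard-codes `true` although the class keeps an esapiCanonicalizeStrict flag for exactly that purpose; when canonicalize throws, the un-canonicalized value is still returned (and stored by the caller); the user-facing message misspells "espacing"; the Javadoc of both new methods omits the valueName parameter and the first omits @return; and in checkStringForHtmlSafeOnly, `errorMessageList.addAll(vel.errors())` should be checked against the bundled ESAPI version, since ValidationErrorList.errors() yields ValidationException objects rather than Strings, in which case the user messages need extracting before they go into a List<String>.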
> @@ -473,6 +545,8 @@
>      *    <li>'>' (greater than) becomes '&gt;'
>      *    <li>\n (Carriage Return) becomes '&lt;br&gt;gt;'
>      * </ol>
> +     *
> +     * @deprecated Use StringUtil.htmlEncoder instead.
>      */
>     public static String htmlSpecialChars(String html, boolean doubleQuotes, boolean singleQuotes, boolean insertBR) {
>         html = StringUtil.replaceString(html, "&", "&amp;");
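
Review bot: the `@deprecated` Javadoc tag added to htmlSpecialChars should be paired with the `@Deprecated` annotation on the method declaration; the Javadoc tag alone only shows in generated documentation, whereas the annotation gives callers a compiler warning, which is what you want when steering code towards StringUtil.htmlEncoder.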
>
> Modified: ofbiz/trunk/framework/service/dtd/services.xsd
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=742352&r1=742351&r2=742352&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/service/dtd/services.xsd (original)
> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Feb  9 09:34:34 2009
> @@ -268,6 +268,16 @@
>                 </xs:restriction>
>             </xs:simpleType>
>         </xs:attribute>
> +        <xs:attribute name="allow-html" use="optional" default="none">
> +            <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" 
> element.</xs:documentation></xs:annotation>
> +            <xs:simpleType>
> +                <xs:restriction base="xs:token">
> +                    <xs:enumeration value="any"/>
> +                    <xs:enumeration value="safe"/>
> +                    <xs:enumeration value="none"/>
> +                </xs:restriction>
> +            </xs:simpleType>
> +        </xs:attribute>
>     </xs:attributeGroup>
>     <xs:element name="exclude">
>         <xs:complexType>
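
Review bot: the any/safe/none enumeration in this hunk is repeated verbatim in the two other allow-html attributes added further down in this file; declaring it once as a named `xs:simpleType` (say `allow-html-type`) and referencing it with `type=` on the three attributes keeps the attribute groups in sync if an option is ever added or renamed.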
> @@ -321,6 +331,22 @@
>                 </xs:restriction>
>             </xs:simpleType>
>         </xs:attribute>
> +        <xs:attribute name="allow-html" use="optional" default="none">
> +            <xs:annotation><xs:documentation>
> +                Applies only to String fields.
> +                Only checked for incoming parameters/attributes (could change in the future, but this is meant for validating 
> input from users, other systems, etc).
> +                Defualts to "none" meaning no HTML is allowed (will result in an error message).
> +                If some HTML is desired then use "safe" which will follow the rules in the antisamy-esapi.xml file. This should 
> be safe for both internal and public users.
> +                In rare cases when users are trusted or it is not a sensitive field the "any" option may be used to not check the 
> HTML content at all.
> +            </xs:documentation></xs:annotation>
> +            <xs:simpleType>
> +                <xs:restriction base="xs:token">
> +                    <xs:enumeration value="any"/>
> +                    <xs:enumeration value="safe"/>
> +                    <xs:enumeration value="none"/>
> +                </xs:restriction>
> +            </xs:simpleType>
> +        </xs:attribute>
>     </xs:attributeGroup>
>     <xs:element name="override">
>         <xs:complexType>
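
Review bot: typo in the documentation text, "Defualts" should be "Defaults". The description should also state two things the implementation does that a service author needs to know: "safe" does not only validate but replaces the attribute value with the cleaned HTML that the ESAPI validator returns (StringUtil.checkStringForHtmlSafeOnly writes the result back), and "none" rejects more than tags, since "&" and "%" not followed by a space are refused as well (see StringUtil.checkStringForHtmlStrictNone). A sentence noting that the check only runs when a value is present and only for IN/INOUT parameters would complete it.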
> @@ -362,6 +388,16 @@
>                 </xs:restriction>
>             </xs:simpleType>
>         </xs:attribute>
> +        <xs:attribute name="allow-html" use="optional">
> +            <xs:annotation><xs:documentation>See the documentation on the allow-html attribute of the "attribute" element. Note 
> that it is slightly different here as there is no defualt.</xs:documentation></xs:annotation>
> +            <xs:simpleType>
> +                <xs:restriction base="xs:token">
> +                    <xs:enumeration value="any"/>
> +                    <xs:enumeration value="safe"/>
> +                    <xs:enumeration value="none"/>
> +                </xs:restriction>
> +            </xs:simpleType>
> +        </xs:attribute>
>     </xs:attributeGroup>
>     <xs:element name="type-validate">
>         <xs:complexType>
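
Review bot: typo in the annotation, "defualt" should be "default". Since this attribute has no default, the text should also say what happens when an override element omits allow-html: the setting inherited from the base attribute is left untouched (createOverrideDefs in ModelServiceReader only assigns allowHtml when the attribute is non-empty).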
>
> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java
> URL: 
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java?rev=742352&r1=742351&r2=742352&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java (original)
> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java Mon Feb  9 09:34:34 2009
> @@ -22,9 +22,8 @@
>
> import javolution.util.FastMap;
>
> -import org.ofbiz.entity.GenericDelegator;
> -import org.ofbiz.entity.GenericEntityException;
> import org.ofbiz.base.util.Debug;
> +import org.ofbiz.entity.GenericDelegator;
>
> /**
>  * Generic Services Local Dispatcher
> @@ -130,15 +129,15 @@
>     }
>
>     public void disableEcas(){
> -        this.ecasDisabled = true;
> +        ecasDisabled = true;
>     }
>
>     public void enableEcas() {
> -        this.ecasDisabled = false;
> +        ecasDisabled = false;
>     }
>
>     public boolean isEcasDisabled() {
> -        return this.ecasDisabled;
> +        return ecasDisabled;
>     }
>
>     /**
>
> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java
> URL: 
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java?rev=742352&r1=742351&r2=742352&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java (original)
> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java Mon Feb  9 09:34:34 2009
> @@ -35,6 +35,7 @@
> /**
>  * Generic Service Model Parameter
>  */
> +@SuppressWarnings("serial")
> public class ModelParam implements Serializable {
>
>     public static final String module = ModelParam.class.getName();
> @@ -77,6 +78,9 @@
>     public boolean formDisplay = true;
>     public boolean overrideFormDisplay = false;
>
> +    /** Default value */
> +    public String allowHtml = null;
> +
>     /** Is this Parameter set internally? */
>     public boolean internal = false;
>
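
Review bot: the Javadoc on the new field reads `/** Default value */`, which describes the neighbouring defaultValue field, not allowHtml; it should say what the field holds (the allow-html setting of the parameter: "none", "safe" or "any", read from the service definition). Consider initialising it to "none" rather than null as well: ModelService.validate only acts on "none" and "safe", so a ModelParam built outside ModelServiceReader with a null value is silently left unchecked rather than getting the restrictive default.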
> @@ -97,6 +101,7 @@
>         this.overrideOptional = param.overrideOptional;
>         this.formDisplay = param.formDisplay;
>         this.overrideFormDisplay = param.overrideFormDisplay;
> +        this.allowHtml = param.allowHtml;
>         this.internal = param.internal;
>     }
>
> @@ -190,6 +195,7 @@
>         buf.append(overrideOptional).append("::");
>         buf.append(formDisplay).append("::");
>         buf.append(overrideFormDisplay).append("::");
> +        buf.append(allowHtml).append("::");
>         buf.append(defaultValue).append("::");
>         buf.append(internal);
>         if (validators != null)
>
> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java
> URL: 
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=742352&r1=742351&r2=742352&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java (original)
> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java Mon Feb  9 09:34:34 2009
> @@ -58,7 +58,7 @@
> import org.ofbiz.base.util.Debug;
> import org.ofbiz.base.util.GeneralException;
> import org.ofbiz.base.util.ObjectType;
> -import org.ofbiz.base.util.UtilDateTime;
> +import org.ofbiz.base.util.StringUtil;
> import org.ofbiz.base.util.UtilMisc;
> import org.ofbiz.base.util.UtilProperties;
> import org.ofbiz.base.util.UtilValidate;
> @@ -75,6 +75,7 @@
> /**
>  * Generic Service Model Class
>  */
> +@SuppressWarnings("serial")
> public class ModelService extends AbstractMap<String, Object> implements Serializable {
>     private static final Field[] MODEL_SERVICE_FIELDS;
>     private static final Map<String, Field> MODEL_SERVICE_FIELD_MAP = FastMap.newInstance();
> @@ -459,16 +460,16 @@
>      * @param test The Map object to test
>      * @param mode Test either mode IN or mode OUT
>      */
> -    public void validate(Map<String, ? extends Object> test, String mode, Locale locale) throws ServiceValidationException {
> +    public void validate(Map<String, Object> context, String mode, Locale locale) throws ServiceValidationException {
>         Map<String, String> requiredInfo = FastMap.newInstance();
>         Map<String, String> optionalInfo = FastMap.newInstance();
>         boolean verboseOn = Debug.verboseOn();
>
> -        if (verboseOn) Debug.logVerbose("[ModelService.validate] : {" + this.name + "} : Validating context - " + test, module);
> +        if (verboseOn) Debug.logVerbose("[ModelService.validate] : {" + this.name + "} : Validating context - " + context, 
> module);
>
>         // do not validate results with errors
> -        if (mode.equals(OUT_PARAM) && test != null && test.containsKey(RESPONSE_MESSAGE)) {
> -            if (RESPOND_ERROR.equals(test.get(RESPONSE_MESSAGE)) || RESPOND_FAIL.equals(test.get(RESPONSE_MESSAGE))) {
> +        if (mode.equals(OUT_PARAM) && context != null && context.containsKey(RESPONSE_MESSAGE)) {
> +            if (RESPOND_ERROR.equals(context.get(RESPONSE_MESSAGE)) || RESPOND_FAIL.equals(context.get(RESPONSE_MESSAGE))) {
>                 if (verboseOn) Debug.logVerbose("[ModelService.validate] : {" + this.name + "} : response was an error, not 
> validating.", module);
>                 return;
>             }
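
Review bot: changing the signature from `Map<String, ? extends Object>` to `Map<String, Object>` is a source-incompatible change for callers of validate() that pass a more specifically typed map. It is needed because the method now writes the canonicalized or cleaned value back with context.put(), but that makes validate() mutate its argument, which the Javadoc above still describes as "The Map object to test"; please update the Javadoc and call the API change out in the log message so other components can be checked.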
> @@ -490,8 +491,8 @@
>         Map<String, Object> requiredTest = FastMap.newInstance();
>         Map<String, Object> optionalTest = FastMap.newInstance();
>
> -        if (test == null) test = FastMap.newInstance();
> -        requiredTest.putAll(test);
> +        if (context == null) context = FastMap.newInstance();
> +        requiredTest.putAll(context);
>
>         List<String> requiredButNull = FastList.newInstance();
>         List<String> keyList = FastList.newInstance();
> @@ -545,6 +546,30 @@
>             Debug.logError("[ModelService.validate] : {" + name + "} : (" + mode + ") Required test error: " + e.toString(), 
> module);
>             throw e;
>         }
> +
> +        // required and type validation complete, do allow-html validation
> +        if ("IN".equals(mode)) {
> +            List<String> errorMessageList = FastList.newInstance();
> +            for (ModelParam modelParam: this.contextInfo.values()) {
> +                if (context.get(modelParam.name) != null &&
> +                        ("String".equals(modelParam.type) || "java.lang.String".equals(modelParam.type)) &&
> +                        !"any".equals(modelParam.allowHtml) &&
> +                        ("INOUT".equals(modelParam.mode) || "IN".equals(modelParam.mode))) {
> +                    // the param is a String, allow-html is none or safe, and we are looking at an IN parameter during input 
> parameter validation
> +                    String value = (String) context.get(modelParam.name);
> +                    if ("none".equals(modelParam.allowHtml)) {
> +                        value = StringUtil.checkStringForHtmlStrictNone(modelParam.name, value, errorMessageList);
> +                        context.put(modelParam.name, value);
> +                    } else if ("safe".equals(modelParam.allowHtml)) {
> +                        value = StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList);
> +                        context.put(modelParam.name, value);
> +                    }
> +                }
> +            }
> +            if (errorMessageList.size() > 0) {
> +                throw new ServiceValidationException(errorMessageList, this, mode);
> +            }
> +        }
>     }
>
>     /**
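
Review bot: the new allow-html block compares the mode with the literal "IN" while the rest of this method uses the OUT_PARAM constant; use its IN_PARAM counterpart for consistency. Two behavioural points deserve a comment in the code: a parameter whose allowHtml is null (the field's initial value in ModelParam) passes the `!"any".equals(modelParam.allowHtml)` test but matches neither the "none" nor the "safe" branch, so it is silently unchecked, and treating null as "none" would be the safe choice; and because checkStringForHtmlStrictNone returns the canonicalized string, `context.put(modelParam.name, value)` means the service receives the decoded form of what the caller sent, not the original input, which is a behaviour change for callers that legitimately pass encoded text.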
>
> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java
> URL: 
> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java?rev=742352&r1=742351&r2=742352&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java (original)
> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java Mon Feb  9 09:34:34 2009
> @@ -56,7 +56,7 @@
> /**
>  * Generic Service - Service Definition Reader
>  */
> -
> +@SuppressWarnings("serial")
> public class ModelServiceReader implements Serializable {
>
>     public static final String module = ModelServiceReader.class.getName();
> @@ -510,6 +510,7 @@
>                             param.mode = UtilXml.checkEmpty(autoElement.getAttribute("mode")).intern();
>                             param.optional = "true".equalsIgnoreCase(autoElement.getAttribute("optional")); // default to true
>                             param.formDisplay = !"false".equalsIgnoreCase(autoElement.getAttribute("form-display")); // default to 
> false
> +                            param.allowHtml = UtilXml.checkEmpty(autoElement.getAttribute("allow-html"), "none").intern(); // 
> default to none
>                             modelParamMap.put(field.getName(), param);
>                         }
>                     }
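
Review bot: the allow-html value is stored as read (`UtilXml.checkEmpty(autoElement.getAttribute("allow-html"), "none").intern()`) without being checked against the three permitted values; together with the branch logic in ModelService.validate, a misspelled value such as "Safe" or "nonee" is neither "none" nor "safe" and the parameter is silently left unchecked when the XML has not been schema-validated. Reject or at least log an unknown value here and fall back to "none"; the same applies to the attribute and override hunks below in this file.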
> @@ -532,7 +533,7 @@
>                 Debug.logError(e, "Problem loading auto-attributes [" + entityName + "] for " + service.name, module);
>             } catch (GeneralException e) {
>                 Debug.logError(e, "Cannot load auto-attributes : " + e.getMessage() + " for " + service.name, module);
> -            }
> +            }
>         }
>     }
>
> @@ -551,6 +552,7 @@
>             param.formLabel = attribute.hasAttribute("form-label")?attribute.getAttribute("form-label").intern():null;
>             param.optional = "true".equalsIgnoreCase(attribute.getAttribute("optional")); // default to true
>             param.formDisplay = !"false".equalsIgnoreCase(attribute.getAttribute("form-display")); // default to false
> +            param.allowHtml = UtilXml.checkEmpty(attribute.getAttribute("allow-html"), "none").intern(); // default to none
>
>             // default value
>             String defValue = attribute.getAttribute("default-value");
> @@ -644,8 +646,8 @@
>     }
>
>     protected void createOverrideDefs(Element baseElement, ModelService service) {
> -        for (Element attribute: UtilXml.childElementList(baseElement, "override")) {
> -            String name = UtilXml.checkEmpty(attribute.getAttribute("name"));
> +        for (Element overrideElement: UtilXml.childElementList(baseElement, "override")) {
> +            String name = UtilXml.checkEmpty(overrideElement.getAttribute("name"));
>             ModelParam param = service.getParam(name);
>             boolean directToParams = true;
>             if (param == null) {
> @@ -662,38 +664,42 @@
>
>             if (param != null) {
>                 // set only modified values
> -                if (attribute.getAttribute("type") != null && attribute.getAttribute("type").length() > 0) {
> -                    param.type = UtilXml.checkEmpty(attribute.getAttribute("type")).intern();
> +                if (UtilValidate.isNotEmpty(overrideElement.getAttribute("type"))) {
> +                    param.type = UtilXml.checkEmpty(overrideElement.getAttribute("type")).intern();
>                 }
> -                if (attribute.getAttribute("mode") != null && attribute.getAttribute("mode").length() > 0) {
> -                    param.mode = UtilXml.checkEmpty(attribute.getAttribute("mode")).intern();
> +                if (UtilValidate.isNotEmpty(overrideElement.getAttribute("mode"))) {
> +                    param.mode = UtilXml.checkEmpty(overrideElement.getAttribute("mode")).intern();
>                 }
> -                if (attribute.getAttribute("entity-name") != null && attribute.getAttribute("entity-name").length() > 0) {
> -                   param.entityName = UtilXml.checkEmpty(attribute.getAttribute("entity-name")).intern();
> +                if (UtilValidate.isNotEmpty(overrideElement.getAttribute("entity-name"))) {
> +                   param.entityName = UtilXml.checkEmpty(overrideElement.getAttribute("entity-name")).intern();
>                 }
> -                if (attribute.getAttribute("field-name") != null && attribute.getAttribute("field-name").length() > 0) {
> -                    param.fieldName = UtilXml.checkEmpty(attribute.getAttribute("field-name")).intern();
> +                if (UtilValidate.isNotEmpty(overrideElement.getAttribute("field-name"))) {
> +                    param.fieldName = UtilXml.checkEmpty(overrideElement.getAttribute("field-name")).intern();
>                 }
> -                if (attribute.getAttribute("form-label") != null && attribute.getAttribute("form-label").length() > 0) {
> -                    param.formLabel = UtilXml.checkEmpty(attribute.getAttribute("form-label")).intern();
> +                if (UtilValidate.isNotEmpty(overrideElement.getAttribute("form-label"))) {
> +                    param.formLabel = UtilXml.checkEmpty(overrideElement.getAttribute("form-label")).intern();
>                 }
> -                if (attribute.getAttribute("optional") != null && attribute.getAttribute("optional").length() > 0) {
> -                    param.optional = "true".equalsIgnoreCase(attribute.getAttribute("optional")); // default to true
> +                if (UtilValidate.isNotEmpty(overrideElement.getAttribute("optional"))) {
> +                    param.optional = "true".equalsIgnoreCase(overrideElement.getAttribute("optional")); // default to true
>                     param.overrideOptional = true;
>                 }
> -                if (attribute.getAttribute("form-display") != null && attribute.getAttribute("form-display").length() > 0) {
> -                    param.formDisplay = !"false".equalsIgnoreCase(attribute.getAttribute("form-display")); // default to false
> +                if (UtilValidate.isNotEmpty(overrideElement.getAttribute("form-display"))) {
> +                    param.formDisplay = !"false".equalsIgnoreCase(overrideElement.getAttribute("form-display")); // default to 
> false
>                     param.overrideFormDisplay = true;
>                 }
>
> +                if (UtilValidate.isNotEmpty(overrideElement.getAttribute("allow-html"))) {
> +                    param.allowHtml = UtilXml.checkEmpty(overrideElement.getAttribute("allow-html")).intern();
> +                }
> +
>                 // default value
> -                String defValue = attribute.getAttribute("default-value");
> +                String defValue = overrideElement.getAttribute("default-value");
>                 if (UtilValidate.isNotEmpty(defValue)) {
>                     param.setDefaultValue(defValue);
>                 }
>
>                 // override validators
> -                this.addValidators(attribute, param);
> +                this.addValidators(overrideElement, param);
>
>                 if (directToParams) {
>                     service.addParam(param);
>
> 
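Review bot: the new `allow-html` override (`param.allowHtml = UtilXml.checkEmpty(overrideElement.getAttribute("allow-html")).intern();`) stores whatever string the service definition carries without checking it against the three values the commit log documents (none, safe, any), so unless the services.xsd enumeration is enforced when the file is loaded, a misspelled value is accepted silently and only shows up later as whichever behaviour the consumer assigns to an unknown string; consider rejecting, or at least logging, anything outside that set at this point, the same way the `optional` and `form-display` overrides normalise their input with `equalsIgnoreCase`. Minor: the trailing comments `// default to true` on the `optional` assignment and `// default to false` on the `form-display` assignment read as swapped, since `"true".equalsIgnoreCase(...)` yields false for anything but "true" and `!"false".equalsIgnoreCase(...)` yields true for anything but "false".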



Re: svn commit: r742352 - in /ofbiz/trunk/framework: base/config/ base/lib/ base/src/org/ofbiz/base/util/ service/dtd/ service/src/org/ofbiz/service/

Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "David E Jones" <da...@hotwaxmedia.com>
>
> Jacques,
>
> Could you be more specific? I apologize, I'd like to comment but I actually have no idea what you are talking about...
>
> Is there an example somewhere of what is not working the way you would like it to?

No longer, since I changed it in r742668.

> The old issue items would be really helpful here:
>
> 1. what did you do (steps to reproduce)
> 2. what did you expect to happen
> 3. what actually happened

You could use the information from https://issues.apache.org/jira/browse/OFBIZ-2171 but you will need to revert this commit first.

Thanks

Jacques

> Thanks,
> -David
>
>
> On Feb 10, 2009, at 3:36 AM, Jacques Le Roux wrote:
>
>> Hi David,
>>
>> I don't know if it's intentional or not: before, error messages could contain HTML tags (<ul> <li> was used for instance for
>> "layout").
>> So in https://issues.apache.org/jira/browse/OFBIZ-2171?focusedCommentId=12671952#action_12671952 I did not use the old
>> behaviour with these HTML tags (which I think have not been well migrated from DefaultMessages.properties).
>> This is because we agreed not to use HTML tags in labels anymore, and especially because it was not working anymore.
>> I wonder now if we should not keep this mechanism specifically for error messages, because in case there are several error
>> messages they would be better displayed using the old mechanism.
>>
>> What do you think?
>>
>> Jacques
>>
>> From: <jo...@apache.org>
>>> Author: jonesde
>>> Date: Mon Feb  9 09:34:34 2009
>>> New Revision: 742352
>>>
>>> URL: http://svn.apache.org/viewvc?rev=742352&view=rev
>>> Log:
>>> Added new allow-html tag on the attribute, auto-attribute, and override elements; has 3 options: none, safe, and any; the
>>> comments in the XSD file describe what each of these do; the important thing to know is that none is the default meaning no
>>> html is allowed; if html is needed use safe and look at the antisamy-esapi.xml file to see policy details; in extreme trust
>>> cases use any where any html is allowed; note that many services need updating which should allow at least safe html, and it
>>> may take some time to discover all of those and get them handled; please send in issues and requests for service attributes
>>> that should allow safe html
>>>
>>> Added:
>>>   ofbiz/trunk/framework/base/config/antisamy-esapi.xml   (with props)
>>>   ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar   (with props)
>>>   ofbiz/trunk/framework/base/lib/nekohtml.jar   (with props)
>>> Modified:
>>>   ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
>>>   ofbiz/trunk/framework/service/dtd/services.xsd
>>>   ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java
>>>   ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java
>>>   ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java
>>>   ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java
>>>
>>> Added: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/antisamy-esapi.xml?rev=742352&view=auto
>>> = = = = = = = = = =====================================================================
>>> --- ofbiz/trunk/framework/base/config/antisamy-esapi.xml (added)
>>> +++ ofbiz/trunk/framework/base/config/antisamy-esapi.xml Mon Feb  9  09:34:34 2009
>>> @@ -0,0 +1,479 @@
>>> +<?xml version="1.0" encoding="ISO-8859-1"?>
>>> +<!-- +Based on the default ESAPI.properties file, which is BSD  licensed.
>>> +
>>> +Licensed to the Apache Software Foundation (ASF) under one
>>> +or more contributor license agreements.  See the NOTICE file
>>> +distributed with this work for additional information
>>> +regarding copyright ownership.  The ASF licenses this file
>>> +to you under the Apache License, Version 2.0 (the
>>> +"License"); you may not use this file except in compliance
>>> +with the License.  You may obtain a copy of the License at
>>> +
>>> +http://www.apache.org/licenses/LICENSE-2.0
>>> +
>>> +Unless required by applicable law or agreed to in writing,
>>> +software distributed under the License is distributed on an
>>> +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>> +KIND, either express or implied.  See the License for the
>>> +specific language governing permissions and limitations
>>> +under the License.
>>> +-->
>>> +
>>> +<!-- +W3C rules retrieved from:
>>> +http://www.w3.org/TR/html401/struct/global.html
>>> +-->
>>> +
>>> +<!--
>>> +Slashdot allowed tags taken from "Reply" page:
>>> +<b> <i> <p> <br> <a> <ol> <ul> <li> <dl> <dt> <dd> <em> <strong>  <tt> <blockquote> <div> <ecode> <quote>
>>> +-->
>>> +
>>> +<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance " xsi:noNamespaceSchemaLocation="antisamy.xsd">
>>> +    <directives>
>>> +        <directive name="omitXmlDeclaration" value="true"/>
>>> +        <directive name="omitDoctypeDeclaration" value="true"/>
>>> +        <directive name="maxInputSize" value="5000"/>
>>> +        <directive name="embedStyleSheets" value="false"/>
>>> +    </directives>
>>> +    <common-regexps>
>>> +        <!-- +        From W3C:
>>> +        This attribute assigns a class name or set of class names  to an
>>> +        element. Any number of elements may be assigned the same  class
>>> +        name or names. Multiple class names must be separated by  white
>>> +        space characters.
>>> +        -->
>>> +
>>> +        <regexp name="htmlTitle" value="[a-zA-Z0-9\s-_',:\[\]!\./\\ \(\)]*"/> <!-- force non-empty with a '+' at the end 
>>> instead of '*'  -->
>>> +        <regexp name="onsiteURL" value="([\w\\/\.\?=&amp;;\#-~]+| \#(\w)+)"/>
>>> +        <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:) 
>>> [A-Za-z0-9]+[~a-zA-Z0-9-_\.@#$%&amp;;:,\?=/\+!]*(\s)*"/>
>>> +    </common-regexps>
>>> +
>>> +    <!-- +
>>> +    Tag.name = a, b, div, body, etc.
>>> +    Tag.action = filter: remove tags, but keep content, validate:  keep content as long as it passes rules, remove: remove tag 
>>> and  contents
>>> +    Attribute.name = id, class, href, align, width, etc.
>>> +    Attribute.onInvalid = what to do when the attribute is  invalid, e.g., remove the tag (removeTag), remove the attribute 
>>> (removeAttribute), filter the tag (filterTag)
>>> +    Attribute.description = What rules in English you want to tell  the users they can have for this attribute. Include helpful 
>>> things  so they'll be able to tune their HTML
>>> +
>>> +     -->
>>> +
>>> +    <!-- +    Some attributes are common to all (or most) HTML  tags. There aren't many that qualify for this. You have to make 
>>> sure there's no
>>> +    collisions between any of these attribute names with attribute  names of other tags that are for different purposes.
>>> +    -->
>>> +    <common-attributes>
>>> +        <attribute name="lang" description="The 'lang' attribute  tells the browser what language the element's attribute 
>>> values and  content are written in">
>>> +             <regexp-list>
>>> +                 <regexp value="[a-zA-Z]{2,20}"/>
>>> +             </regexp-list>
>>> +         </attribute>
>>> +         <attribute name="title" description="The 'title'  attribute provides text that shows up in a 'tooltip' when a user 
>>> hovers their mouse over the element">
>>> +             <regexp-list>
>>> +                 <regexp name="htmlTitle"/>
>>> +             </regexp-list>
>>> +         </attribute>
>>> +        <attribute name="href" onInvalid="filterTag">
>>> +            <regexp-list>
>>> +                <regexp name="onsiteURL"/>
>>> +                <regexp name="offsiteURL"/>
>>> +            </regexp-list>
>>> +        </attribute>
>>> +        <attribute name="align" description="The 'align' attribute  of an HTML element is a direction word, like 'left', 
>>> 'right' or  'center'">
>>> +            <literal-list>
>>> +                <literal value="center"/>
>>> +                <literal value="left"/>
>>> +                <literal value="right"/>
>>> +                <literal value="justify"/>
>>> +                <literal value="char"/>
>>> +            </literal-list>
>>> +        </attribute>
>>> +    </common-attributes>
>>> +
>>> +    <!--
>>> +    This requires normal updates as browsers continue to diverge  from the W3C and each other. As long as the browser wars 
>>> continue
>>> +    this is going to continue. I'm not sure war is the right word  for what's going on. Doesn't somebody have to win a war 
>>> after
>>> +    a while?
>>> +     -->
>>> +    <global-tag-attributes>
>>> +        <attribute name="title"/>
>>> +        <attribute name="lang"/>
>>> +    </global-tag-attributes>
>>> +    <tag-rules>
>>> +        <!-- Tags related to JavaScript -->
>>> +        <tag name="script" action="remove"/>
>>> +        <tag name="noscript" action="remove"/>
>>> +
>>> +        <!-- Frame & related tags -->
>>> +        <tag name="iframe" action="remove"/>
>>> +        <tag name="frameset" action="remove"/>
>>> +        <tag name="frame" action="remove"/>
>>> +        <tag name="noframes" action="remove"/>
>>> +
>>> +        <!-- All reasonable formatting tags -->
>>> +        <tag name="p" action="validate">
>>> +            <attribute name="align"/>
>>> +        </tag>
>>> +
>>> +        <tag name="div" action="validate"/>
>>> +        <tag name="i" action="validate"/>
>>> +        <tag name="b" action="validate"/>
>>> +        <tag name="em" action="validate"/>
>>> +        <tag name="blockquote" action="validate"/>
>>> +        <tag name="tt" action="validate"/>
>>> +
>>> +        <tag name="br" action="truncate"/>
>>> +
>>> +        <!-- Custom Slashdot tags, though we're trimming the idea  of having a possible mismatching end tag with the endtag="" 
>>> attribute -->
>>> +        <tag name="quote" action="validate"/>
>>> +        <tag name="ecode" action="validate"/>
>>> +
>>> +        <!-- Anchor and anchor related tags -->
>>> +        <tag name="a" action="validate">
>>> +            <attribute name="href" onInvalid="filterTag"/>
>>> +            <attribute name="nohref">
>>> +                <literal-list>
>>> +                    <literal value="nohref"/>
>>> +                    <literal value=""/>
>>> +                </literal-list>
>>> +            </attribute>
>>> +            <attribute name="rel">
>>> +                <literal-list>
>>> +                    <literal value="nofollow"/>
>>> +                </literal-list>
>>> +            </attribute>
>>> +        </tag>
>>> +
>>> +        <!-- List tags -->
>>> +        <tag name="ul" action="validate"/>
>>> +        <tag name="ol" action="validate"/>
>>> +        <tag name="li" action="validate"/>
>>> +    </tag-rules>
>>> +
>>> +    <!--  No CSS on Slashdot posts -->
>>> +    <css-rules>
>>> +    </css-rules>
>>> +
>>> +    <html-entities>
>>> +        <entity name="amp" cdata="&amp;"/>
>>> +        <entity name="nbsp" cdata="&amp;#160;"/>
>>> +
>>> +        <entity name="iexcl" cdata="&amp;#161;"/> <!--inverted  exclamation mark, U+00A1 ISOnum -->
>>> +        <entity name="cent" cdata="&amp;#162;"/> <!--cent sign, U +00A2 ISOnum -->
>>> +        <entity name="pound" cdata="&amp;#163;"/> <!--pound sign, U +00A3 ISOnum -->
>>> +        <entity name="curren" cdata="&amp;#164;"/> <!--currency  sign, U+00A4 ISOnum -->
>>> +        <entity name="yen" cdata="&amp;#165;"/> <!--yen sign =  yuan sign, U+00A5 ISOnum -->
>>> +        <entity name="brvbar" cdata="&amp;#166;"/> <!--broken bar  = broken vertical bar, U+00A6 ISOnum -->
>>> +        <entity name="sect" cdata="&amp;#167;"/> <!--section sign,  U+00A7 ISOnum -->
>>> +        <entity name="uml" cdata="&amp;#168;"/> <!--diaeresis =  spacing diaeresis, U+00A8 ISOdia -->
>>> +        <entity name="copy" cdata="&amp;#169;"/> <!--copyright  sign, U+00A9 ISOnum -->
>>> +        <entity name="ordf" cdata="&amp;#170;"/> <!--feminine  ordinal indicator, U+00AA ISOnum -->
>>> +        <entity name="laquo" cdata="&amp;#171;"/> <!--left- pointing double angle quotation mark = left pointing guillemet, U 
>>> +00AB ISOnum -->
>>> +        <entity name="not" cdata="&amp;#172;"/> <!--not sign, U +00AC ISOnum -->
>>> +        <entity name="shy" cdata="&amp;#173;"/> <!--soft hyphen =  discretionary hyphen,U+00AD ISOnum -->
>>> +        <entity name="reg" cdata="&amp;#174;"/> <!--registered  sign = registered trade mark sign, U+00AE ISOnum -->
>>> +        <entity name="macr" cdata="&amp;#175;"/> <!--macron =  spacing macron = overline = APL overbar, U+00AF ISOdia -->
>>> +        <entity name="deg" cdata="&amp;#176;"/> <!--degree sign, U +00B0 ISOnum -->
>>> +        <entity name="plusmn" cdata="&amp;#177;"/> <!--plus-minus  sign = plus-or-minus sign, U+00B1 ISOnum -->
>>> +        <entity name="sup2" cdata="&amp;#178;"/> <!--superscript  two = superscript digit two = squared, U+00B2 ISOnum -->
>>> +        <entity name="sup3" cdata="&amp;#179;"/> <!--superscript  three = superscript digit three= cubed, U+00B3 ISOnum -->
>>> +        <entity name="acute" cdata="&amp;#180;"/> <!--acute accent  = spacing acute, U+00B4 ISOdia -->
>>> +        <entity name="micro" cdata="&amp;#181;"/> <!--micro sign, U +00B5 ISOnum -->
>>> +        <entity name="para" cdata="&amp;#182;"/> <!--pilcrow sign  = paragraph sign, U+00B6 ISOnum -->
>>> +        <entity name="middot" cdata="&amp;#183;"/> <!--middle dot  = Georgian comma = Greek middle dot, U+00B7 ISOnum -->
>>> +        <entity name="cedil" cdata="&amp;#184;"/> <!--cedilla =  spacing cedilla, U+00B8 ISOdia -->
>>> +        <entity name="sup1" cdata="&amp;#185;"/> <!--superscript  one = superscript digit one,U+00B9 ISOnum -->
>>> +        <entity name="ordm" cdata="&amp;#186;"/> <!--masculine  ordinal indicator, U+00BA ISOnum -->
>>> +        <entity name="raquo" cdata="&amp;#187;"/> <!--right- pointing double angle quotation mark = right pointing guillemet, U 
>>> +00BB ISOnum -->
>>> +        <entity name="frac14" cdata="&amp;#188;"/> <!--vulgar  fraction one quarter = fraction one quarter, U+00BC ISOnum -->
>>> +        <entity name="frac12" cdata="&amp;#189;"/> <!--vulgar  fraction one half = fraction one half, U+00BD ISOnum -->
>>> +        <entity name="frac34" cdata="&amp;#190;"/> <!--vulgar  fraction three quarters = fraction three quarters, U+00BE 
>>> ISOnum -->
>>> +        <entity name="iquest" cdata="&amp;#191;"/> <!--inverted  question mark = turned question mark, U+00BF ISOnum -->
>>> +        <entity name="Agrave" cdata="&amp;#192;"/> <!--latin  capital letter A with grave = latin capital letter A grave,U+00C0 
>>> ISOlat1 -->
>>> +        <entity name="Aacute" cdata="&amp;#193;"/> <!--latin  capital letter A with acute,U+00C1 ISOlat1 -->
>>> +        <entity name="Acirc" cdata="&amp;#194;"/> <!--latin  capital letter A with circumflex,U+00C2 ISOlat1 -->
>>> +        <entity name="Atilde" cdata="&amp;#195;"/> <!--latin  capital letter A with tilde,U+00C3 ISOlat1 -->
>>> +        <entity name="Auml" cdata="&amp;#196;"/> <!--latin capital  letter A with diaeresis,U+00C4 ISOlat1 -->
>>> +        <entity name="Aring" cdata="&amp;#197;"/> <!--latin  capital letter A with ring above = latin capital letter A ring, U 
>>> +00C5 ISOlat1 -->
>>> +        <entity name="AElig" cdata="&amp;#198;"/> <!--latin  capital letter AE = latin capital ligature AE, U+00C6 ISOlat1 -->
>>> +        <entity name="Ccedil" cdata="&amp;#199;"/> <!--latin  capital letter C with cedilla, U+00C7 ISOlat1 -->
>>> +        <entity name="Egrave" cdata="&amp;#200;"/> <!--latin  capital letter E with grave, U+00C8 ISOlat1 -->
>>> +        <entity name="Eacute" cdata="&amp;#201;"/> <!--latin  capital letter E with acute,U+00C9 ISOlat1 -->
>>> +        <entity name="Ecirc" cdata="&amp;#202;"/> <!--latin  capital letter E with circumflex,U+00CA ISOlat1 -->
>>> +        <entity name="Euml" cdata="&amp;#203;"/> <!--latin capital  letter E with diaeresis, U+00CB ISOlat1 -->
>>> +        <entity name="Igrave" cdata="&amp;#204;"/> <!--latin  capital letter I with grave, U+00CC ISOlat1 -->
>>> +        <entity name="Iacute" cdata="&amp;#205;"/> <!--latin  capital letter I with acute, U+00CD ISOlat1 -->
>>> +        <entity name="Icirc" cdata="&amp;#206;"/> <!--latin  capital letter I with circumflex, U+00CE ISOlat1 -->
>>> +        <entity name="Iuml" cdata="&amp;#207;"/> <!--latin capital  letter I with diaeresis, U+00CF ISOlat1 -->
>>> +        <entity name="ETH" cdata="&amp;#208;"/> <!--latin capital  letter ETH, U+00D0 ISOlat1 -->
>>> +        <entity name="Ntilde" cdata="&amp;#209;"/> <!--latin  capital letter N with tilde, U+00D1 ISOlat1 -->
>>> +        <entity name="Ograve" cdata="&amp;#210;"/> <!--latin  capital letter O with grave, U+00D2 ISOlat1 -->
>>> +        <entity name="Oacute" cdata="&amp;#211;"/> <!--latin  capital letter O with acute, U+00D3 ISOlat1 -->
>>> +        <entity name="Ocirc" cdata="&amp;#212;"/> <!--latin  capital letter O with circumflex, U+00D4 ISOlat1 -->
>>> +        <entity name="Otilde" cdata="&amp;#213;"/> <!--latin  capital letter O with tilde, U+00D5 ISOlat1 -->
>>> +        <entity name="Ouml" cdata="&amp;#214;"/> <!--latin capital  letter O with diaeresis, U+00D6 ISOlat1 -->
>>> +        <entity name="times" cdata="&amp;#215;"/> <!-- 
>>> multiplication sign, U+00D7 ISOnum -->
>>> +        <entity name="Oslash" cdata="&amp;#216;"/> <!--latin  capital letter O with stroke = latin capital letter O slash, 
>>> U+00D8  ISOlat1 -->
>>> +        <entity name="Ugrave" cdata="&amp;#217;"/> <!--latin  capital letter U with grave, U+00D9 ISOlat1 -->
>>> +        <entity name="Uacute" cdata="&amp;#218;"/> <!--latin  capital letter U with acute, U+00DA ISOlat1 -->
>>> +        <entity name="Ucirc" cdata="&amp;#219;"/> <!--latin  capital letter U with circumflex, U+00DB ISOlat1 -->
>>> +        <entity name="Uuml" cdata="&amp;#220;"/> <!--latin capital  letter U with diaeresis, U+00DC ISOlat1 -->
>>> +        <entity name="Yacute" cdata="&amp;#221;"/> <!--latin  capital letter Y with acute, U+00DD ISOlat1 -->
>>> +        <entity name="THORN" cdata="&amp;#222;"/> <!--latin  capital letter THORN, U+00DE ISOlat1 -->
>>> +        <entity name="szlig" cdata="&amp;#223;"/> <!--latin small  letter sharp s = ess-zed, U+00DF ISOlat1 -->
>>> +        <entity name="agrave" cdata="&amp;#224;"/> <!--latin small  letter a with grave = latin small letter a grave, U+00E0 
>>> ISOlat1 -->
>>> +        <entity name="aacute" cdata="&amp;#225;"/> <!--latin small  letter a with acute, U+00E1 ISOlat1 -->
>>> +        <entity name="acirc" cdata="&amp;#226;"/> <!--latin small  letter a with circumflex, U+00E2 ISOlat1 -->
>>> +        <entity name="atilde" cdata="&amp;#227;"/> <!--latin small  letter a with tilde, U+00E3 ISOlat1 -->
>>> +        <entity name="auml" cdata="&amp;#228;"/> <!--latin small  letter a with diaeresis, U+00E4 ISOlat1 -->
>>> +        <entity name="aring" cdata="&amp;#229;"/> <!--latin small  letter a with ring above = latin small letter a ring, U+00E5 
>>> ISOlat1 -->
>>> +        <entity name="aelig" cdata="&amp;#230;"/> <!--latin small  letter ae = latin small ligature ae, U+00E6 ISOlat1 -->
>>> +        <entity name="ccedil" cdata="&amp;#231;"/> <!--latin small  letter c with cedilla, U+00E7 ISOlat1 -->
>>> +        <entity name="egrave" cdata="&amp;#232;"/> <!--latin small  letter e with grave, U+00E8 ISOlat1 -->
>>> +        <entity name="eacute" cdata="&amp;#233;"/> <!--latin small  letter e with acute, U+00E9 ISOlat1 -->
>>> +        <entity name="ecirc" cdata="&amp;#234;"/> <!--latin small  letter e with circumflex, U+00EA ISOlat1 -->
>>> +        <entity name="euml" cdata="&amp;#235;"/> <!--latin small  letter e with diaeresis, U+00EB ISOlat1 -->
>>> +        <entity name="igrave" cdata="&amp;#236;"/> <!--latin small  letter i with grave, U+00EC ISOlat1 -->
>>> +        <entity name="iacute" cdata="&amp;#237;"/> <!--latin small  letter i with acute, U+00ED ISOlat1 -->
>>> +        <entity name="icirc" cdata="&amp;#238;"/> <!--latin small  letter i with circumflex, U+00EE ISOlat1 -->
>>> +        <entity name="iuml" cdata="&amp;#239;"/> <!--latin small  letter i with diaeresis, U+00EF ISOlat1 -->
>>> +        <entity name="eth" cdata="&amp;#240;"/> <!--latin small  letter eth, U+00F0 ISOlat1 -->
>>> +        <entity name="ntilde" cdata="&amp;#241;"/> <!--latin small  letter n with tilde, U+00F1 ISOlat1 -->
>>> +        <entity name="ograve" cdata="&amp;#242;"/> <!--latin small  letter o with grave, U+00F2 ISOlat1 -->
>>> +        <entity name="oacute" cdata="&amp;#243;"/> <!--latin small  letter o with acute, U+00F3 ISOlat1 -->
>>> +        <entity name="ocirc " cdata="&amp;#244;"/> <!--latin small  letter o with circumflex, U+00F4 ISOlat1 -->
>>> +        <entity name="otilde" cdata="&amp;#245;"/> <!--latin small  letter o with tilde, U+00F5 ISOlat1 -->
>>> +        <entity name="ouml" cdata="&amp;#246;"/> <!--latin small  letter o with diaeresis, U+00F6 ISOlat1 -->
>>> +        <entity name="divide" cdata="&amp;#247;"/> <!--division  sign, U+00F7 ISOnum -->
>>> +        <entity name="oslash" cdata="&amp;#248;"/> <!--latin small  letter o with stroke, = latin small letter o slash, U+00F8 
>>> ISOlat1  -->
>>> +        <entity name="ugrave" cdata="&amp;#249;"/> <!--latin small  letter u with grave, U+00F9 ISOlat1 -->
>>> +        <entity name="uacute" cdata="&amp;#250;"/> <!--latin small  letter u with acute, U+00FA ISOlat1 -->
>>> +        <entity name="ucirc" cdata="&amp;#251;"/> <!--latin small  letter u with circumflex, U+00FB ISOlat1 -->
>>> +        <entity name="uuml" cdata="&amp;#252;"/> <!--latin small  letter u with diaeresis, U+00FC ISOlat1 -->
>>> +        <entity name="yacute" cdata="&amp;#253;"/> <!--latin small  letter y with acute, U+00FD ISOlat1 -->
>>> +        <entity name="thorn" cdata="&amp;#254;"/> <!--latin small  letter thorn, U+00FE ISOlat1 -->
>>> +        <entity name="yuml" cdata="&amp;#255;"/> <!--latin small  letter y with diaeresis, U+00FF ISOlat1 -->
>>> +
>>> +        <entity name="fnof" cdata="&amp;#402;"/> <!--latin small f  with hook = function = florin, U+0192 ISOtech -->
>>> +
>>> +        <!-- Greek -->
>>> +        <entity name="Alpha" cdata="&amp;#913;"/> <!--greek  capital letter alpha, U+0391 -->
>>> +        <entity name="Beta" cdata="&amp;#914;"/> <!--greek capital  letter beta, U+0392 -->
>>> +        <entity name="Gamma" cdata="&amp;#915;"/> <!--greek  capital letter gamma, U+0393 ISOgrk3 -->
>>> +        <entity name="Delta" cdata="&amp;#916;"/> <!--greek  capital letter delta, U+0394 ISOgrk3 -->
>>> +        <entity name="Epsilon" cdata="&amp;#917;"/> <!--greek  capital letter epsilon, U+0395 -->
>>> +        <entity name="Zeta" cdata="&amp;#918;"/> <!--greek capital  letter zeta, U+0396 -->
>>> +        <entity name="Eta" cdata="&amp;#919;"/> <!--greek capital  letter eta, U+0397 -->
>>> +        <entity name="Theta" cdata="&amp;#920;"/> <!--greek  capital letter theta, U+0398 ISOgrk3 -->
>>> +        <entity name="Iota" cdata="&amp;#921;"/> <!--greek capital  letter iota, U+0399 -->
>>> +        <entity name="Kappa" cdata="&amp;#922;"/> <!--greek  capital letter kappa, U+039A -->
>>> +        <entity name="Lambda" cdata="&amp;#923;"/> <!--greek  capital letter lambda, U+039B ISOgrk3 -->
>>> +        <entity name="Mu" cdata="&amp;#924;"/> <!--greek capital  letter mu, U+039C -->
>>> +        <entity name="Nu" cdata="&amp;#925;"/> <!--greek capital  letter nu, U+039D -->
>>> +        <entity name="Xi" cdata="&amp;#926;"/> <!--greek capital  letter xi, U+039E ISOgrk3 -->
>>> +        <entity name="Omicron" cdata="&amp;#927;"/> <!--greek  capital letter omicron, U+039F -->
>>> +        <entity name="Pi" cdata="&amp;#928;"/> <!--greek capital  letter pi, U+03A0 ISOgrk3 -->
>>> +        <entity name="Rho" cdata="&amp;#929;"/> <!--greek capital  letter rho, U+03A1 -->
>>> +        <!-- there is no Sigmaf, and no U+03A2 character either -->
>>> +        <entity name="Sigma" cdata="&amp;#931;"/> <!--greek  capital letter sigma, U+03A3 ISOgrk3 -->
>>> +        <entity name="Tau" cdata="&amp;#932;"/> <!--greek capital  letter tau, U+03A4 -->
>>> +        <entity name="Upsilon" cdata="&amp;#933;"/> <!--greek  capital letter upsilon,U+03A5 ISOgrk3 -->
>>> +        <entity name="Phi" cdata="&amp;#934;"/> <!--greek capital  letter phi,U+03A6 ISOgrk3 -->
>>> +        <entity name="Chi" cdata="&amp;#935;"/> <!--greek capital  letter chi, U+03A7 -->
>>> +        <entity name="Psi" cdata="&amp;#936;"/> <!--greek capital  letter psi,U+03A8 ISOgrk3 -->
>>> +        <entity name="Omega" cdata="&amp;#937;"/> <!--greek  capital letter omega,U+03A9 ISOgrk3 -->
>>> +
>>> +        <entity name="alpha" cdata="&amp;#945;"/> <!--greek small  letter alpha,U+03B1 ISOgrk3 -->
>>> +        <entity name="beta" cdata="&amp;#946;"/> <!--greek small  letter beta, U+03B2 ISOgrk3 -->
>>> +        <entity name="gamma" cdata="&amp;#947;"/> <!--greek small  letter gamma,U+03B3 ISOgrk3 -->
>>> +        <entity name="delta" cdata="&amp;#948;"/> <!--greek small  letter delta,U+03B4 ISOgrk3 -->
>>> +        <entity name="epsilon" cdata="&amp;#949;"/> <!--greek  small letter epsilon,U+03B5 ISOgrk3 -->
>>> +        <entity name="zeta" cdata="&amp;#950;"/> <!--greek small  letter zeta, U+03B6 ISOgrk3 -->
>>> +        <entity name="eta" cdata="&amp;#951;"/> <!--greek small  letter eta, U+03B7 ISOgrk3 -->
>>> +        <entity name="theta" cdata="&amp;#952;"/> <!--greek small  letter theta, U+03B8 ISOgrk3 -->
>>> +        <entity name="iota" cdata="&amp;#953;"/> <!--greek small  letter iota, U+03B9 ISOgrk3 -->
>>> +        <entity name="kappa" cdata="&amp;#954;"/> <!--greek small  letter kappa,U+03BA ISOgrk3 -->
>>> +        <entity name="lambda" cdata="&amp;#955;"/> <!--greek small  letter lambda, U+03BB ISOgrk3 -->
>>> +        <entity name="mu" cdata="&amp;#956;"/> <!--greek small  letter mu, U+03BC ISOgrk3 -->
>>> +        <entity name="nu" cdata="&amp;#957;"/> <!--greek small  letter nu, U+03BD ISOgrk3 -->
>>> +        <entity name="xi" cdata="&amp;#958;"/> <!--greek small  letter xi, U+03BE ISOgrk3 -->
>>> +        <entity name="omicron" cdata="&amp;#959;"/> <!--greek  small letter omicron, U+03BF NEW -->
>>> +        <entity name="pi" cdata="&amp;#960;"/> <!--greek small  letter pi, U+03C0 ISOgrk3 -->
>>> +        <entity name="rho" cdata="&amp;#961;"/> <!--greek small  letter rho, U+03C1 ISOgrk3 -->
>>> +        <entity name="sigmaf" cdata="&amp;#962;"/> <!--greek small  letter final sigma, U+03C2 ISOgrk3 -->
>>> +        <entity name="sigma" cdata="&amp;#963;"/> <!--greek small  letter sigma, U+03C3 ISOgrk3 -->
>>> +        <entity name="tau" cdata="&amp;#964;"/> <!--greek small  letter tau, U+03C4 ISOgrk3 -->
>>> +        <entity name="upsilon" cdata="&amp;#965;"/> <!--greek  small letter upsilon, U+03C5 ISOgrk3 -->
>>> +        <entity name="phi" cdata="&amp;#966;"/> <!--greek small  letter phi, U+03C6 ISOgrk3 -->
>>> +        <entity name="chi" cdata="&amp;#967;"/> <!--greek small  letter chi, U+03C7 ISOgrk3 -->
>>> +        <entity name="psi" cdata="&amp;#968;"/> <!--greek small  letter psi, U+03C8 ISOgrk3 -->
>>> +        <entity name="omega" cdata="&amp;#969;"/> <!--greek small  letter omega, U+03C9 ISOgrk3 -->
>>> +        <entity name="thetasym" cdata="&amp;#977;"/> <!--greek  small letter theta symbol, U+03D1 NEW -->
>>> +        <entity name="upsih" cdata="&amp;#978;"/> <!--greek  upsilon with hook symbol, U+03D2 NEW -->
>>> +        <entity name="piv" cdata="&amp;#982;"/> <!--greek pi  symbol, U+03D6 ISOgrk3 -->
>>> +
>>> +        <!-- General Punctuation -->
>>> +        <entity name="bull" cdata="&amp;#8226;"/> <!--bullet =  black small circle, U+2022 ISOpub  -->
>>> +        <!-- bullet is NOT the same as bullet operator, U+2219 -->
>>> +        <entity name="hellip" cdata="&amp;#8230;"/> <!--horizontal  ellipsis = three dot leader, U+2026 ISOpub  -->
>>> +        <entity name="prime" cdata="&amp;#8242;"/> <!--prime =  minutes = feet, U+2032 ISOtech -->
>>> +        <entity name="Prime" cdata="&amp;#8243;"/> <!--double  prime = seconds = inches, U+2033 ISOtech -->
>>> +        <entity name="oline" cdata="&amp;#8254;"/> <!--overline =  spacing overscore, U+203E NEW -->
>>> +        <entity name="frasl" cdata="&amp;#8260;"/> <!--fraction  slash, U+2044 NEW -->
>>> +
>>> +        <!-- Letterlike Symbols -->
>>> +        <entity name="weierp" cdata="&amp;#8472;"/> <!--script  capital P = power set = Weierstrass p, U+2118 ISOamso -->
>>> +        <entity name="image" cdata="&amp;#8465;"/> <!--blackletter  capital I = imaginary part, U+2111 ISOamso -->
>>> +        <entity name="real" cdata="&amp;#8476;"/> <!--blackletter  capital R = real part symbol, U+211C ISOamso -->
>>> +        <entity name="trade" cdata="&amp;#8482;"/> <!--trade mark  sign, U+2122 ISOnum -->
>>> +        <entity name="alefsym" cdata="&amp;#8501;"/> <!--alef  symbol = first transfinite cardinal, U+2135 NEW -->
>>> +        <!-- alef symbol is NOT the same as hebrew letter alef,
>>> +             U+05D0 although the same glyph could be used to  depict both characters -->
>>> +
>>> +        <!-- Arrows -->
>>> +        <entity name="larr" cdata="&amp;#8592;"/> <!--leftwards  arrow, U+2190 ISOnum -->
>>> +        <entity name="uarr" cdata="&amp;#8593;"/> <!--upwards  arrow, U+2191 ISOnum-->
>>> +        <entity name="rarr" cdata="&amp;#8594;"/> <!--rightwards  arrow, U+2192 ISOnum -->
>>> +        <entity name="darr" cdata="&amp;#8595;"/> <!--downwards  arrow, U+2193 ISOnum -->
>>> +        <entity name="harr" cdata="&amp;#8596;"/> <!--left right  arrow, U+2194 ISOamsa -->
>>> +        <entity name="crarr" cdata="&amp;#8629;"/> <!--downwards  arrow with corner leftwards
>>> +                                             = carriage return, U +21B5 NEW -->
>>> +        <entity name="lArr" cdata="&amp;#8656;"/> <!--leftwards  double arrow, U+21D0 ISOtech -->
>>> +
>>> +        <!-- ISO 10646 does not say that lArr is the same as the  'is implied by' arrow
>>> +            but also does not have any other character for that  function. So ? lArr can
>>> +            be used for 'is implied by' as ISOtech suggests -->
>>> +
>>> +        <entity name="uArr" cdata="&amp;#8657;"/> <!--upwards  double arrow, U+21D1 ISOamsa -->
>>> +        <entity name="rArr" cdata="&amp;#8658;"/> <!--rightwards  double arrow, U+21D2 ISOtech -->
>>> +
>>> +        <!-- ISO 10646 does not say this is the 'implies'  character but does not have
>>> +             another character with this function so ?
>>> +             rArr can be used for 'implies' as ISOtech suggests -->
>>> +
>>> +        <entity name="dArr" cdata="&amp;#8659;"/> <!--downwards  double arrow, U+21D3 ISOamsa -->
>>> +        <entity name="hArr" cdata="&amp;#8660;"/> <!--left right  double arrow, U+21D4 ISOamsa -->
>>> +
>>> +        <!-- Mathematical Operators -->
>>> +        <entity name="forall" cdata="&amp;#8704;"/> <!--for all, U +2200 ISOtech -->
>>> +        <entity name="part" cdata="&amp;#8706;"/> <!--partial  differential, U+2202 ISOtech  -->
>>> +        <entity name="exist" cdata="&amp;#8707;"/> <!--there  exists, U+2203 ISOtech -->
>>> +        <entity name="empty" cdata="&amp;#8709;"/> <!--empty set =  null set = diameter,U+2205 ISOamso -->
>>> +        <entity name="nabla" cdata="&amp;#8711;"/> <!--nabla =  backward difference, U+2207 ISOtech -->
>>> +        <entity name="isin" cdata="&amp;#8712;"/> <!--element of, U +2208 ISOtech -->
>>> +        <entity name="notin" cdata="&amp;#8713;"/> <!--not an  element of, U+2209 ISOtech -->
>>> +        <entity name="ni" cdata="&amp;#8715;"/> <!--contains as  member, U+220B ISOtech -->
>>> +
>>> +        <!-- should there be a more memorable name than 'ni'? -->
>>> +        <entity name="prod" cdata="&amp;#8719;"/> <!--n-ary  product = product sign, U+220F ISOamsb -->
>>> +
>>> +        <!-- prod is NOT the same character as U+03A0 'greek  capital letter pi' though
>>> +             the same glyph might be used for both -->
>>> +
>>> +        <entity name="sum" cdata="&amp;#8721;"/> <!--n-ary  sumation, U+2211 ISOamsb -->
>>> +
>>> +        <!-- sum is NOT the same character as U+03A3 'greek  capital letter sigma'
>>> +             though the same glyph might be used for both -->
>>> +
>>> +        <entity name="minus" cdata="&amp;#8722;"/> <!--minus sign,  U+2212 ISOtech -->
>>> +        <entity name="lowast" cdata="&amp;#8727;"/> <!--asterisk  operator, U+2217 ISOtech -->
>>> +        <entity name="radic" cdata="&amp;#8730;"/> <!--square root  = radical sign, U+221A ISOtech -->
>>> +        <entity name="prop" cdata="&amp;#8733;"/> <!--proportional  to, U+221D ISOtech -->
>>> +        <entity name="infin" cdata="&amp;#8734;"/> <!--infinity, U +221E ISOtech -->
>>> +        <entity name="ang" cdata="&amp;#8736;"/> <!--angle, U+2220  ISOamso -->
>>> +        <entity name="and" cdata="&amp;#8743;"/> <!--logical and =  wedge, U+2227 ISOtech -->
>>> +        <entity name="or" cdata="&amp;#8744;"/> <!--logical or =  vee, U+2228 ISOtech -->
>>> +        <entity name="cap" cdata="&amp;#8745;"/> <!--intersection  = cap, U+2229 ISOtech -->
>>> +        <entity name="cup" cdata="&amp;#8746;"/> <!--union = cup, U +222A ISOtech -->
>>> +        <entity name="int" cdata="&amp;#8747;"/> <!--integral, U +222B ISOtech -->
>>> +        <entity name="there4" cdata="&amp;#8756;"/> <!--therefore,  U+2234 ISOtech -->
>>> +        <entity name="sim" cdata="&amp;#8764;"/> <!--tilde  operator = varies with = similar to, U+223C ISOtech -->
>>> +
>>> +        <!-- tilde operator is NOT the same character as the  tilde, U+007E,
>>> +             although the same glyph might be used to represent  both  -->
>>> +
>>> +        <entity name="cong" cdata="&amp;#8773;"/> <!-- 
>>> approximately equal to, U+2245 ISOtech -->
>>> +        <entity name="asymp" cdata="&amp;#8776;"/> <!--almost  equal to = asymptotic to, U+2248 ISOamsr -->
>>> +        <entity name="ne" cdata="&amp;#8800;"/> <!--not equal to, U +2260 ISOtech -->
>>> +        <entity name="equiv" cdata="&amp;#8801;"/> <!--identical  to, U+2261 ISOtech -->
>>> +        <entity name="le" cdata="&amp;#8804;"/> <!--less-than or  equal to, U+2264 ISOtech -->
>>> +        <entity name="ge" cdata="&amp;#8805;"/> <!--greater-than  or equal to, U+2265 ISOtech -->
>>> +        <entity name="sub" cdata="&amp;#8834;"/> <!--subset of, U +2282 ISOtech -->
>>> +        <entity name="sup" cdata="&amp;#8835;"/> <!--superset of, U +2283 ISOtech -->
>>> +
>>> +        <!-- note that nsup, 'not a superset of, U+2283' is not  covered by the Symbol
>>> +             font encoding and is not included. Should it be, for  symmetry?
>>> +             It is in ISOamsn  -->
>>> +
>>> +        <entity name="nsub" cdata="&amp;#8836;"/> <!--not a subset  of, U+2284 ISOamsn -->
>>> +        <entity name="sube" cdata="&amp;#8838;"/> <!--subset of or  equal to, U+2286 ISOtech -->
>>> +        <entity name="supe" cdata="&amp;#8839;"/> <!--superset of  or equal to, U+2287 ISOtech -->
>>> +        <entity name="oplus" cdata="&amp;#8853;"/> <!--circled  plus = direct sum, U+2295 ISOamsb -->
>>> +        <entity name="otimes" cdata="&amp;#8855;"/> <!--circled  times = vector product, U+2297 ISOamsb -->
>>> +        <entity name="perp" cdata="&amp;#8869;"/> <!--up tack =  orthogonal to = perpendicular, U+22A5 ISOtech -->
>>> +        <entity name="sdot" cdata="&amp;#8901;"/> <!--dot  operator, U+22C5 ISOamsb -->
>>> +        <!-- dot operator is NOT the same character as U+00B7  middle dot -->
>>> +
>>> +        <!-- Miscellaneous Technical -->
>>> +        <entity name="lceil" cdata="&amp;#8968;"/> <!--left  ceiling = apl upstile, U+2308 ISOamsc  -->
>>> +        <entity name="rceil" cdata="&amp;#8969;"/> <!--right  ceiling, U+2309 ISOamsc  -->
>>> +        <entity name="lfloor" cdata="&amp;#8970;"/> <!--left floor  = apl downstile, U+230A ISOamsc  -->
>>> +        <entity name="rfloor" cdata="&amp;#8971;"/> <!--right  floor, U+230B ISOamsc  -->
>>> +        <entity name="lang" cdata="&amp;#9001;"/> <!--left- pointing angle bracket = bra, U+2329 ISOtech -->
>>> +        <!-- lang is NOT the same character as U+003C 'less than'
>>> +             or U+2039 'single left-pointing angle quotation mark'  -->
>>> +        <entity name="rang" cdata="&amp;#9002;"/> <!--right- pointing angle bracket = ket, U+232A ISOtech -->
>>> +        <!-- rang is NOT the same character as U+003E 'greater  than' or U+203A 'single right-pointing angle quotation 
>>> mark' -->
>>> +
>>> +        <!-- Geometric Shapes -->
>>> +        <entity name="loz" cdata="&amp;#9674;"/> <!--lozenge, U +25CA ISOpub -->
>>> +
>>> +        <!-- Miscellaneous Symbols -->
>>> +        <entity name="spades" cdata="&amp;#9824;"/> <!--black  spade suit, U+2660 ISOpub -->
>>> +        <!-- black here seems to mean filled as opposed to hollow  -->
>>> +        <entity name="clubs" cdata="&amp;#9827;"/> <!--black club  suit = shamrock, U+2663 ISOpub -->
>>> +        <entity name="hearts" cdata="&amp;#9829;"/> <!--black  heart suit = valentine, U+2665 ISOpub -->
>>> +        <entity name="diams" cdata="&amp;#9830;"/> <!--black  diamond suit, U+2666 ISOpub -->
>>> +
>>> +        <entity name="quot" cdata="&amp;#34;"  /> <!--quotation  mark = APL quote, U+0022 ISOnum -->
>>> +        <!-- Latin Extended-A -->
>>> +        <entity name="OElig" cdata="&amp;#338;" /> <!--latin  capital ligature OE, U+0152 ISOlat2 -->
>>> +        <entity name="oelig" cdata="&amp;#339;" /> <!--latin small  ligature oe, U+0153 ISOlat2 -->
>>> +        <!-- ligature is a misnomer, this is a separate character  in some languages -->
>>> +        <entity name="Scaron" cdata="&amp;#352;" /> <!--latin  capital letter S with caron, U+0160 ISOlat2 -->
>>> +        <entity name="scaron" cdata="&amp;#353;" /> <!--latin  small letter s with caron, U+0161 ISOlat2 -->
>>> +        <entity name="Yuml" cdata="&amp;#376;" /> <!--latin  capital letter Y with diaeresis, U+0178 ISOlat2 -->
>>> +
>>> +        <!-- Spacing Modifier Letters -->
>>> +        <entity name="circ" cdata="&amp;#710;" /> <!--modifier  letter circumflex accent, U+02C6 ISOpub -->
>>> +        <entity name="tilde" cdata="&amp;#732;" /> <!--small  tilde, U+02DC ISOdia -->
>>> +
>>> +        <!-- General Punctuation -->
>>> +        <entity name="ensp" cdata="&amp;#8194;"/> <!--en space, U +2002 ISOpub -->
>>> +        <entity name="emsp" cdata="&amp;#8195;"/> <!--em space, U +2003 ISOpub -->
>>> +        <entity name="thinsp" cdata="&amp;#8201;"/> <!--thin  space, U+2009 ISOpub -->
>>> +        <entity name="zwnj" cdata="&amp;#8204;"/> <!--zero width  non-joiner, U+200C NEW RFC 2070 -->
>>> +        <entity name="zwj" cdata="&amp;#8205;"/> <!--zero width  joiner, U+200D NEW RFC 2070 -->
>>> +        <entity name="lrm" cdata="&amp;#8206;"/> <!--left-to-right  mark, U+200E NEW RFC 2070 -->
>>> +        <entity name="rlm" cdata="&amp;#8207;"/> <!--right-to-left  mark, U+200F NEW RFC 2070 -->
>>> +        <entity name="ndash" cdata="&amp;#8211;"/> <!--en dash, U +2013 ISOpub -->
>>> +        <entity name="mdash" cdata="&amp;#8212;"/> <!--em dash, U +2014 ISOpub -->
>>> +        <entity name="lsquo" cdata="&amp;#8216;"/> <!--left single  quotation mark, U+2018 ISOnum -->
>>> +        <entity name="rsquo" cdata="&amp;#8217;"/> <!--right  single quotation mark, U+2019 ISOnum -->
>>> +        <entity name="sbquo" cdata="&amp;#8218;"/> <!--single  low-9 quotation mark, U+201A NEW -->
>>> +        <entity name="ldquo" cdata="&amp;#8220;"/> <!--left double  quotation mark, U+201C ISOnum -->
>>> +        <entity name="rdquo" cdata="&amp;#8221;"/> <!--right  double quotation mark, U+201D ISOnum -->
>>> +        <entity name="bdquo" cdata="&amp;#8222;"/> <!--double  low-9 quotation mark, U+201E NEW -->
>>> +        <entity name="dagger" cdata="&amp;#8224;"/> <!--dagger, U +2020 ISOpub -->
>>> +        <entity name="Dagger" cdata="&amp;#8225;"/> <!--double  dagger, U+2021 ISOpub -->
>>> +        <entity name="permil" cdata="&amp;#8240;"/> <!--per mille  sign, U+2030 ISOtech -->
>>> +        <entity name="lsaquo" cdata="&amp;#8249;"/> <!--single  left-pointing angle quotation mark, U+2039 ISO proposed -->
>>> +        <!-- lsaquo is proposed but not yet ISO standardized -->
>>> +        <entity name="rsaquo" cdata="&amp;#8250;"/> <!--single  right-pointing angle quotation mark, U+203A ISO proposed -->
>>> +        <!-- rsaquo is proposed but not yet ISO standardized -->
>>> +        <entity name="euro" cdata="&amp;#8364;" /> <!--euro sign, U +20AC NEW -->
>>> +    </html-entities>
>>> +</anti-samy-rules>
>>>
>>> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>>> ------------------------------------------------------------------------------
>>>   svn:eol-style = native
>>>
>>> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>>> ------------------------------------------------------------------------------
>>>   svn:executable = *
>>>
>>> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>>> ------------------------------------------------------------------------------
>>>   svn:keywords = "Date Rev Author URL Id"
>>>
>>> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>>> ------------------------------------------------------------------------------
>>>   svn:mime-type = text/xml
>>>
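Review bot: the `svn:executable = *` property set on antisamy-esapi.xml (and again on antisamy-bin.1.2.jar further down) is unnecessary: neither an XML policy file nor a jar is run directly, and an executable bit on a config file tends to trip up packaging and file-permission checks later. Consider dropping it and keeping only eol-style, keywords and mime-type.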
>>> Added: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar?rev=742352&view=auto
>>> = = = = = = = = = =====================================================================
>>> Binary file - no diff available.
>>>
>>> Propchange: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
>>> ------------------------------------------------------------------------------
>>>   svn:executable = *
>>>
>>> Propchange: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
>>> ------------------------------------------------------------------------------
>>>   svn:mime-type = application/octet-stream
>>>
>>> Added: ofbiz/trunk/framework/base/lib/nekohtml.jar
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/nekohtml.jar?rev=742352&view=auto
>>> = = = = = = = = = =====================================================================
>>> Binary file - no diff available.
>>>
>>> Propchange: ofbiz/trunk/framework/base/lib/nekohtml.jar
>>> ------------------------------------------------------------------------------
>>>   svn:mime-type = application/octet-stream
>>>
>>> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/ StringUtil.java
>>> URL: 
>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=742352&r1=742351&r2=742352&view=diff
>>> = = = = = = = = = =====================================================================
>>> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/ StringUtil.java (original)
>>> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/ StringUtil.java Mon Feb  9 09:34:34 2009
>>> @@ -18,10 +18,6 @@
>>> *******************************************************************************/
>>> package org.ofbiz.base.util;
>>>
>>> -import javolution.util.FastList;
>>> -import javolution.util.FastMap;
>>> -import javolution.util.FastSet;
>>> -
>>> import java.io.UnsupportedEncodingException;
>>> import java.net.URLDecoder;
>>> import java.net.URLEncoder;
>>> @@ -34,15 +30,23 @@
>>> import java.util.regex.Matcher;
>>> import java.util.regex.Pattern;
>>>
>>> +import javolution.util.FastList;
>>> +import javolution.util.FastMap;
>>> +import javolution.util.FastSet;
>>> +
>>> import org.apache.commons.codec.DecoderException;
>>> import org.apache.commons.codec.binary.Hex;
>>> import org.owasp.esapi.Encoder;
>>> +import org.owasp.esapi.ValidationErrorList;
>>> +import org.owasp.esapi.Validator;
>>> import org.owasp.esapi.codecs.CSSCodec;
>>> import org.owasp.esapi.codecs.Codec;
>>> import org.owasp.esapi.codecs.HTMLEntityCodec;
>>> import org.owasp.esapi.codecs.JavaScriptCodec;
>>> import org.owasp.esapi.codecs.PercentCodec;
>>> +import org.owasp.esapi.errors.EncodingException;
>>> import org.owasp.esapi.reference.DefaultEncoder;
>>> +import org.owasp.esapi.reference.DefaultValidator;
>>>
>>> /**
>>> * Misc String Utility Functions
>>> @@ -55,12 +59,12 @@
>>>    /** OWASP ESAPI canonicalize strict flag; setting false so we  only get warnings about double encoding, etc; can be set to 
>>> true  for exceptions and more security */
>>>    public static final boolean esapiCanonicalizeStrict = false;
>>>    public static final Encoder defaultWebEncoder;
>>> -    //public static final Validator defaultWebValidator;
>>> +    public static final Validator defaultWebValidator;
>>>    static {
>>>        // possible codecs: CSSCodec, HTMLEntityCodec,  JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec, 
>>> VBScriptCodec, WindowsCodec
>>>        List<Codec> codecList = Arrays.asList(new CSSCodec(), new  HTMLEntityCodec(), new JavaScriptCodec(), new PercentCodec());
>>>        defaultWebEncoder = new DefaultEncoder(codecList);
>>> -        //defaultWebValidator = new DefaultValidator();
>>> +        defaultWebValidator = new DefaultValidator();
>>>    }
>>>
>>>    public static final SimpleEncoder htmlEncoder = new HtmlEncoder();
>>> @@ -82,6 +86,8 @@
>>>        }
>>>    }
>>>
>>> +    // ================== Begin General Functions ==================
>>> +
>>>    public static String internString(String value) {
>>>        return value != null ? value.intern() : null;
>>>    }
>>> @@ -459,6 +465,72 @@
>>>    }
>>>
>>>    /**
>>> +     * Uses a black-list approach for necessary characters for HTML.
>>> +     * Does not allow various characters (after canonicalization),  including "<", ">", "&" (if not followed by a space), and 
>>> "%" (if  not followed by a space).
>>> +     *
>>> +     * @param value
>>> +     * @param errorMessageList
>>> +     */
>>> +    public static String checkStringForHtmlStrictNone(String  valueName, String value, List<String> errorMessageList) {
>>> +        if (UtilValidate.isEmpty(value)) return value;
>>> +
>>> +        // canonicalize, strict (error on double-encoding)
>>> +        try {
>>> +            value = defaultWebEncoder.canonicalize(value, true);
>>> +        } catch (EncodingException e) {
>>> +            // NOTE: using different log and user targeted error  messages to allow the end-user message to be less technical
>>> +            Debug.logError("Canonicalization (format consistency,  character escaping that is mixed or double, etc) error for 
>>> attribute named [" + valueName + "], String [" + value + "]: " +  e.toString(), module);
>>> +            errorMessageList.add("In field [" + valueName + "]  found character espacing (mixed or double) that is not allowed 
>>> or  other format consistency error: " + e.toString());
>>> +        }
>>> +
>>> +        // check for "<", ">"
>>> +        if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {
>>> +            errorMessageList.add("In field [" + valueName + "]  greater-than (>) and less-than (<) symbols are not allowed.");
>>> +        }
>>> +
>>> +        // check for & not followed by a space (can be used for  escaping chars)
>>> +        int curAmpIndex = value.indexOf("&");
>>> +        while (curAmpIndex >= 0) {
>>> +            if (' ' != value.charAt(curAmpIndex + 1)) {
>>> +                errorMessageList.add("In field [" + valueName + "]  the ampersand (&) symbol is only allowed if followed by a 
>>> space.");
>>> +                // once we find one like this we have the message  so no need to check for more
>>> +                break;
>>> +            }
>>> +            curAmpIndex = value.indexOf("&", curAmpIndex + 1);
>>> +        }
>>> +
>>> +        // check for % not followed by a space (can be used for  escaping chars)
>>> +        int curPercIndex = value.indexOf("%");
>>> +        while (curPercIndex >= 0) {
>>> +            if (' ' != value.charAt(curPercIndex + 1)) {
>>> +                errorMessageList.add("In field [" + valueName + "]  the percent (%) symbol is only allowed if followed by a 
>>> space.");
>>> +                // once we find one like this we have the message  so no need to check for more
>>> +                break;
>>> +            }
>>> +            curPercIndex = value.indexOf("%", curPercIndex + 1);
>>> +        }
>>> +
>>> +        // TODO: anything else to check for that can be used to  get HTML or JavaScript going without these characters?
>>> +
>>> +        return value;
>>> +    }
>>> +
>>> +    /**
>>> +     * Uses a white-list approach to check for safe HTML.
>>> +     * Based on the ESAPI validator configured in the antisamy- esapi.xml file.
>>> +     *
>>> +     * @param value
>>> +     * @param errorMessageList
>>> +     * @return String with updated value if needed for safer HTML.
>>> +     */
>>> +    public static String checkStringForHtmlSafeOnly(String  valueName, String value, List<String> errorMessageList) {
>>> +        ValidationErrorList vel = new ValidationErrorList();
>>> +        value = defaultWebValidator.getValidSafeHTML(valueName,  value, Integer.MAX_VALUE, true, vel);
>>> +        errorMessageList.addAll(vel.errors());
>>> +        return value;
>>> +    }
>>> +
>>> +    /**
>>>     * Translates various HTML characters in a string so that the  string can be displayed in a browser safely
>>>     * <p>
>>>     * This function is useful in preventing user-supplied text from  containing HTML markup, such as in a message board or
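Review bot: the angle-bracket check `if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0)` tests for "<" twice and never for ">", so a bare greater-than sign passes even though the error message says both are rejected; the second operand should be `value.indexOf(">") >= 0`. In the ampersand and percent loops, `value.charAt(curAmpIndex + 1)` and `value.charAt(curPercIndex + 1)` throw StringIndexOutOfBoundsException when the symbol is the last character of the string; guard with `curAmpIndex + 1 < value.length()` and report a trailing "&" or "%" like any other one not followed by a space. When `canonicalize` throws EncodingException the method logs and adds a message but then continues the remaining checks on the non-canonicalized value, so they run on still-encoded input; returning right after adding the error would be clearer. Minor: "espacing" in the user-facing message should be "escaping", and `checkStringForHtmlSafeOnly` has no empty-value shortcut like the strict-none variant, so confirm that `getValidSafeHTML` accepts a null value (allowNull is passed as true) and that `vel.errors()` supplies String messages suitable for the `List<String> errorMessageList` rather than exception objects.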
>>> @@ -473,6 +545,8 @@
>>>     *    <li>'>' (greater than) becomes '&gt;'
>>>     *    <li>\n (Carriage Return) becomes '&lt;br&gt;gt;'
>>>     * </ol>
>>> +     *
>>> +     * @deprecated Use StringUtil.htmlEncoder instead.
>>>     */
>>>    public static String htmlSpecialChars(String html, boolean  doubleQuotes, boolean singleQuotes, boolean insertBR) {
>>>        html = StringUtil.replaceString(html, "&", "&amp;");
>>>
>>> Modified: ofbiz/trunk/framework/service/dtd/services.xsd
>>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=742352&r1=742351&r2=742352&view=diff
>>> = = = = = = = = = =====================================================================
>>> --- ofbiz/trunk/framework/service/dtd/services.xsd (original)
>>> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Feb  9  09:34:34 2009
>>> @@ -268,6 +268,16 @@
>>>                </xs:restriction>
>>>            </xs:simpleType>
>>>        </xs:attribute>
>>> +        <xs:attribute name="allow-html" use="optional"  default="none">
>>> +            <xs:annotation><xs:documentation>See the documentation  on the allow-html attribute of the "attribute" element.</ 
>>> xs:documentation></xs:annotation>
>>> +            <xs:simpleType>
>>> +                <xs:restriction base="xs:token">
>>> +                    <xs:enumeration value="any"/>
>>> +                    <xs:enumeration value="safe"/>
>>> +                    <xs:enumeration value="none"/>
>>> +                </xs:restriction>
>>> +            </xs:simpleType>
>>> +        </xs:attribute>
>>>    </xs:attributeGroup>
>>>    <xs:element name="exclude">
>>>        <xs:complexType>
>>> @@ -321,6 +331,22 @@
>>>                </xs:restriction>
>>>            </xs:simpleType>
>>>        </xs:attribute>
>>> +        <xs:attribute name="allow-html" use="optional"  default="none">
>>> +            <xs:annotation><xs:documentation>
>>> +                Applies only to String fields.
>>> +                Only checked for incoming parameters/attributes  (could change in the future, but this is meant for validating 
>>> input  from users, other systems, etc).
>>> +                Defualts to "none" meaning no HTML is allowed  (will result in an error message).
>>> +                If some HTML is desired then use "safe" which will  follow the rules in the antisamy-esapi.xml file. This 
>>> should be  safe for both internal and public users.
>>> +                In rare cases when users are trusted or it is not  a sensitive field the "any" option may be used to not check 
>>> the  HTML content at all.
>>> +            </xs:documentation></xs:annotation>
>>> +            <xs:simpleType>
>>> +                <xs:restriction base="xs:token">
>>> +                    <xs:enumeration value="any"/>
>>> +                    <xs:enumeration value="safe"/>
>>> +                    <xs:enumeration value="none"/>
>>> +                </xs:restriction>
>>> +            </xs:simpleType>
>>> +        </xs:attribute>
>>>    </xs:attributeGroup>
>>>    <xs:element name="override">
>>>        <xs:complexType>
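Review bot: typo in the xs:documentation text, "Defualts to "none"" should read "Defaults to "none"". The description could also tell service authors what "none" actually rejects: per StringUtil.checkStringForHtmlStrictNone in this same commit it fails not only on "<" and ">" but also on "&" and "%" not followed by a space and on mixed or double encoding, so fields that legitimately carry percentages or ampersands in names will need "safe" or "any"; a one-line mention here avoids that surprise.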
>>> @@ -362,6 +388,16 @@
>>>                </xs:restriction>
>>>            </xs:simpleType>
>>>        </xs:attribute>
>>> +        <xs:attribute name="allow-html" use="optional">
>>> +            <xs:annotation><xs:documentation>See the documentation  on the allow-html attribute of the "attribute" element. 
>>> Note that  it is slightly different here as there is no defualt.</ xs:documentation></xs:annotation>
>>> +            <xs:simpleType>
>>> +                <xs:restriction base="xs:token">
>>> +                    <xs:enumeration value="any"/>
>>> +                    <xs:enumeration value="safe"/>
>>> +                    <xs:enumeration value="none"/>
>>> +                </xs:restriction>
>>> +            </xs:simpleType>
>>> +        </xs:attribute>
>>>    </xs:attributeGroup>
>>>    <xs:element name="type-validate">
>>>        <xs:complexType>
>>>
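Review bot: "defualt" should be "default" in the xs:documentation text of the override hunk.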
>>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ GenericDispatcher.java
>>> URL: 
>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java?rev=742352&r1=742351&r2=742352&view=diff
>>> = = = = = = = = = =====================================================================
>>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ GenericDispatcher.java (original)
>>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ GenericDispatcher.java Mon Feb  9 09:34:34 2009
>>> @@ -22,9 +22,8 @@
>>>
>>> import javolution.util.FastMap;
>>>
>>> -import org.ofbiz.entity.GenericDelegator;
>>> -import org.ofbiz.entity.GenericEntityException;
>>> import org.ofbiz.base.util.Debug;
>>> +import org.ofbiz.entity.GenericDelegator;
>>>
>>> /**
>>> * Generic Services Local Dispatcher
>>> @@ -130,15 +129,15 @@
>>>    }
>>>
>>>    public void disableEcas(){
>>> -        this.ecasDisabled = true;
>>> +        ecasDisabled = true;
>>>    }
>>>
>>>    public void enableEcas() {
>>> -        this.ecasDisabled = false;
>>> +        ecasDisabled = false;
>>>    }
>>>
>>>    public boolean isEcasDisabled() {
>>> -        return this.ecasDisabled;
>>> +        return ecasDisabled;
>>>    }
>>>
>>>    /**
>>>
>>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelParam.java
>>> URL: 
>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java?rev=742352&r1=742351&r2=742352&view=diff
>>> = = = = = = = = = =====================================================================
>>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelParam.java (original)
>>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelParam.java Mon Feb  9 09:34:34 2009
>>> @@ -35,6 +35,7 @@
>>> /**
>>> * Generic Service Model Parameter
>>> */
>>> +@SuppressWarnings("serial")
>>> public class ModelParam implements Serializable {
>>>
>>>    public static final String module = ModelParam.class.getName();
>>> @@ -77,6 +78,9 @@
>>>    public boolean formDisplay = true;
>>>    public boolean overrideFormDisplay = false;
>>>
>>> +    /** Default value */
>>> +    public String allowHtml = null;
>>> +
>>>    /** Is this Parameter set internally? */
>>>    public boolean internal = false;
>>>
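Review bot: the javadoc `/** Default value */` on the new `allowHtml` field is a copy of a neighbouring field's comment and does not describe it. Say what the field holds (the allow-html setting for this parameter: "none", "safe" or "any") and, since the override variant of the attribute has no default in services.xsd, that null means not set.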
>>> @@ -97,6 +101,7 @@
>>>        this.overrideOptional = param.overrideOptional;
>>>        this.formDisplay = param.formDisplay;
>>>        this.overrideFormDisplay = param.overrideFormDisplay;
>>> +        this.allowHtml = param.allowHtml;
>>>        this.internal = param.internal;
>>>    }
>>>
>>> @@ -190,6 +195,7 @@
>>>        buf.append(overrideOptional).append("::");
>>>        buf.append(formDisplay).append("::");
>>>        buf.append(overrideFormDisplay).append("::");
>>> +        buf.append(allowHtml).append("::");
>>>        buf.append(defaultValue).append("::");
>>>        buf.append(internal);
>>>        if (validators != null)
>>>
>>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelService.java
>>> URL: 
>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=742352&r1=742351&r2=742352&view=diff
>>> = = = = = = = = = =====================================================================
>>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelService.java (original)
>>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelService.java Mon Feb  9 09:34:34 2009
>>> @@ -58,7 +58,7 @@
>>> import org.ofbiz.base.util.Debug;
>>> import org.ofbiz.base.util.GeneralException;
>>> import org.ofbiz.base.util.ObjectType;
>>> -import org.ofbiz.base.util.UtilDateTime;
>>> +import org.ofbiz.base.util.StringUtil;
>>> import org.ofbiz.base.util.UtilMisc;
>>> import org.ofbiz.base.util.UtilProperties;
>>> import org.ofbiz.base.util.UtilValidate;
>>> @@ -75,6 +75,7 @@
>>> /**
>>> * Generic Service Model Class
>>> */
>>> +@SuppressWarnings("serial")
>>> public class ModelService extends AbstractMap<String, Object>  implements Serializable {
>>>    private static final Field[] MODEL_SERVICE_FIELDS;
>>>    private static final Map<String, Field> MODEL_SERVICE_FIELD_MAP  = FastMap.newInstance();
>>> @@ -459,16 +460,16 @@
>>>     * @param test The Map object to test
>>>     * @param mode Test either mode IN or mode OUT
>>>     */
>>> -    public void validate(Map<String, ? extends Object> test,  String mode, Locale locale) throws ServiceValidationException {
>>> +    public void validate(Map<String, Object> context, String mode,  Locale locale) throws ServiceValidationException {
>>>        Map<String, String> requiredInfo = FastMap.newInstance();
>>>        Map<String, String> optionalInfo = FastMap.newInstance();
>>>        boolean verboseOn = Debug.verboseOn();
>>>
>>> -        if (verboseOn) Debug.logVerbose("[ModelService.validate] :  {" + this.name + "} : Validating context - " + test, 
>>> module);
>>> +        if (verboseOn) Debug.logVerbose("[ModelService.validate] :  {" + this.name + "} : Validating context - " + context, 
>>> module);
>>>
>>>        // do not validate results with errors
>>> -        if (mode.equals(OUT_PARAM) && test != null &&  test.containsKey(RESPONSE_MESSAGE)) {
>>> -            if (RESPOND_ERROR.equals(test.get(RESPONSE_MESSAGE))  || RESPOND_FAIL.equals(test.get(RESPONSE_MESSAGE))) {
>>> +        if (mode.equals(OUT_PARAM) && context != null &&  context.containsKey(RESPONSE_MESSAGE)) {
>>> +            if  (RESPOND_ERROR.equals(context.get(RESPONSE_MESSAGE)) ||  RESPOND_FAIL.equals(context.get(RESPONSE_MESSAGE))) {
>>>                if (verboseOn)  Debug.logVerbose("[ModelService.validate] : {" + this.name + "} :  response was an error, not 
>>> validating.", module);
>>>                return;
>>>            }
>>> @@ -490,8 +491,8 @@
>>>        Map<String, Object> requiredTest = FastMap.newInstance();
>>>        Map<String, Object> optionalTest = FastMap.newInstance();
>>>
>>> -        if (test == null) test = FastMap.newInstance();
>>> -        requiredTest.putAll(test);
>>> +        if (context == null) context = FastMap.newInstance();
>>> +        requiredTest.putAll(context);
>>>
>>>        List<String> requiredButNull = FastList.newInstance();
>>>        List<String> keyList = FastList.newInstance();
>>> @@ -545,6 +546,30 @@
>>>            Debug.logError("[ModelService.validate] : {" + name +  "} : (" + mode + ") Required test error: " + e.toString(), 
>>> module);
>>>            throw e;
>>>        }
>>> +
>>> +        // required and type validation complete, do allow-html  validation
>>> +        if ("IN".equals(mode)) {
>>> +            List<String> errorMessageList = FastList.newInstance();
>>> +            for (ModelParam modelParam: this.contextInfo.values()) {
>>> +                if (context.get(modelParam.name) != null &&
>>> +                        ("String".equals(modelParam.type) ||  "java.lang.String".equals(modelParam.type)) &&
>>> +                        !"any".equals(modelParam.allowHtml) &&
>>> +                        ("INOUT".equals(modelParam.mode) ||  "IN".equals(modelParam.mode))) {
>>> +                    // the param is a String, allow-html is none  or safe, and we are looking at an IN parameter during input 
>>> parameter validation
>>> +                    String value = (String)  context.get(modelParam.name);
>>> +                    if ("none".equals(modelParam.allowHtml)) {
>>> +                        value =  StringUtil.checkStringForHtmlStrictNone(modelParam.name, value,  errorMessageList);
>>> +                        context.put(modelParam.name, value);
>>> +                    } else if  ("safe".equals(modelParam.allowHtml)) {
>>> +                        value =  StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value,  errorMessageList);
>>> +                        context.put(modelParam.name, value);
>>> +                    }
>>> +                }
>>> +            }
>>> +            if (errorMessageList.size() > 0) {
>>> +                throw new  ServiceValidationException(errorMessageList, this, mode);
>>> +            }
>>> +        }
>>>    }
>>>
>>>    /**
>>>
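Review bot: the `if ("none".equals(...)) ... else if ("safe".equals(...))` chain in the new allow-html block fails open: `!"any".equals(modelParam.allowHtml)` admits every value other than "any" into the loop, but a value that is neither "none" nor "safe" (a typo such as `allow-html="nome"`, or an empty string if a reader ever leaves the field unset) matches no branch and the parameter is passed through unchecked, exactly as if it were "any". Make the last branch a plain `else` that calls `StringUtil.checkStringForHtmlStrictNone`, or reject unknown values when the definition is loaded. Two smaller points on the same block: only parameters declared as `String`/`java.lang.String` in `IN`/`INOUT` mode are inspected, so strings carried inside `List`, `Map` or `Object`-typed attributes bypass the filter entirely and that limit belongs in the XSD comment; and the cleaned value is written back into the caller's `context` with `context.put` before `ServiceValidationException` is thrown, so on failure the caller's map is left partially rewritten. If `checkStringForHtmlStrictNone` echoes the rejected input into `errorMessageList`, those messages must be output-encoded wherever they are rendered, which bears directly on the question raised in this thread about keeping HTML markup in error messages.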
>>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelServiceReader.java
>>> URL: 
>>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java?rev=742352&r1=742351&r2=742352&view=diff
>>> ======================================================================
>>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelServiceReader.java (original)
>>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ ModelServiceReader.java Mon Feb  9 09:34:34 2009
>>> @@ -56,7 +56,7 @@
>>> /**
>>> * Generic Service - Service Definition Reader
>>> */
>>> -
>>> +@SuppressWarnings("serial")
>>> public class ModelServiceReader implements Serializable {
>>>
>>>    public static final String module =  ModelServiceReader.class.getName();
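Review bot: the `@SuppressWarnings("serial")` added above `public class ModelServiceReader implements Serializable` is unrelated to the allow-html feature and would be easier to track in its own commit; it also silences the warning rather than declaring a `serialVersionUID`, which is the usual fix for a class that is meant to stay Serializable.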
>>> @@ -510,6 +510,7 @@
>>>                            param.mode =  UtilXml.checkEmpty(autoElement.getAttribute("mode")).intern();
>>>                            param.optional =  "true".equalsIgnoreCase(autoElement.getAttribute("optional")); //  default to true
>>>                            param.formDisplay  = !"false".equalsIgnoreCase(autoElement.getAttribute("form- display")); // default 
>>> to false
>>> +                            param.allowHtml =  UtilXml.checkEmpty(autoElement.getAttribute("allow-html"),  "none").intern(); // 
>>> default to none
>>>                            modelParamMap.put(field.getName(), param);
>>>                        }
>>>                    }
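Review bot: `UtilXml.checkEmpty(autoElement.getAttribute("allow-html"), "none")` supplies the default but never validates the value, so anything other than the three documented options ("none", "safe", "any") is interned and stored as-is; because `ModelService.validate` only recognises "none" and "safe", an unrecognised value ends up unfiltered at runtime. Compare the value against the three literals here and log an error or fall back to "none" for anything else; the identical line added for `<attribute>` and the override handling further down need the same check.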
>>> @@ -532,7 +533,7 @@
>>>                Debug.logError(e, "Problem loading auto-attributes  [" + entityName + "] for " + service.name, module);
>>>            } catch (GeneralException e) {
>>>                Debug.logError(e, "Cannot load auto-attributes : " +  e.getMessage() + " for " + service.name, module);
>>> -            }
>>> +            }
>>>        }
>>>    }
>>>
>>> @@ -551,6 +552,7 @@
>>>            param.formLabel = attribute.hasAttribute("form-label")? attribute.getAttribute("form-label").intern():null;
>>>            param.optional =  "true".equalsIgnoreCase(attribute.getAttribute("optional")); //  default to true
>>>            param.formDisplay  = !"false".equalsIgnoreCase(attribute.getAttribute("form- display")); // default to false
>>> +            param.allowHtml =  UtilXml.checkEmpty(attribute.getAttribute("allow-html"),  "none").intern(); // default to none
>>>
>>>            // default value
>>>            String defValue = attribute.getAttribute("default-value");
>>> @@ -644,8 +646,8 @@
>>>    }
>>>
>>>    protected void createOverrideDefs(Element baseElement,  ModelService service) {
>>> -        for (Element attribute:  UtilXml.childElementList(baseElement, "override")) {
>>> -            String name =  UtilXml.checkEmpty(attribute.getAttribute("name"));
>>> +        for (Element overrideElement:  UtilXml.childElementList(baseElement, "override")) {
>>> +            String name =  UtilXml.checkEmpty(overrideElement.getAttribute("name"));
>>>            ModelParam param = service.getParam(name);
>>>            boolean directToParams = true;
>>>            if (param == null) {
>>> @@ -662,38 +664,42 @@
>>>
>>>            if (param != null) {
>>>                // set only modified values
>>> -                if (attribute.getAttribute("type") != null &&  attribute.getAttribute("type").length() > 0) {
>>> -                    param.type =  UtilXml.checkEmpty(attribute.getAttribute("type")).intern();
>>> +                if  (UtilValidate.isNotEmpty(overrideElement.getAttribute("type"))) {
>>> +                    param.type =  UtilXml.checkEmpty(overrideElement.getAttribute("type")).intern();
>>>                }
>>> -                if (attribute.getAttribute("mode") != null &&  attribute.getAttribute("mode").length() > 0) {
>>> -                    param.mode =  UtilXml.checkEmpty(attribute.getAttribute("mode")).intern();
>>> +                if  (UtilValidate.isNotEmpty(overrideElement.getAttribute("mode"))) {
>>> +                    param.mode =  UtilXml.checkEmpty(overrideElement.getAttribute("mode")).intern();
>>>                }
>>> -                if (attribute.getAttribute("entity-name") != null  && attribute.getAttribute("entity-name").length() > 0) {
>>> -                   param.entityName =  UtilXml.checkEmpty(attribute.getAttribute("entity-name")).intern();
>>> +                if  (UtilValidate.isNotEmpty(overrideElement.getAttribute("entity- name"))) {
>>> +                   param.entityName =  UtilXml.checkEmpty(overrideElement.getAttribute("entity- name")).intern();
>>>                }
>>> -                if (attribute.getAttribute("field-name") != null  && attribute.getAttribute("field-name").length() > 0) {
>>> -                    param.fieldName =  UtilXml.checkEmpty(attribute.getAttribute("field-name")).intern();
>>> +                if  (UtilValidate.isNotEmpty(overrideElement.getAttribute("field- name"))) {
>>> +                    param.fieldName =  UtilXml.checkEmpty(overrideElement.getAttribute("field- name")).intern();
>>>                }
>>> -                if (attribute.getAttribute("form-label") != null  && attribute.getAttribute("form-label").length() > 0) {
>>> -                    param.formLabel =  UtilXml.checkEmpty(attribute.getAttribute("form-label")).intern();
>>> +                if  (UtilValidate.isNotEmpty(overrideElement.getAttribute("form- label"))) {
>>> +                    param.formLabel =  UtilXml.checkEmpty(overrideElement.getAttribute("form- label")).intern();
>>>                }
>>> -                if (attribute.getAttribute("optional") != null &&  attribute.getAttribute("optional").length() > 0) {
>>> -                    param.optional =  "true".equalsIgnoreCase(attribute.getAttribute("optional")); //  default to true
>>> +                if  (UtilValidate.isNotEmpty(overrideElement.getAttribute("optional"))) {
>>> +                    param.optional =  "true ".equalsIgnoreCase(overrideElement.getAttribute("optional")); //  default to true
>>>                    param.overrideOptional = true;
>>>                }
>>> -                if (attribute.getAttribute("form-display") != null  && attribute.getAttribute("form-display").length() > 0) {
>>> -                    param.formDisplay  = !"false".equalsIgnoreCase(attribute.getAttribute("form- display")); // default to 
>>> false
>>> +                if  (UtilValidate.isNotEmpty(overrideElement.getAttribute("form- display"))) {
>>> +                    param.formDisplay  = !"false".equalsIgnoreCase(overrideElement.getAttribute("form- display")); // default 
>>> to false
>>>                    param.overrideFormDisplay = true;
>>>                }
>>>
>>> +                if  (UtilValidate.isNotEmpty(overrideElement.getAttribute("allow- html"))) {
>>> +                    param.allowHtml =  UtilXml.checkEmpty(overrideElement.getAttribute("allow- html")).intern();
>>> +                }
>>> +
>>>                // default value
>>> -                String defValue = attribute.getAttribute("default- value");
>>> +                String defValue =  overrideElement.getAttribute("default-value");
>>>                if (UtilValidate.isNotEmpty(defValue)) {
>>>                    param.setDefaultValue(defValue);
>>>                }
>>>
>>>                // override validators
>>> -                this.addValidators(attribute, param);
>>> +                this.addValidators(overrideElement, param);
>>>
>>>                if (directToParams) {
>>>                    service.addParam(param);
>>>
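Review bot: `"true ".equalsIgnoreCase(overrideElement.getAttribute("optional"))` has a space inside the string literal; if that space is in the source rather than an artefact of e-mail wrapping, `optional="true"` in an override now compares unequal and every overridden attribute silently becomes required, so it should read `"true".equalsIgnoreCase(...)` as on the removed line. On the new allow-html override: an `<override>` can raise a parameter from the "none" default to "safe" or "any", so a service definition in any component can widen what a base service accepts; that is presumably intended, but a load-time log line whenever an override relaxes allow-html would make such changes visible when auditing service definitions. The rename from `attribute` to `overrideElement` and the switch to `UtilValidate.isNotEmpty` are fine.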
>>
>>
> 



Re: svn commit: r742352 - in /ofbiz/trunk/framework: base/config/ base/lib/ base/src/org/ofbiz/base/util/ service/dtd/ service/src/org/ofbiz/service/

Posted by David E Jones <da...@hotwaxmedia.com>.
Jacques,

Could you be more specific? I apologize, I'd like to comment but I  
actually have no idea what you are talking about...

Is there an example somewhere of what is not working the way you would  
like it to?

The old issue items would be really helpful here:

1. what did you do (steps to reproduce)
2. what did you expect to happen
3. what actually happened

Thanks,
-David


On Feb 10, 2009, at 3:36 AM, Jacques Le Roux wrote:

> Hi David,
>
> I don't know if it's intentional or not: before, error messages  
> could contain HTML tags (<ul> <li> was used for instance for  
> "layout").
> So in https://issues.apache.org/jira/browse/OFBIZ-2171?focusedCommentId=12671952#action_12671952  
> I did not use the old behaviour with these HTML tags (which I think  
> have not been well migrated from DefaultMessages.properties).
> This is because we agreed not to use HTML tags in labels anymore, and  
> especially because it was not working anymore.
> I wonder now if we should not keep this mechanism specifically for  
> error messages, because in case there are several error messages  
> they would be better displayed using the old mechanism.
>
> What do you think?
>
> Jacques
>
> From: <jo...@apache.org>
>> Author: jonesde
>> Date: Mon Feb  9 09:34:34 2009
>> New Revision: 742352
>>
>> URL: http://svn.apache.org/viewvc?rev=742352&view=rev
>> Log:
>> Added new allow-html tag on the attribute, auto-attribute, and  
>> override elements; has 3 options: none, safe, and any; the comments  
>> in the XSD file describe what each of these do; the important thing  
>> to know is that none is the default meaning no html is allowed; if  
>> html is needed use safe and look at the antisamy-esapi.xml file to  
>> see policy details; in extreme trust cases use any where any html  
>> is allowed; note that many services need updating which should  
>> allow at least safe html, and it may take some time to discover all  
>> of those and get them handled; please send in issues and requests  
>> for service attributes that should allow safe html
>>
>> Added:
>>   ofbiz/trunk/framework/base/config/antisamy-esapi.xml   (with props)
>>   ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar   (with props)
>>   ofbiz/trunk/framework/base/lib/nekohtml.jar   (with props)
>> Modified:
>>   ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java
>>   ofbiz/trunk/framework/service/dtd/services.xsd
>>   ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> GenericDispatcher.java
>>   ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java
>>   ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelService.java
>>   ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelServiceReader.java
>>
>> Added: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/config/antisamy-esapi.xml?rev=742352&view=auto
>> ======================================================================
>> --- ofbiz/trunk/framework/base/config/antisamy-esapi.xml (added)
>> +++ ofbiz/trunk/framework/base/config/antisamy-esapi.xml Mon Feb  9  
>> 09:34:34 2009
>> @@ -0,0 +1,479 @@
>> +<?xml version="1.0" encoding="ISO-8859-1"?>
>> +<!-- +Based on the default ESAPI.properties file, which is BSD  
>> licensed.
>> +
>> +Licensed to the Apache Software Foundation (ASF) under one
>> +or more contributor license agreements.  See the NOTICE file
>> +distributed with this work for additional information
>> +regarding copyright ownership.  The ASF licenses this file
>> +to you under the Apache License, Version 2.0 (the
>> +"License"); you may not use this file except in compliance
>> +with the License.  You may obtain a copy of the License at
>> +
>> +http://www.apache.org/licenses/LICENSE-2.0
>> +
>> +Unless required by applicable law or agreed to in writing,
>> +software distributed under the License is distributed on an
>> +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>> +KIND, either express or implied.  See the License for the
>> +specific language governing permissions and limitations
>> +under the License.
>> +-->
>> +
>> +<!-- +W3C rules retrieved from:
>> +http://www.w3.org/TR/html401/struct/global.html
>> +-->
>> +
>> +<!--
>> +Slashdot allowed tags taken from "Reply" page:
>> +<b> <i> <p> <br> <a> <ol> <ul> <li> <dl> <dt> <dd> <em> <strong>  
>> <tt> <blockquote> <div> <ecode> <quote>
>> +-->
>> +
>> +<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance 
>> " xsi:noNamespaceSchemaLocation="antisamy.xsd">
>> +    <directives>
>> +        <directive name="omitXmlDeclaration" value="true"/>
>> +        <directive name="omitDoctypeDeclaration" value="true"/>
>> +        <directive name="maxInputSize" value="5000"/>
>> +        <directive name="embedStyleSheets" value="false"/>
>> +    </directives>
>> +    <common-regexps>
>> +        <!-- +        From W3C:
>> +        This attribute assigns a class name or set of class names  
>> to an
>> +        element. Any number of elements may be assigned the same  
>> class
>> +        name or names. Multiple class names must be separated by  
>> white
>> +        space characters.
>> +        -->
>> +
>> +        <regexp name="htmlTitle" value="[a-zA-Z0-9\s-_',:\[\]!\./\\ 
>> \(\)]*"/> <!-- force non-empty with a '+' at the end instead of '*'  
>> -->
>> +        <regexp name="onsiteURL" value="([\w\\/\.\?=&amp;;\#-~]+| 
>> \#(\w)+)"/>
>> +        <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:) 
>> [A-Za-z0-9]+[~a-zA-Z0-9-_\.@#$%&amp;;:,\?=/\+!]*(\s)*"/>
>> +    </common-regexps>
>> +
>> +    <!-- +
>> +    Tag.name = a, b, div, body, etc.
>> +    Tag.action = filter: remove tags, but keep content, validate:  
>> keep content as long as it passes rules, remove: remove tag and  
>> contents
>> +    Attribute.name = id, class, href, align, width, etc.
>> +    Attribute.onInvalid = what to do when the attribute is  
>> invalid, e.g., remove the tag (removeTag), remove the attribute  
>> (removeAttribute), filter the tag (filterTag)
>> +    Attribute.description = What rules in English you want to tell  
>> the users they can have for this attribute. Include helpful things  
>> so they'll be able to tune their HTML
>> +
>> +     -->
>> +
>> +    <!-- +    Some attributes are common to all (or most) HTML  
>> tags. There aren't many that qualify for this. You have to make  
>> sure there's no
>> +    collisions between any of these attribute names with attribute  
>> names of other tags that are for different purposes.
>> +    -->
>> +    <common-attributes>
>> +        <attribute name="lang" description="The 'lang' attribute  
>> tells the browser what language the element's attribute values and  
>> content are written in">
>> +             <regexp-list>
>> +                 <regexp value="[a-zA-Z]{2,20}"/>
>> +             </regexp-list>
>> +         </attribute>
>> +         <attribute name="title" description="The 'title'  
>> attribute provides text that shows up in a 'tooltip' when a user  
>> hovers their mouse over the element">
>> +             <regexp-list>
>> +                 <regexp name="htmlTitle"/>
>> +             </regexp-list>
>> +         </attribute>
>> +        <attribute name="href" onInvalid="filterTag">
>> +            <regexp-list>
>> +                <regexp name="onsiteURL"/>
>> +                <regexp name="offsiteURL"/>
>> +            </regexp-list>
>> +        </attribute>
>> +        <attribute name="align" description="The 'align' attribute  
>> of an HTML element is a direction word, like 'left', 'right' or  
>> 'center'">
>> +            <literal-list>
>> +                <literal value="center"/>
>> +                <literal value="left"/>
>> +                <literal value="right"/>
>> +                <literal value="justify"/>
>> +                <literal value="char"/>
>> +            </literal-list>
>> +        </attribute>
>> +    </common-attributes>
>> +
>> +    <!--
>> +    This requires normal updates as browsers continue to diverge  
>> from the W3C and each other. As long as the browser wars continue
>> +    this is going to continue. I'm not sure war is the right word  
>> for what's going on. Doesn't somebody have to win a war after
>> +    a while?
>> +     -->
>> +    <global-tag-attributes>
>> +        <attribute name="title"/>
>> +        <attribute name="lang"/>
>> +    </global-tag-attributes>
>> +    <tag-rules>
>> +        <!-- Tags related to JavaScript -->
>> +        <tag name="script" action="remove"/>
>> +        <tag name="noscript" action="remove"/>
>> +
>> +        <!-- Frame & related tags -->
>> +        <tag name="iframe" action="remove"/>
>> +        <tag name="frameset" action="remove"/>
>> +        <tag name="frame" action="remove"/>
>> +        <tag name="noframes" action="remove"/>
>> +
>> +        <!-- All reasonable formatting tags -->
>> +        <tag name="p" action="validate">
>> +            <attribute name="align"/>
>> +        </tag>
>> +
>> +        <tag name="div" action="validate"/>
>> +        <tag name="i" action="validate"/>
>> +        <tag name="b" action="validate"/>
>> +        <tag name="em" action="validate"/>
>> +        <tag name="blockquote" action="validate"/>
>> +        <tag name="tt" action="validate"/>
>> +
>> +        <tag name="br" action="truncate"/>
>> +
>> +        <!-- Custom Slashdot tags, though we're trimming the idea  
>> of having a possible mismatching end tag with the endtag=""  
>> attribute -->
>> +        <tag name="quote" action="validate"/>
>> +        <tag name="ecode" action="validate"/>
>> +
>> +        <!-- Anchor and anchor related tags -->
>> +        <tag name="a" action="validate">
>> +            <attribute name="href" onInvalid="filterTag"/>
>> +            <attribute name="nohref">
>> +                <literal-list>
>> +                    <literal value="nohref"/>
>> +                    <literal value=""/>
>> +                </literal-list>
>> +            </attribute>
>> +            <attribute name="rel">
>> +                <literal-list>
>> +                    <literal value="nofollow"/>
>> +                </literal-list>
>> +            </attribute>
>> +        </tag>
>> +
>> +        <!-- List tags -->
>> +        <tag name="ul" action="validate"/>
>> +        <tag name="ol" action="validate"/>
>> +        <tag name="li" action="validate"/>
>> +    </tag-rules>
>> +
>> +    <!--  No CSS on Slashdot posts -->
>> +    <css-rules>
>> +    </css-rules>
>> +
>> +    <html-entities>
>> +        <entity name="amp" cdata="&amp;"/>
>> +        <entity name="nbsp" cdata="&amp;#160;"/>
>> +
>> +        <entity name="iexcl" cdata="&amp;#161;"/> <!--inverted  
>> exclamation mark, U+00A1 ISOnum -->
>> +        <entity name="cent" cdata="&amp;#162;"/> <!--cent sign, U 
>> +00A2 ISOnum -->
>> +        <entity name="pound" cdata="&amp;#163;"/> <!--pound sign, U 
>> +00A3 ISOnum -->
>> +        <entity name="curren" cdata="&amp;#164;"/> <!--currency  
>> sign, U+00A4 ISOnum -->
>> +        <entity name="yen" cdata="&amp;#165;"/> <!--yen sign =  
>> yuan sign, U+00A5 ISOnum -->
>> +        <entity name="brvbar" cdata="&amp;#166;"/> <!--broken bar  
>> = broken vertical bar, U+00A6 ISOnum -->
>> +        <entity name="sect" cdata="&amp;#167;"/> <!--section sign,  
>> U+00A7 ISOnum -->
>> +        <entity name="uml" cdata="&amp;#168;"/> <!--diaeresis =  
>> spacing diaeresis, U+00A8 ISOdia -->
>> +        <entity name="copy" cdata="&amp;#169;"/> <!--copyright  
>> sign, U+00A9 ISOnum -->
>> +        <entity name="ordf" cdata="&amp;#170;"/> <!--feminine  
>> ordinal indicator, U+00AA ISOnum -->
>> +        <entity name="laquo" cdata="&amp;#171;"/> <!--left- 
>> pointing double angle quotation mark = left pointing guillemet, U 
>> +00AB ISOnum -->
>> +        <entity name="not" cdata="&amp;#172;"/> <!--not sign, U 
>> +00AC ISOnum -->
>> +        <entity name="shy" cdata="&amp;#173;"/> <!--soft hyphen =  
>> discretionary hyphen,U+00AD ISOnum -->
>> +        <entity name="reg" cdata="&amp;#174;"/> <!--registered  
>> sign = registered trade mark sign, U+00AE ISOnum -->
>> +        <entity name="macr" cdata="&amp;#175;"/> <!--macron =  
>> spacing macron = overline = APL overbar, U+00AF ISOdia -->
>> +        <entity name="deg" cdata="&amp;#176;"/> <!--degree sign, U 
>> +00B0 ISOnum -->
>> +        <entity name="plusmn" cdata="&amp;#177;"/> <!--plus-minus  
>> sign = plus-or-minus sign, U+00B1 ISOnum -->
>> +        <entity name="sup2" cdata="&amp;#178;"/> <!--superscript  
>> two = superscript digit two = squared, U+00B2 ISOnum -->
>> +        <entity name="sup3" cdata="&amp;#179;"/> <!--superscript  
>> three = superscript digit three= cubed, U+00B3 ISOnum -->
>> +        <entity name="acute" cdata="&amp;#180;"/> <!--acute accent  
>> = spacing acute, U+00B4 ISOdia -->
>> +        <entity name="micro" cdata="&amp;#181;"/> <!--micro sign, U 
>> +00B5 ISOnum -->
>> +        <entity name="para" cdata="&amp;#182;"/> <!--pilcrow sign  
>> = paragraph sign, U+00B6 ISOnum -->
>> +        <entity name="middot" cdata="&amp;#183;"/> <!--middle dot  
>> = Georgian comma = Greek middle dot, U+00B7 ISOnum -->
>> +        <entity name="cedil" cdata="&amp;#184;"/> <!--cedilla =  
>> spacing cedilla, U+00B8 ISOdia -->
>> +        <entity name="sup1" cdata="&amp;#185;"/> <!--superscript  
>> one = superscript digit one,U+00B9 ISOnum -->
>> +        <entity name="ordm" cdata="&amp;#186;"/> <!--masculine  
>> ordinal indicator, U+00BA ISOnum -->
>> +        <entity name="raquo" cdata="&amp;#187;"/> <!--right- 
>> pointing double angle quotation mark = right pointing guillemet, U 
>> +00BB ISOnum -->
>> +        <entity name="frac14" cdata="&amp;#188;"/> <!--vulgar  
>> fraction one quarter = fraction one quarter, U+00BC ISOnum -->
>> +        <entity name="frac12" cdata="&amp;#189;"/> <!--vulgar  
>> fraction one half = fraction one half, U+00BD ISOnum -->
>> +        <entity name="frac34" cdata="&amp;#190;"/> <!--vulgar  
>> fraction three quarters = fraction three quarters, U+00BE ISOnum -->
>> +        <entity name="iquest" cdata="&amp;#191;"/> <!--inverted  
>> question mark = turned question mark, U+00BF ISOnum -->
>> +        <entity name="Agrave" cdata="&amp;#192;"/> <!--latin  
>> capital letter A with grave = latin capital letter A grave,U+00C0  
>> ISOlat1 -->
>> +        <entity name="Aacute" cdata="&amp;#193;"/> <!--latin  
>> capital letter A with acute,U+00C1 ISOlat1 -->
>> +        <entity name="Acirc" cdata="&amp;#194;"/> <!--latin  
>> capital letter A with circumflex,U+00C2 ISOlat1 -->
>> +        <entity name="Atilde" cdata="&amp;#195;"/> <!--latin  
>> capital letter A with tilde,U+00C3 ISOlat1 -->
>> +        <entity name="Auml" cdata="&amp;#196;"/> <!--latin capital  
>> letter A with diaeresis,U+00C4 ISOlat1 -->
>> +        <entity name="Aring" cdata="&amp;#197;"/> <!--latin  
>> capital letter A with ring above = latin capital letter A ring, U 
>> +00C5 ISOlat1 -->
>> +        <entity name="AElig" cdata="&amp;#198;"/> <!--latin  
>> capital letter AE = latin capital ligature AE, U+00C6 ISOlat1 -->
>> +        <entity name="Ccedil" cdata="&amp;#199;"/> <!--latin  
>> capital letter C with cedilla, U+00C7 ISOlat1 -->
>> +        <entity name="Egrave" cdata="&amp;#200;"/> <!--latin  
>> capital letter E with grave, U+00C8 ISOlat1 -->
>> +        <entity name="Eacute" cdata="&amp;#201;"/> <!--latin  
>> capital letter E with acute,U+00C9 ISOlat1 -->
>> +        <entity name="Ecirc" cdata="&amp;#202;"/> <!--latin  
>> capital letter E with circumflex,U+00CA ISOlat1 -->
>> +        <entity name="Euml" cdata="&amp;#203;"/> <!--latin capital  
>> letter E with diaeresis, U+00CB ISOlat1 -->
>> +        <entity name="Igrave" cdata="&amp;#204;"/> <!--latin  
>> capital letter I with grave, U+00CC ISOlat1 -->
>> +        <entity name="Iacute" cdata="&amp;#205;"/> <!--latin  
>> capital letter I with acute, U+00CD ISOlat1 -->
>> +        <entity name="Icirc" cdata="&amp;#206;"/> <!--latin  
>> capital letter I with circumflex, U+00CE ISOlat1 -->
>> +        <entity name="Iuml" cdata="&amp;#207;"/> <!--latin capital  
>> letter I with diaeresis, U+00CF ISOlat1 -->
>> +        <entity name="ETH" cdata="&amp;#208;"/> <!--latin capital  
>> letter ETH, U+00D0 ISOlat1 -->
>> +        <entity name="Ntilde" cdata="&amp;#209;"/> <!--latin  
>> capital letter N with tilde, U+00D1 ISOlat1 -->
>> +        <entity name="Ograve" cdata="&amp;#210;"/> <!--latin  
>> capital letter O with grave, U+00D2 ISOlat1 -->
>> +        <entity name="Oacute" cdata="&amp;#211;"/> <!--latin  
>> capital letter O with acute, U+00D3 ISOlat1 -->
>> +        <entity name="Ocirc" cdata="&amp;#212;"/> <!--latin  
>> capital letter O with circumflex, U+00D4 ISOlat1 -->
>> +        <entity name="Otilde" cdata="&amp;#213;"/> <!--latin  
>> capital letter O with tilde, U+00D5 ISOlat1 -->
>> +        <entity name="Ouml" cdata="&amp;#214;"/> <!--latin capital  
>> letter O with diaeresis, U+00D6 ISOlat1 -->
>> +        <entity name="times" cdata="&amp;#215;"/> <!-- 
>> multiplication sign, U+00D7 ISOnum -->
>> +        <entity name="Oslash" cdata="&amp;#216;"/> <!--latin  
>> capital letter O with stroke = latin capital letter O slash, U+00D8  
>> ISOlat1 -->
>> +        <entity name="Ugrave" cdata="&amp;#217;"/> <!--latin  
>> capital letter U with grave, U+00D9 ISOlat1 -->
>> +        <entity name="Uacute" cdata="&amp;#218;"/> <!--latin  
>> capital letter U with acute, U+00DA ISOlat1 -->
>> +        <entity name="Ucirc" cdata="&amp;#219;"/> <!--latin  
>> capital letter U with circumflex, U+00DB ISOlat1 -->
>> +        <entity name="Uuml" cdata="&amp;#220;"/> <!--latin capital  
>> letter U with diaeresis, U+00DC ISOlat1 -->
>> +        <entity name="Yacute" cdata="&amp;#221;"/> <!--latin  
>> capital letter Y with acute, U+00DD ISOlat1 -->
>> +        <entity name="THORN" cdata="&amp;#222;"/> <!--latin  
>> capital letter THORN, U+00DE ISOlat1 -->
>> +        <entity name="szlig" cdata="&amp;#223;"/> <!--latin small  
>> letter sharp s = ess-zed, U+00DF ISOlat1 -->
>> +        <entity name="agrave" cdata="&amp;#224;"/> <!--latin small  
>> letter a with grave = latin small letter a grave, U+00E0 ISOlat1 -->
>> +        <entity name="aacute" cdata="&amp;#225;"/> <!--latin small  
>> letter a with acute, U+00E1 ISOlat1 -->
>> +        <entity name="acirc" cdata="&amp;#226;"/> <!--latin small  
>> letter a with circumflex, U+00E2 ISOlat1 -->
>> +        <entity name="atilde" cdata="&amp;#227;"/> <!--latin small  
>> letter a with tilde, U+00E3 ISOlat1 -->
>> +        <entity name="auml" cdata="&amp;#228;"/> <!--latin small  
>> letter a with diaeresis, U+00E4 ISOlat1 -->
>> +        <entity name="aring" cdata="&amp;#229;"/> <!--latin small  
>> letter a with ring above = latin small letter a ring, U+00E5  
>> ISOlat1 -->
>> +        <entity name="aelig" cdata="&amp;#230;"/> <!--latin small  
>> letter ae = latin small ligature ae, U+00E6 ISOlat1 -->
>> +        <entity name="ccedil" cdata="&amp;#231;"/> <!--latin small  
>> letter c with cedilla, U+00E7 ISOlat1 -->
>> +        <entity name="egrave" cdata="&amp;#232;"/> <!--latin small  
>> letter e with grave, U+00E8 ISOlat1 -->
>> +        <entity name="eacute" cdata="&amp;#233;"/> <!--latin small  
>> letter e with acute, U+00E9 ISOlat1 -->
>> +        <entity name="ecirc" cdata="&amp;#234;"/> <!--latin small  
>> letter e with circumflex, U+00EA ISOlat1 -->
>> +        <entity name="euml" cdata="&amp;#235;"/> <!--latin small  
>> letter e with diaeresis, U+00EB ISOlat1 -->
>> +        <entity name="igrave" cdata="&amp;#236;"/> <!--latin small  
>> letter i with grave, U+00EC ISOlat1 -->
>> +        <entity name="iacute" cdata="&amp;#237;"/> <!--latin small  
>> letter i with acute, U+00ED ISOlat1 -->
>> +        <entity name="icirc" cdata="&amp;#238;"/> <!--latin small  
>> letter i with circumflex, U+00EE ISOlat1 -->
>> +        <entity name="iuml" cdata="&amp;#239;"/> <!--latin small  
>> letter i with diaeresis, U+00EF ISOlat1 -->
>> +        <entity name="eth" cdata="&amp;#240;"/> <!--latin small  
>> letter eth, U+00F0 ISOlat1 -->
>> +        <entity name="ntilde" cdata="&amp;#241;"/> <!--latin small  
>> letter n with tilde, U+00F1 ISOlat1 -->
>> +        <entity name="ograve" cdata="&amp;#242;"/> <!--latin small  
>> letter o with grave, U+00F2 ISOlat1 -->
>> +        <entity name="oacute" cdata="&amp;#243;"/> <!--latin small  
>> letter o with acute, U+00F3 ISOlat1 -->
>> +        <entity name="ocirc " cdata="&amp;#244;"/> <!--latin small  
>> letter o with circumflex, U+00F4 ISOlat1 -->
>> +        <entity name="otilde" cdata="&amp;#245;"/> <!--latin small  
>> letter o with tilde, U+00F5 ISOlat1 -->
>> +        <entity name="ouml" cdata="&amp;#246;"/> <!--latin small  
>> letter o with diaeresis, U+00F6 ISOlat1 -->
>> +        <entity name="divide" cdata="&amp;#247;"/> <!--division  
>> sign, U+00F7 ISOnum -->
>> +        <entity name="oslash" cdata="&amp;#248;"/> <!--latin small  
>> letter o with stroke, = latin small letter o slash, U+00F8 ISOlat1  
>> -->
>> +        <entity name="ugrave" cdata="&amp;#249;"/> <!--latin small  
>> letter u with grave, U+00F9 ISOlat1 -->
>> +        <entity name="uacute" cdata="&amp;#250;"/> <!--latin small  
>> letter u with acute, U+00FA ISOlat1 -->
>> +        <entity name="ucirc" cdata="&amp;#251;"/> <!--latin small  
>> letter u with circumflex, U+00FB ISOlat1 -->
>> +        <entity name="uuml" cdata="&amp;#252;"/> <!--latin small  
>> letter u with diaeresis, U+00FC ISOlat1 -->
>> +        <entity name="yacute" cdata="&amp;#253;"/> <!--latin small  
>> letter y with acute, U+00FD ISOlat1 -->
>> +        <entity name="thorn" cdata="&amp;#254;"/> <!--latin small  
>> letter thorn, U+00FE ISOlat1 -->
>> +        <entity name="yuml" cdata="&amp;#255;"/> <!--latin small  
>> letter y with diaeresis, U+00FF ISOlat1 -->
>> +
>> +        <entity name="fnof" cdata="&amp;#402;"/> <!--latin small f  
>> with hook = function = florin, U+0192 ISOtech -->
>> +
>> +        <!-- Greek -->
>> +        <entity name="Alpha" cdata="&amp;#913;"/> <!--greek  
>> capital letter alpha, U+0391 -->
>> +        <entity name="Beta" cdata="&amp;#914;"/> <!--greek capital  
>> letter beta, U+0392 -->
>> +        <entity name="Gamma" cdata="&amp;#915;"/> <!--greek  
>> capital letter gamma, U+0393 ISOgrk3 -->
>> +        <entity name="Delta" cdata="&amp;#916;"/> <!--greek  
>> capital letter delta, U+0394 ISOgrk3 -->
>> +        <entity name="Epsilon" cdata="&amp;#917;"/> <!--greek  
>> capital letter epsilon, U+0395 -->
>> +        <entity name="Zeta" cdata="&amp;#918;"/> <!--greek capital  
>> letter zeta, U+0396 -->
>> +        <entity name="Eta" cdata="&amp;#919;"/> <!--greek capital  
>> letter eta, U+0397 -->
>> +        <entity name="Theta" cdata="&amp;#920;"/> <!--greek  
>> capital letter theta, U+0398 ISOgrk3 -->
>> +        <entity name="Iota" cdata="&amp;#921;"/> <!--greek capital  
>> letter iota, U+0399 -->
>> +        <entity name="Kappa" cdata="&amp;#922;"/> <!--greek  
>> capital letter kappa, U+039A -->
>> +        <entity name="Lambda" cdata="&amp;#923;"/> <!--greek  
>> capital letter lambda, U+039B ISOgrk3 -->
>> +        <entity name="Mu" cdata="&amp;#924;"/> <!--greek capital  
>> letter mu, U+039C -->
>> +        <entity name="Nu" cdata="&amp;#925;"/> <!--greek capital  
>> letter nu, U+039D -->
>> +        <entity name="Xi" cdata="&amp;#926;"/> <!--greek capital  
>> letter xi, U+039E ISOgrk3 -->
>> +        <entity name="Omicron" cdata="&amp;#927;"/> <!--greek  
>> capital letter omicron, U+039F -->
>> +        <entity name="Pi" cdata="&amp;#928;"/> <!--greek capital  
>> letter pi, U+03A0 ISOgrk3 -->
>> +        <entity name="Rho" cdata="&amp;#929;"/> <!--greek capital  
>> letter rho, U+03A1 -->
>> +        <!-- there is no Sigmaf, and no U+03A2 character either -->
>> +        <entity name="Sigma" cdata="&amp;#931;"/> <!--greek  
>> capital letter sigma, U+03A3 ISOgrk3 -->
>> +        <entity name="Tau" cdata="&amp;#932;"/> <!--greek capital  
>> letter tau, U+03A4 -->
>> +        <entity name="Upsilon" cdata="&amp;#933;"/> <!--greek  
>> capital letter upsilon,U+03A5 ISOgrk3 -->
>> +        <entity name="Phi" cdata="&amp;#934;"/> <!--greek capital  
>> letter phi,U+03A6 ISOgrk3 -->
>> +        <entity name="Chi" cdata="&amp;#935;"/> <!--greek capital  
>> letter chi, U+03A7 -->
>> +        <entity name="Psi" cdata="&amp;#936;"/> <!--greek capital  
>> letter psi,U+03A8 ISOgrk3 -->
>> +        <entity name="Omega" cdata="&amp;#937;"/> <!--greek  
>> capital letter omega,U+03A9 ISOgrk3 -->
>> +
>> +        <entity name="alpha" cdata="&amp;#945;"/> <!--greek small  
>> letter alpha,U+03B1 ISOgrk3 -->
>> +        <entity name="beta" cdata="&amp;#946;"/> <!--greek small  
>> letter beta, U+03B2 ISOgrk3 -->
>> +        <entity name="gamma" cdata="&amp;#947;"/> <!--greek small  
>> letter gamma,U+03B3 ISOgrk3 -->
>> +        <entity name="delta" cdata="&amp;#948;"/> <!--greek small  
>> letter delta,U+03B4 ISOgrk3 -->
>> +        <entity name="epsilon" cdata="&amp;#949;"/> <!--greek  
>> small letter epsilon,U+03B5 ISOgrk3 -->
>> +        <entity name="zeta" cdata="&amp;#950;"/> <!--greek small  
>> letter zeta, U+03B6 ISOgrk3 -->
>> +        <entity name="eta" cdata="&amp;#951;"/> <!--greek small  
>> letter eta, U+03B7 ISOgrk3 -->
>> +        <entity name="theta" cdata="&amp;#952;"/> <!--greek small  
>> letter theta, U+03B8 ISOgrk3 -->
>> +        <entity name="iota" cdata="&amp;#953;"/> <!--greek small  
>> letter iota, U+03B9 ISOgrk3 -->
>> +        <entity name="kappa" cdata="&amp;#954;"/> <!--greek small  
>> letter kappa,U+03BA ISOgrk3 -->
>> +        <entity name="lambda" cdata="&amp;#955;"/> <!--greek small  
>> letter lambda, U+03BB ISOgrk3 -->
>> +        <entity name="mu" cdata="&amp;#956;"/> <!--greek small  
>> letter mu, U+03BC ISOgrk3 -->
>> +        <entity name="nu" cdata="&amp;#957;"/> <!--greek small  
>> letter nu, U+03BD ISOgrk3 -->
>> +        <entity name="xi" cdata="&amp;#958;"/> <!--greek small  
>> letter xi, U+03BE ISOgrk3 -->
>> +        <entity name="omicron" cdata="&amp;#959;"/> <!--greek  
>> small letter omicron, U+03BF NEW -->
>> +        <entity name="pi" cdata="&amp;#960;"/> <!--greek small  
>> letter pi, U+03C0 ISOgrk3 -->
>> +        <entity name="rho" cdata="&amp;#961;"/> <!--greek small  
>> letter rho, U+03C1 ISOgrk3 -->
>> +        <entity name="sigmaf" cdata="&amp;#962;"/> <!--greek small  
>> letter final sigma, U+03C2 ISOgrk3 -->
>> +        <entity name="sigma" cdata="&amp;#963;"/> <!--greek small  
>> letter sigma, U+03C3 ISOgrk3 -->
>> +        <entity name="tau" cdata="&amp;#964;"/> <!--greek small  
>> letter tau, U+03C4 ISOgrk3 -->
>> +        <entity name="upsilon" cdata="&amp;#965;"/> <!--greek  
>> small letter upsilon, U+03C5 ISOgrk3 -->
>> +        <entity name="phi" cdata="&amp;#966;"/> <!--greek small  
>> letter phi, U+03C6 ISOgrk3 -->
>> +        <entity name="chi" cdata="&amp;#967;"/> <!--greek small  
>> letter chi, U+03C7 ISOgrk3 -->
>> +        <entity name="psi" cdata="&amp;#968;"/> <!--greek small  
>> letter psi, U+03C8 ISOgrk3 -->
>> +        <entity name="omega" cdata="&amp;#969;"/> <!--greek small  
>> letter omega, U+03C9 ISOgrk3 -->
>> +        <entity name="thetasym" cdata="&amp;#977;"/> <!--greek  
>> small letter theta symbol, U+03D1 NEW -->
>> +        <entity name="upsih" cdata="&amp;#978;"/> <!--greek  
>> upsilon with hook symbol, U+03D2 NEW -->
>> +        <entity name="piv" cdata="&amp;#982;"/> <!--greek pi  
>> symbol, U+03D6 ISOgrk3 -->
>> +
>> +        <!-- General Punctuation -->
>> +        <entity name="bull" cdata="&amp;#8226;"/> <!--bullet =  
>> black small circle, U+2022 ISOpub  -->
>> +        <!-- bullet is NOT the same as bullet operator, U+2219 -->
>> +        <entity name="hellip" cdata="&amp;#8230;"/> <!--horizontal  
>> ellipsis = three dot leader, U+2026 ISOpub  -->
>> +        <entity name="prime" cdata="&amp;#8242;"/> <!--prime =  
>> minutes = feet, U+2032 ISOtech -->
>> +        <entity name="Prime" cdata="&amp;#8243;"/> <!--double  
>> prime = seconds = inches, U+2033 ISOtech -->
>> +        <entity name="oline" cdata="&amp;#8254;"/> <!--overline =  
>> spacing overscore, U+203E NEW -->
>> +        <entity name="frasl" cdata="&amp;#8260;"/> <!--fraction  
>> slash, U+2044 NEW -->
>> +
>> +        <!-- Letterlike Symbols -->
>> +        <entity name="weierp" cdata="&amp;#8472;"/> <!--script  
>> capital P = power set = Weierstrass p, U+2118 ISOamso -->
>> +        <entity name="image" cdata="&amp;#8465;"/> <!--blackletter  
>> capital I = imaginary part, U+2111 ISOamso -->
>> +        <entity name="real" cdata="&amp;#8476;"/> <!--blackletter  
>> capital R = real part symbol, U+211C ISOamso -->
>> +        <entity name="trade" cdata="&amp;#8482;"/> <!--trade mark  
>> sign, U+2122 ISOnum -->
>> +        <entity name="alefsym" cdata="&amp;#8501;"/> <!--alef  
>> symbol = first transfinite cardinal, U+2135 NEW -->
>> +        <!-- alef symbol is NOT the same as hebrew letter alef,
>> +             U+05D0 although the same glyph could be used to  
>> depict both characters -->
>> +
>> +        <!-- Arrows -->
>> +        <entity name="larr" cdata="&amp;#8592;"/> <!--leftwards  
>> arrow, U+2190 ISOnum -->
>> +        <entity name="uarr" cdata="&amp;#8593;"/> <!--upwards  
>> arrow, U+2191 ISOnum-->
>> +        <entity name="rarr" cdata="&amp;#8594;"/> <!--rightwards  
>> arrow, U+2192 ISOnum -->
>> +        <entity name="darr" cdata="&amp;#8595;"/> <!--downwards  
>> arrow, U+2193 ISOnum -->
>> +        <entity name="harr" cdata="&amp;#8596;"/> <!--left right  
>> arrow, U+2194 ISOamsa -->
>> +        <entity name="crarr" cdata="&amp;#8629;"/> <!--downwards  
>> arrow with corner leftwards
>> +                                             = carriage return, U 
>> +21B5 NEW -->
>> +        <entity name="lArr" cdata="&amp;#8656;"/> <!--leftwards  
>> double arrow, U+21D0 ISOtech -->
>> +
>> +        <!-- ISO 10646 does not say that lArr is the same as the  
>> 'is implied by' arrow
>> +            but also does not have any other character for that  
>> function. So ? lArr can
>> +            be used for 'is implied by' as ISOtech suggests -->
>> +
>> +        <entity name="uArr" cdata="&amp;#8657;"/> <!--upwards  
>> double arrow, U+21D1 ISOamsa -->
>> +        <entity name="rArr" cdata="&amp;#8658;"/> <!--rightwards  
>> double arrow, U+21D2 ISOtech -->
>> +
>> +        <!-- ISO 10646 does not say this is the 'implies'  
>> character but does not have
>> +             another character with this function so ?
>> +             rArr can be used for 'implies' as ISOtech suggests -->
>> +
>> +        <entity name="dArr" cdata="&amp;#8659;"/> <!--downwards  
>> double arrow, U+21D3 ISOamsa -->
>> +        <entity name="hArr" cdata="&amp;#8660;"/> <!--left right  
>> double arrow, U+21D4 ISOamsa -->
>> +
>> +        <!-- Mathematical Operators -->
>> +        <entity name="forall" cdata="&amp;#8704;"/> <!--for all, U 
>> +2200 ISOtech -->
>> +        <entity name="part" cdata="&amp;#8706;"/> <!--partial  
>> differential, U+2202 ISOtech  -->
>> +        <entity name="exist" cdata="&amp;#8707;"/> <!--there  
>> exists, U+2203 ISOtech -->
>> +        <entity name="empty" cdata="&amp;#8709;"/> <!--empty set =  
>> null set = diameter,U+2205 ISOamso -->
>> +        <entity name="nabla" cdata="&amp;#8711;"/> <!--nabla =  
>> backward difference, U+2207 ISOtech -->
>> +        <entity name="isin" cdata="&amp;#8712;"/> <!--element of, U 
>> +2208 ISOtech -->
>> +        <entity name="notin" cdata="&amp;#8713;"/> <!--not an  
>> element of, U+2209 ISOtech -->
>> +        <entity name="ni" cdata="&amp;#8715;"/> <!--contains as  
>> member, U+220B ISOtech -->
>> +
>> +        <!-- should there be a more memorable name than 'ni'? -->
>> +        <entity name="prod" cdata="&amp;#8719;"/> <!--n-ary  
>> product = product sign, U+220F ISOamsb -->
>> +
>> +        <!-- prod is NOT the same character as U+03A0 'greek  
>> capital letter pi' though
>> +             the same glyph might be used for both -->
>> +
>> +        <entity name="sum" cdata="&amp;#8721;"/> <!--n-ary  
>> sumation, U+2211 ISOamsb -->
>> +
>> +        <!-- sum is NOT the same character as U+03A3 'greek  
>> capital letter sigma'
>> +             though the same glyph might be used for both -->
>> +
>> +        <entity name="minus" cdata="&amp;#8722;"/> <!--minus sign,  
>> U+2212 ISOtech -->
>> +        <entity name="lowast" cdata="&amp;#8727;"/> <!--asterisk  
>> operator, U+2217 ISOtech -->
>> +        <entity name="radic" cdata="&amp;#8730;"/> <!--square root  
>> = radical sign, U+221A ISOtech -->
>> +        <entity name="prop" cdata="&amp;#8733;"/> <!--proportional  
>> to, U+221D ISOtech -->
>> +        <entity name="infin" cdata="&amp;#8734;"/> <!--infinity, U 
>> +221E ISOtech -->
>> +        <entity name="ang" cdata="&amp;#8736;"/> <!--angle, U+2220  
>> ISOamso -->
>> +        <entity name="and" cdata="&amp;#8743;"/> <!--logical and =  
>> wedge, U+2227 ISOtech -->
>> +        <entity name="or" cdata="&amp;#8744;"/> <!--logical or =  
>> vee, U+2228 ISOtech -->
>> +        <entity name="cap" cdata="&amp;#8745;"/> <!--intersection  
>> = cap, U+2229 ISOtech -->
>> +        <entity name="cup" cdata="&amp;#8746;"/> <!--union = cup, U 
>> +222A ISOtech -->
>> +        <entity name="int" cdata="&amp;#8747;"/> <!--integral, U 
>> +222B ISOtech -->
>> +        <entity name="there4" cdata="&amp;#8756;"/> <!--therefore,  
>> U+2234 ISOtech -->
>> +        <entity name="sim" cdata="&amp;#8764;"/> <!--tilde  
>> operator = varies with = similar to, U+223C ISOtech -->
>> +
>> +        <!-- tilde operator is NOT the same character as the  
>> tilde, U+007E,
>> +             although the same glyph might be used to represent  
>> both  -->
>> +
>> +        <entity name="cong" cdata="&amp;#8773;"/> <!-- 
>> approximately equal to, U+2245 ISOtech -->
>> +        <entity name="asymp" cdata="&amp;#8776;"/> <!--almost  
>> equal to = asymptotic to, U+2248 ISOamsr -->
>> +        <entity name="ne" cdata="&amp;#8800;"/> <!--not equal to, U 
>> +2260 ISOtech -->
>> +        <entity name="equiv" cdata="&amp;#8801;"/> <!--identical  
>> to, U+2261 ISOtech -->
>> +        <entity name="le" cdata="&amp;#8804;"/> <!--less-than or  
>> equal to, U+2264 ISOtech -->
>> +        <entity name="ge" cdata="&amp;#8805;"/> <!--greater-than  
>> or equal to, U+2265 ISOtech -->
>> +        <entity name="sub" cdata="&amp;#8834;"/> <!--subset of, U 
>> +2282 ISOtech -->
>> +        <entity name="sup" cdata="&amp;#8835;"/> <!--superset of, U 
>> +2283 ISOtech -->
>> +
>> +        <!-- note that nsup, 'not a superset of, U+2283' is not  
>> covered by the Symbol
>> +             font encoding and is not included. Should it be, for  
>> symmetry?
>> +             It is in ISOamsn  -->
>> +
>> +        <entity name="nsub" cdata="&amp;#8836;"/> <!--not a subset  
>> of, U+2284 ISOamsn -->
>> +        <entity name="sube" cdata="&amp;#8838;"/> <!--subset of or  
>> equal to, U+2286 ISOtech -->
>> +        <entity name="supe" cdata="&amp;#8839;"/> <!--superset of  
>> or equal to, U+2287 ISOtech -->
>> +        <entity name="oplus" cdata="&amp;#8853;"/> <!--circled  
>> plus = direct sum, U+2295 ISOamsb -->
>> +        <entity name="otimes" cdata="&amp;#8855;"/> <!--circled  
>> times = vector product, U+2297 ISOamsb -->
>> +        <entity name="perp" cdata="&amp;#8869;"/> <!--up tack =  
>> orthogonal to = perpendicular, U+22A5 ISOtech -->
>> +        <entity name="sdot" cdata="&amp;#8901;"/> <!--dot  
>> operator, U+22C5 ISOamsb -->
>> +        <!-- dot operator is NOT the same character as U+00B7  
>> middle dot -->
>> +
>> +        <!-- Miscellaneous Technical -->
>> +        <entity name="lceil" cdata="&amp;#8968;"/> <!--left  
>> ceiling = apl upstile, U+2308 ISOamsc  -->
>> +        <entity name="rceil" cdata="&amp;#8969;"/> <!--right  
>> ceiling, U+2309 ISOamsc  -->
>> +        <entity name="lfloor" cdata="&amp;#8970;"/> <!--left floor  
>> = apl downstile, U+230A ISOamsc  -->
>> +        <entity name="rfloor" cdata="&amp;#8971;"/> <!--right  
>> floor, U+230B ISOamsc  -->
>> +        <entity name="lang" cdata="&amp;#9001;"/> <!--left- 
>> pointing angle bracket = bra, U+2329 ISOtech -->
>> +        <!-- lang is NOT the same character as U+003C 'less than'
>> +             or U+2039 'single left-pointing angle quotation mark'  
>> -->
>> +        <entity name="rang" cdata="&amp;#9002;"/> <!--right- 
>> pointing angle bracket = ket, U+232A ISOtech -->
>> +        <!-- rang is NOT the same character as U+003E 'greater  
>> than' or U+203A 'single right-pointing angle quotation mark' -->
>> +
>> +        <!-- Geometric Shapes -->
>> +        <entity name="loz" cdata="&amp;#9674;"/> <!--lozenge, U 
>> +25CA ISOpub -->
>> +
>> +        <!-- Miscellaneous Symbols -->
>> +        <entity name="spades" cdata="&amp;#9824;"/> <!--black  
>> spade suit, U+2660 ISOpub -->
>> +        <!-- black here seems to mean filled as opposed to hollow  
>> -->
>> +        <entity name="clubs" cdata="&amp;#9827;"/> <!--black club  
>> suit = shamrock, U+2663 ISOpub -->
>> +        <entity name="hearts" cdata="&amp;#9829;"/> <!--black  
>> heart suit = valentine, U+2665 ISOpub -->
>> +        <entity name="diams" cdata="&amp;#9830;"/> <!--black  
>> diamond suit, U+2666 ISOpub -->
>> +
>> +        <entity name="quot" cdata="&amp;#34;"  /> <!--quotation  
>> mark = APL quote, U+0022 ISOnum -->
>> +        <!-- Latin Extended-A -->
>> +        <entity name="OElig" cdata="&amp;#338;" /> <!--latin  
>> capital ligature OE, U+0152 ISOlat2 -->
>> +        <entity name="oelig" cdata="&amp;#339;" /> <!--latin small  
>> ligature oe, U+0153 ISOlat2 -->
>> +        <!-- ligature is a misnomer, this is a separate character  
>> in some languages -->
>> +        <entity name="Scaron" cdata="&amp;#352;" /> <!--latin  
>> capital letter S with caron, U+0160 ISOlat2 -->
>> +        <entity name="scaron" cdata="&amp;#353;" /> <!--latin  
>> small letter s with caron, U+0161 ISOlat2 -->
>> +        <entity name="Yuml" cdata="&amp;#376;" /> <!--latin  
>> capital letter Y with diaeresis, U+0178 ISOlat2 -->
>> +
>> +        <!-- Spacing Modifier Letters -->
>> +        <entity name="circ" cdata="&amp;#710;" /> <!--modifier  
>> letter circumflex accent, U+02C6 ISOpub -->
>> +        <entity name="tilde" cdata="&amp;#732;" /> <!--small  
>> tilde, U+02DC ISOdia -->
>> +
>> +        <!-- General Punctuation -->
>> +        <entity name="ensp" cdata="&amp;#8194;"/> <!--en space, U 
>> +2002 ISOpub -->
>> +        <entity name="emsp" cdata="&amp;#8195;"/> <!--em space, U 
>> +2003 ISOpub -->
>> +        <entity name="thinsp" cdata="&amp;#8201;"/> <!--thin  
>> space, U+2009 ISOpub -->
>> +        <entity name="zwnj" cdata="&amp;#8204;"/> <!--zero width  
>> non-joiner, U+200C NEW RFC 2070 -->
>> +        <entity name="zwj" cdata="&amp;#8205;"/> <!--zero width  
>> joiner, U+200D NEW RFC 2070 -->
>> +        <entity name="lrm" cdata="&amp;#8206;"/> <!--left-to-right  
>> mark, U+200E NEW RFC 2070 -->
>> +        <entity name="rlm" cdata="&amp;#8207;"/> <!--right-to-left  
>> mark, U+200F NEW RFC 2070 -->
>> +        <entity name="ndash" cdata="&amp;#8211;"/> <!--en dash, U 
>> +2013 ISOpub -->
>> +        <entity name="mdash" cdata="&amp;#8212;"/> <!--em dash, U 
>> +2014 ISOpub -->
>> +        <entity name="lsquo" cdata="&amp;#8216;"/> <!--left single  
>> quotation mark, U+2018 ISOnum -->
>> +        <entity name="rsquo" cdata="&amp;#8217;"/> <!--right  
>> single quotation mark, U+2019 ISOnum -->
>> +        <entity name="sbquo" cdata="&amp;#8218;"/> <!--single  
>> low-9 quotation mark, U+201A NEW -->
>> +        <entity name="ldquo" cdata="&amp;#8220;"/> <!--left double  
>> quotation mark, U+201C ISOnum -->
>> +        <entity name="rdquo" cdata="&amp;#8221;"/> <!--right  
>> double quotation mark, U+201D ISOnum -->
>> +        <entity name="bdquo" cdata="&amp;#8222;"/> <!--double  
>> low-9 quotation mark, U+201E NEW -->
>> +        <entity name="dagger" cdata="&amp;#8224;"/> <!--dagger, U 
>> +2020 ISOpub -->
>> +        <entity name="Dagger" cdata="&amp;#8225;"/> <!--double  
>> dagger, U+2021 ISOpub -->
>> +        <entity name="permil" cdata="&amp;#8240;"/> <!--per mille  
>> sign, U+2030 ISOtech -->
>> +        <entity name="lsaquo" cdata="&amp;#8249;"/> <!--single  
>> left-pointing angle quotation mark, U+2039 ISO proposed -->
>> +        <!-- lsaquo is proposed but not yet ISO standardized -->
>> +        <entity name="rsaquo" cdata="&amp;#8250;"/> <!--single  
>> right-pointing angle quotation mark, U+203A ISO proposed -->
>> +        <!-- rsaquo is proposed but not yet ISO standardized -->
>> +        <entity name="euro" cdata="&amp;#8364;" /> <!--euro sign, U 
>> +20AC NEW -->
>> +    </html-entities>
>> +</anti-samy-rules>
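Review bot: the html-entities list has two `<!-- General Punctuation -->` groups (the second begins at `ensp`, after the Latin Extended-A and Spacing Modifier Letters groups), and `quot` sits under the Miscellaneous Symbols group instead of with the other ISOnum entries; merging the two punctuation groups and moving `quot` would make the list easier to audit against the HTML 4 entity tables these comments come from. "sumation" in the comment on `sum` should be "summation". Separately, the Propchange block below sets `svn:executable = *` on this XML policy file (and on antisamy-bin.1.2.jar); an executable bit on a configuration file is almost certainly unintended and should be dropped.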
>>
>> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>> ------------------------------------------------------------------------------
>>   svn:eol-style = native
>>
>> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>> ------------------------------------------------------------------------------
>>   svn:executable = *
>>
>> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>> ------------------------------------------------------------------------------
>>   svn:keywords = "Date Rev Author URL Id"
>>
>> Propchange: ofbiz/trunk/framework/base/config/antisamy-esapi.xml
>> ------------------------------------------------------------------------------
>>   svn:mime-type = text/xml
>>
>> Added: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar?rev=742352&view=auto
>> ==============================================================================
>> Binary file - no diff available.
>>
>> Propchange: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
>> ------------------------------------------------------------------------------
>>   svn:executable = *
>>
>> Propchange: ofbiz/trunk/framework/base/lib/antisamy-bin.1.2.jar
>> ------------------------------------------------------------------------------
>>   svn:mime-type = application/octet-stream
>>
>> Added: ofbiz/trunk/framework/base/lib/nekohtml.jar
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/lib/nekohtml.jar?rev=742352&view=auto
>> ==============================================================================
>> Binary file - no diff available.
>>
>> Propchange: ofbiz/trunk/framework/base/lib/nekohtml.jar
>> ------------------------------------------------------------------------------
>>   svn:mime-type = application/octet-stream
>>
>> Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/util/ 
>> StringUtil.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/util/StringUtil.java?rev=742352&r1=742351&r2=742352&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/base/src/org/ofbiz/base/util/ 
>> StringUtil.java (original)
>> +++ ofbiz/trunk/framework/base/src/org/ofbiz/base/util/ 
>> StringUtil.java Mon Feb  9 09:34:34 2009
>> @@ -18,10 +18,6 @@
>> *******************************************************************************/
>> package org.ofbiz.base.util;
>>
>> -import javolution.util.FastList;
>> -import javolution.util.FastMap;
>> -import javolution.util.FastSet;
>> -
>> import java.io.UnsupportedEncodingException;
>> import java.net.URLDecoder;
>> import java.net.URLEncoder;
>> @@ -34,15 +30,23 @@
>> import java.util.regex.Matcher;
>> import java.util.regex.Pattern;
>>
>> +import javolution.util.FastList;
>> +import javolution.util.FastMap;
>> +import javolution.util.FastSet;
>> +
>> import org.apache.commons.codec.DecoderException;
>> import org.apache.commons.codec.binary.Hex;
>> import org.owasp.esapi.Encoder;
>> +import org.owasp.esapi.ValidationErrorList;
>> +import org.owasp.esapi.Validator;
>> import org.owasp.esapi.codecs.CSSCodec;
>> import org.owasp.esapi.codecs.Codec;
>> import org.owasp.esapi.codecs.HTMLEntityCodec;
>> import org.owasp.esapi.codecs.JavaScriptCodec;
>> import org.owasp.esapi.codecs.PercentCodec;
>> +import org.owasp.esapi.errors.EncodingException;
>> import org.owasp.esapi.reference.DefaultEncoder;
>> +import org.owasp.esapi.reference.DefaultValidator;
>>
>> /**
>> * Misc String Utility Functions
>> @@ -55,12 +59,12 @@
>>    /** OWASP ESAPI canonicalize strict flag; setting false so we  
>> only get warnings about double encoding, etc; can be set to true  
>> for exceptions and more security */
>>    public static final boolean esapiCanonicalizeStrict = false;
>>    public static final Encoder defaultWebEncoder;
>> -    //public static final Validator defaultWebValidator;
>> +    public static final Validator defaultWebValidator;
>>    static {
>>        // possible codecs: CSSCodec, HTMLEntityCodec,  
>> JavaScriptCodec, MySQLCodec, OracleCodec, PercentCodec, UnixCodec,  
>> VBScriptCodec, WindowsCodec
>>        List<Codec> codecList = Arrays.asList(new CSSCodec(), new  
>> HTMLEntityCodec(), new JavaScriptCodec(), new PercentCodec());
>>        defaultWebEncoder = new DefaultEncoder(codecList);
>> -        //defaultWebValidator = new DefaultValidator();
>> +        defaultWebValidator = new DefaultValidator();
>>    }
>>
>>    public static final SimpleEncoder htmlEncoder = new HtmlEncoder();
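Review bot: `defaultWebValidator = new DefaultValidator()` now runs in the static initializer of StringUtil, so any exception thrown while the ESAPI validator initializes (it has to locate its configuration and the antisamy-esapi.xml policy added in this commit) surfaces as an ExceptionInInitializerError that makes StringUtil itself unloadable for every caller, not only for the code that validates HTML. Consider constructing the validator lazily in `checkStringForHtmlSafeOnly` (or behind a holder class) and logging a clear error naming the missing configuration. Also, the comment on `esapiCanonicalizeStrict` presents the flag as the switch for strict canonicalization, but the new `checkStringForHtmlStrictNone` further down passes `true` directly; either use the flag there or update the comment.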
>> @@ -82,6 +86,8 @@
>>        }
>>    }
>>
>> +    // ================== Begin General Functions ==================
>> +
>>    public static String internString(String value) {
>>        return value != null ? value.intern() : null;
>>    }
>> @@ -459,6 +465,72 @@
>>    }
>>
>>    /**
>> +     * Uses a black-list approach for necessary characters for HTML.
>> +     * Does not allow various characters (after canonicalization),  
>> including "<", ">", "&" (if not followed by a space), and "%" (if  
>> not followed by a space).
>> +     *
>> +     * @param value
>> +     * @param errorMessageList
>> +     */
>> +    public static String checkStringForHtmlStrictNone(String  
>> valueName, String value, List<String> errorMessageList) {
>> +        if (UtilValidate.isEmpty(value)) return value;
>> +
>> +        // canonicalize, strict (error on double-encoding)
>> +        try {
>> +            value = defaultWebEncoder.canonicalize(value, true);
>> +        } catch (EncodingException e) {
>> +            // NOTE: using different log and user targeted error  
>> messages to allow the end-user message to be less technical
>> +            Debug.logError("Canonicalization (format consistency,  
>> character escaping that is mixed or double, etc) error for  
>> attribute named [" + valueName + "], String [" + value + "]: " +  
>> e.toString(), module);
>> +            errorMessageList.add("In field [" + valueName + "]  
>> found character espacing (mixed or double) that is not allowed or  
>> other format consistency error: " + e.toString());
>> +        }
>> +
>> +        // check for "<", ">"
>> +        if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {
>> +            errorMessageList.add("In field [" + valueName + "]  
>> greater-than (>) and less-than (<) symbols are not allowed.");
>> +        }
>> +
>> +        // check for & not followed by a space (can be used for  
>> escaping chars)
>> +        int curAmpIndex = value.indexOf("&");
>> +        while (curAmpIndex >= 0) {
>> +            if (' ' != value.charAt(curAmpIndex + 1)) {
>> +                errorMessageList.add("In field [" + valueName + "]  
>> the ampersand (&) symbol is only allowed if followed by a space.");
>> +                // once we find one like this we have the message  
>> so no need to check for more
>> +                break;
>> +            }
>> +            curAmpIndex = value.indexOf("&", curAmpIndex + 1);
>> +        }
>> +
>> +        // check for % not followed by a space (can be used for  
>> escaping chars)
>> +        int curPercIndex = value.indexOf("%");
>> +        while (curPercIndex >= 0) {
>> +            if (' ' != value.charAt(curPercIndex + 1)) {
>> +                errorMessageList.add("In field [" + valueName + "]  
>> the percent (%) symbol is only allowed if followed by a space.");
>> +                // once we find one like this we have the message  
>> so no need to check for more
>> +                break;
>> +            }
>> +            curPercIndex = value.indexOf("%", curPercIndex + 1);
>> +        }
>> +
>> +        // TODO: anything else to check for that can be used to  
>> get HTML or JavaScript going without these characters?
>> +
>> +        return value;
>> +    }
>> +
>> +    /**
>> +     * Uses a white-list approach to check for safe HTML.
>> +     * Based on the ESAPI validator configured in the antisamy- 
>> esapi.xml file.
>> +     *
>> +     * @param value
>> +     * @param errorMessageList
>> +     * @return String with updated value if needed for safer HTML.
>> +     */
>> +    public static String checkStringForHtmlSafeOnly(String  
>> valueName, String value, List<String> errorMessageList) {
>> +        ValidationErrorList vel = new ValidationErrorList();
>> +        value = defaultWebValidator.getValidSafeHTML(valueName,  
>> value, Integer.MAX_VALUE, true, vel);
>> +        errorMessageList.addAll(vel.errors());
>> +        return value;
>> +    }
>> +
>> +    /**
>>     * Translates various HTML characters in a string so that the  
>> string can be displayed in a browser safely
>>     * <p>
>>     * This function is useful in preventing user-supplied text from  
>> containing HTML markup, such as in a message board or
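Review bot: the tag check in `checkStringForHtmlStrictNone` tests `value.indexOf("<") >= 0` twice, so `>` is never rejected even though the error message says both symbols are disallowed; the second condition should be `value.indexOf(">") >= 0`. The two scan loops that follow read `value.charAt(curAmpIndex + 1)` and `value.charAt(curPercIndex + 1)` without checking that the index exists, so a value ending in `&` or `%` throws StringIndexOutOfBoundsException instead of producing an error message; test `curAmpIndex + 1 >= value.length()` first and treat a trailing symbol the same as one not followed by a space. In `checkStringForHtmlSafeOnly`, `vel.errors()` yields ValidationException objects rather than strings, so `errorMessageList.addAll(vel.errors())` puts non-String elements into a `List<String>` and will fail when a caller reads them; add each error's message (for example its user message) instead. Smaller points: the user-facing message in the canonicalization catch says "espacing" (should be "escaping"), and the first javadoc lacks an `@return` tag while the second has one.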
>> @@ -473,6 +545,8 @@
>>     *    <li>'>' (greater than) becomes '&gt;'
>>     *    <li>\n (Carriage Return) becomes '&lt;br&gt;gt;'
>>     * </ol>
>> +     *
>> +     * @deprecated Use StringUtil.htmlEncoder instead.
>>     */
>>    public static String htmlSpecialChars(String html, boolean  
>> doubleQuotes, boolean singleQuotes, boolean insertBR) {
>>        html = StringUtil.replaceString(html, "&", "&amp;");
>>
>> Modified: ofbiz/trunk/framework/service/dtd/services.xsd
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/dtd/services.xsd?rev=742352&r1=742351&r2=742352&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/service/dtd/services.xsd (original)
>> +++ ofbiz/trunk/framework/service/dtd/services.xsd Mon Feb  9  
>> 09:34:34 2009
>> @@ -268,6 +268,16 @@
>>                </xs:restriction>
>>            </xs:simpleType>
>>        </xs:attribute>
>> +        <xs:attribute name="allow-html" use="optional"  
>> default="none">
>> +            <xs:annotation><xs:documentation>See the documentation  
>> on the allow-html attribute of the "attribute" element.</ 
>> xs:documentation></xs:annotation>
>> +            <xs:simpleType>
>> +                <xs:restriction base="xs:token">
>> +                    <xs:enumeration value="any"/>
>> +                    <xs:enumeration value="safe"/>
>> +                    <xs:enumeration value="none"/>
>> +                </xs:restriction>
>> +            </xs:simpleType>
>> +        </xs:attribute>
>>    </xs:attributeGroup>
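Review bot: this three-value enumeration (`any`/`safe`/`none`) is repeated verbatim in the allow-html attribute of all three attribute groups touched in this file; declare it once as a named `xs:simpleType` (for example `allow-html-type`) and reference it from each `xs:attribute`, so the allowed values cannot drift apart when one copy is edited later.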
>>    <xs:element name="exclude">
>>        <xs:complexType>
>> @@ -321,6 +331,22 @@
>>                </xs:restriction>
>>            </xs:simpleType>
>>        </xs:attribute>
>> +        <xs:attribute name="allow-html" use="optional"  
>> default="none">
>> +            <xs:annotation><xs:documentation>
>> +                Applies only to String fields.
>> +                Only checked for incoming parameters/attributes  
>> (could change in the future, but this is meant for validating input  
>> from users, other systems, etc).
>> +                Defualts to "none" meaning no HTML is allowed  
>> (will result in an error message).
>> +                If some HTML is desired then use "safe" which will  
>> follow the rules in the antisamy-esapi.xml file. This should be  
>> safe for both internal and public users.
>> +                In rare cases when users are trusted or it is not  
>> a sensitive field the "any" option may be used to not check the  
>> HTML content at all.
>> +            </xs:documentation></xs:annotation>
>> +            <xs:simpleType>
>> +                <xs:restriction base="xs:token">
>> +                    <xs:enumeration value="any"/>
>> +                    <xs:enumeration value="safe"/>
>> +                    <xs:enumeration value="none"/>
>> +                </xs:restriction>
>> +            </xs:simpleType>
>> +        </xs:attribute>
>>    </xs:attributeGroup>
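Review bot: "Defualts" in the documentation should be "Defaults". The text also says that "none" results in an error message but does not say that "safe" can change the submitted value: `checkStringForHtmlSafeOnly` in StringUtil returns the cleaned HTML (its javadoc says "String with updated value if needed"), so a service author choosing "safe" should be told that the parameter value the service receives may differ from what the user sent.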
>>    <xs:element name="override">
>>        <xs:complexType>
>> @@ -362,6 +388,16 @@
>>                </xs:restriction>
>>            </xs:simpleType>
>>        </xs:attribute>
>> +        <xs:attribute name="allow-html" use="optional">
>> +            <xs:annotation><xs:documentation>See the documentation  
>> on the allow-html attribute of the "attribute" element. Note that  
>> it is slightly different here as there is no defualt.</ 
>> xs:documentation></xs:annotation>
>> +            <xs:simpleType>
>> +                <xs:restriction base="xs:token">
>> +                    <xs:enumeration value="any"/>
>> +                    <xs:enumeration value="safe"/>
>> +                    <xs:enumeration value="none"/>
>> +                </xs:restriction>
>> +            </xs:simpleType>
>> +        </xs:attribute>
>>    </xs:attributeGroup>
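Review bot: "defualt" should be "default" in the documentation. Since this override attribute deliberately has no default, the documentation should also state what an absent value means here (whether the setting of the overridden attribute is kept), so that readers do not assume "none" applies as it does for the other two attribute groups.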
>>    <xs:element name="type-validate">
>>        <xs:complexType>
>>
>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> GenericDispatcher.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/GenericDispatcher.java?rev=742352&r1=742351&r2=742352&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> GenericDispatcher.java (original)
>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> GenericDispatcher.java Mon Feb  9 09:34:34 2009
>> @@ -22,9 +22,8 @@
>>
>> import javolution.util.FastMap;
>>
>> -import org.ofbiz.entity.GenericDelegator;
>> -import org.ofbiz.entity.GenericEntityException;
>> import org.ofbiz.base.util.Debug;
>> +import org.ofbiz.entity.GenericDelegator;
>>
>> /**
>> * Generic Services Local Dispatcher
>> @@ -130,15 +129,15 @@
>>    }
>>
>>    public void disableEcas(){
>> -        this.ecasDisabled = true;
>> +        ecasDisabled = true;
>>    }
>>
>>    public void enableEcas() {
>> -        this.ecasDisabled = false;
>> +        ecasDisabled = false;
>>    }
>>
>>    public boolean isEcasDisabled() {
>> -        return this.ecasDisabled;
>> +        return ecasDisabled;
>>    }
>>
>>    /**
>>
>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelParam.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelParam.java?rev=742352&r1=742351&r2=742352&view=diff
>> ==============================================================================
>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelParam.java (original)
>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelParam.java Mon Feb  9 09:34:34 2009
>> @@ -35,6 +35,7 @@
>> /**
>> * Generic Service Model Parameter
>> */
>> +@SuppressWarnings("serial")
>> public class ModelParam implements Serializable {
>>
>>    public static final String module = ModelParam.class.getName();
>> @@ -77,6 +78,9 @@
>>    public boolean formDisplay = true;
>>    public boolean overrideFormDisplay = false;
>>
>> +    /** Default value */
>> +    public String allowHtml = null;
>> +
>>    /** Is this Parameter set internally? */
>>    public boolean internal = false;
>>
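Review bot: the Javadoc "/** Default value */" on the new allowHtml field does not describe the field; it should say that it holds the allow-html policy (none, safe or any). More importantly the field is initialised to null rather than "none": a ModelParam created anywhere other than ModelServiceReader keeps null, and the check added in ModelService.validate only acts on the literal values "none" and "safe", so a null policy silently skips the HTML check. Suggest public String allowHtml = "none"; so the field itself fails closed.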
>> @@ -97,6 +101,7 @@
>>        this.overrideOptional = param.overrideOptional;
>>        this.formDisplay = param.formDisplay;
>>        this.overrideFormDisplay = param.overrideFormDisplay;
>> +        this.allowHtml = param.allowHtml;
>>        this.internal = param.internal;
>>    }
>>
>> @@ -190,6 +195,7 @@
>>        buf.append(overrideOptional).append("::");
>>        buf.append(formDisplay).append("::");
>>        buf.append(overrideFormDisplay).append("::");
>> +        buf.append(allowHtml).append("::");
>>        buf.append(defaultValue).append("::");
>>        buf.append(internal);
>>        if (validators != null)
>>
>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelService.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelService.java?rev=742352&r1=742351&r2=742352&view=diff
>> = 
>> = 
>> = 
>> = 
>> = 
>> = 
>> = 
>> = 
>> = 
>> =====================================================================
>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelService.java (original)
>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelService.java Mon Feb  9 09:34:34 2009
>> @@ -58,7 +58,7 @@
>> import org.ofbiz.base.util.Debug;
>> import org.ofbiz.base.util.GeneralException;
>> import org.ofbiz.base.util.ObjectType;
>> -import org.ofbiz.base.util.UtilDateTime;
>> +import org.ofbiz.base.util.StringUtil;
>> import org.ofbiz.base.util.UtilMisc;
>> import org.ofbiz.base.util.UtilProperties;
>> import org.ofbiz.base.util.UtilValidate;
>> @@ -75,6 +75,7 @@
>> /**
>> * Generic Service Model Class
>> */
>> +@SuppressWarnings("serial")
>> public class ModelService extends AbstractMap<String, Object>  
>> implements Serializable {
>>    private static final Field[] MODEL_SERVICE_FIELDS;
>>    private static final Map<String, Field> MODEL_SERVICE_FIELD_MAP  
>> = FastMap.newInstance();
>> @@ -459,16 +460,16 @@
>>     * @param test The Map object to test
>>     * @param mode Test either mode IN or mode OUT
>>     */
>> -    public void validate(Map<String, ? extends Object> test,  
>> String mode, Locale locale) throws ServiceValidationException {
>> +    public void validate(Map<String, Object> context, String mode,  
>> Locale locale) throws ServiceValidationException {
>>        Map<String, String> requiredInfo = FastMap.newInstance();
>>        Map<String, String> optionalInfo = FastMap.newInstance();
>>        boolean verboseOn = Debug.verboseOn();
>>
>> -        if (verboseOn) Debug.logVerbose("[ModelService.validate] :  
>> {" + this.name + "} : Validating context - " + test, module);
>> +        if (verboseOn) Debug.logVerbose("[ModelService.validate] :  
>> {" + this.name + "} : Validating context - " + context, module);
>>
>>        // do not validate results with errors
>> -        if (mode.equals(OUT_PARAM) && test != null &&  
>> test.containsKey(RESPONSE_MESSAGE)) {
>> -            if (RESPOND_ERROR.equals(test.get(RESPONSE_MESSAGE))  
>> || RESPOND_FAIL.equals(test.get(RESPONSE_MESSAGE))) {
>> +        if (mode.equals(OUT_PARAM) && context != null &&  
>> context.containsKey(RESPONSE_MESSAGE)) {
>> +            if  
>> (RESPOND_ERROR.equals(context.get(RESPONSE_MESSAGE)) ||  
>> RESPOND_FAIL.equals(context.get(RESPONSE_MESSAGE))) {
>>                if (verboseOn)  
>> Debug.logVerbose("[ModelService.validate] : {" + this.name + "} :  
>> response was an error, not validating.", module);
>>                return;
>>            }
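Review bot: the Javadoc above this signature still reads "@param test The Map object to test" while the parameter is now named context; update it. The type change from Map&lt;String, ? extends Object&gt; to Map&lt;String, Object&gt; is needed because validate() now writes sanitized values back with context.put, but it is a public signature change and turns a read-only validation into one that mutates the caller's map; that side effect belongs in the Javadoc as well.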
>> @@ -490,8 +491,8 @@
>>        Map<String, Object> requiredTest = FastMap.newInstance();
>>        Map<String, Object> optionalTest = FastMap.newInstance();
>>
>> -        if (test == null) test = FastMap.newInstance();
>> -        requiredTest.putAll(test);
>> +        if (context == null) context = FastMap.newInstance();
>> +        requiredTest.putAll(context);
>>
>>        List<String> requiredButNull = FastList.newInstance();
>>        List<String> keyList = FastList.newInstance();
>> @@ -545,6 +546,30 @@
>>            Debug.logError("[ModelService.validate] : {" + name +  
>> "} : (" + mode + ") Required test error: " + e.toString(), module);
>>            throw e;
>>        }
>> +
>> +        // required and type validation complete, do allow-html  
>> validation
>> +        if ("IN".equals(mode)) {
>> +            List<String> errorMessageList = FastList.newInstance();
>> +            for (ModelParam modelParam: this.contextInfo.values()) {
>> +                if (context.get(modelParam.name) != null &&
>> +                        ("String".equals(modelParam.type) ||  
>> "java.lang.String".equals(modelParam.type)) &&
>> +                        !"any".equals(modelParam.allowHtml) &&
>> +                        ("INOUT".equals(modelParam.mode) ||  
>> "IN".equals(modelParam.mode))) {
>> +                    // the param is a String, allow-html is none  
>> or safe, and we are looking at an IN parameter during input  
>> parameter validation
>> +                    String value = (String)  
>> context.get(modelParam.name);
>> +                    if ("none".equals(modelParam.allowHtml)) {
>> +                        value =  
>> StringUtil.checkStringForHtmlStrictNone(modelParam.name, value,  
>> errorMessageList);
>> +                        context.put(modelParam.name, value);
>> +                    } else if  
>> ("safe".equals(modelParam.allowHtml)) {
>> +                        value =  
>> StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value,  
>> errorMessageList);
>> +                        context.put(modelParam.name, value);
>> +                    }
>> +                }
>> +            }
>> +            if (errorMessageList.size() > 0) {
>> +                throw new  
>> ServiceValidationException(errorMessageList, this, mode);
>> +            }
>> +        }
>>    }
>>
>>    /**
>>
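Review bot: the new block compares mode against the literal "IN" while the code a few lines up uses the OUT_PARAM constant (if (mode.equals(OUT_PARAM) ...); use the IN counterpart (IN_PARAM) for consistency. Two behavioural points: the chain if ("none".equals(modelParam.allowHtml)) ... else if ("safe".equals(modelParam.allowHtml)) has no final else, so any policy value other than none, safe or any, including null, is neither checked nor rejected; add an else that appends an error to errorMessageList so an unknown policy fails closed. Also, context.put(modelParam.name, value) rewrites the caller's map before the ServiceValidationException is thrown, so after a failed validation the context may hold partially sanitized values, and only String-typed parameters are covered: strings nested inside List or Map typed parameters pass through untouched.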
>> Modified: ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelServiceReader.java
>> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/service/src/org/ofbiz/service/ModelServiceReader.java?rev=742352&r1=742351&r2=742352&view=diff
>> = 
>> = 
>> = 
>> = 
>> = 
>> = 
>> = 
>> = 
>> = 
>> =====================================================================
>> --- ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelServiceReader.java (original)
>> +++ ofbiz/trunk/framework/service/src/org/ofbiz/service/ 
>> ModelServiceReader.java Mon Feb  9 09:34:34 2009
>> @@ -56,7 +56,7 @@
>> /**
>> * Generic Service - Service Definition Reader
>> */
>> -
>> +@SuppressWarnings("serial")
>> public class ModelServiceReader implements Serializable {
>>
>>    public static final String module =  
>> ModelServiceReader.class.getName();
>> @@ -510,6 +510,7 @@
>>                            param.mode =  
>> UtilXml.checkEmpty(autoElement.getAttribute("mode")).intern();
>>                            param.optional =  
>> "true".equalsIgnoreCase(autoElement.getAttribute("optional")); //  
>> default to true
>>                            param.formDisplay  
>> = !"false".equalsIgnoreCase(autoElement.getAttribute("form- 
>> display")); // default to false
>> +                            param.allowHtml =  
>> UtilXml.checkEmpty(autoElement.getAttribute("allow-html"),  
>> "none").intern(); // default to none
>>                            modelParamMap.put(field.getName(), param);
>>                        }
>>                    }
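Review bot: UtilXml.checkEmpty(autoElement.getAttribute("allow-html"), "none") supplies the default but does not validate the value; a misspelled policy such as allow-html="Safe" is stored as-is and, in ModelService.validate, matches neither "none" nor "safe", so the parameter ends up unchecked. The reader should reject values outside none/safe/any when loading the definition (ideally with a logged error naming the service and parameter), and the same applies to the attribute element handled in the next hunk. Separately, the pre-existing comment "// default to false" next to param.formDisplay = !"false".equalsIgnoreCase(...) is wrong, since that expression defaults to true when the attribute is absent.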
>> @@ -532,7 +533,7 @@
>>                Debug.logError(e, "Problem loading auto-attributes  
>> [" + entityName + "] for " + service.name, module);
>>            } catch (GeneralException e) {
>>                Debug.logError(e, "Cannot load auto-attributes : " +  
>> e.getMessage() + " for " + service.name, module);
>> -            }
>> +            }
>>        }
>>    }
>>
>> @@ -551,6 +552,7 @@
>>            param.formLabel = attribute.hasAttribute("form-label")? 
>> attribute.getAttribute("form-label").intern():null;
>>            param.optional =  
>> "true".equalsIgnoreCase(attribute.getAttribute("optional")); //  
>> default to true
>>            param.formDisplay  
>> = !"false".equalsIgnoreCase(attribute.getAttribute("form- 
>> display")); // default to false
>> +            param.allowHtml =  
>> UtilXml.checkEmpty(attribute.getAttribute("allow-html"),  
>> "none").intern(); // default to none
>>
>>            // default value
>>            String defValue = attribute.getAttribute("default-value");
>> @@ -644,8 +646,8 @@
>>    }
>>
>>    protected void createOverrideDefs(Element baseElement,  
>> ModelService service) {
>> -        for (Element attribute:  
>> UtilXml.childElementList(baseElement, "override")) {
>> -            String name =  
>> UtilXml.checkEmpty(attribute.getAttribute("name"));
>> +        for (Element overrideElement:  
>> UtilXml.childElementList(baseElement, "override")) {
>> +            String name =  
>> UtilXml.checkEmpty(overrideElement.getAttribute("name"));
>>            ModelParam param = service.getParam(name);
>>            boolean directToParams = true;
>>            if (param == null) {
>> @@ -662,38 +664,42 @@
>>
>>            if (param != null) {
>>                // set only modified values
>> -                if (attribute.getAttribute("type") != null &&  
>> attribute.getAttribute("type").length() > 0) {
>> -                    param.type =  
>> UtilXml.checkEmpty(attribute.getAttribute("type")).intern();
>> +                if  
>> (UtilValidate.isNotEmpty(overrideElement.getAttribute("type"))) {
>> +                    param.type =  
>> UtilXml.checkEmpty(overrideElement.getAttribute("type")).intern();
>>                }
>> -                if (attribute.getAttribute("mode") != null &&  
>> attribute.getAttribute("mode").length() > 0) {
>> -                    param.mode =  
>> UtilXml.checkEmpty(attribute.getAttribute("mode")).intern();
>> +                if  
>> (UtilValidate.isNotEmpty(overrideElement.getAttribute("mode"))) {
>> +                    param.mode =  
>> UtilXml.checkEmpty(overrideElement.getAttribute("mode")).intern();
>>                }
>> -                if (attribute.getAttribute("entity-name") != null  
>> && attribute.getAttribute("entity-name").length() > 0) {
>> -                   param.entityName =  
>> UtilXml.checkEmpty(attribute.getAttribute("entity-name")).intern();
>> +                if  
>> (UtilValidate.isNotEmpty(overrideElement.getAttribute("entity- 
>> name"))) {
>> +                   param.entityName =  
>> UtilXml.checkEmpty(overrideElement.getAttribute("entity- 
>> name")).intern();
>>                }
>> -                if (attribute.getAttribute("field-name") != null  
>> && attribute.getAttribute("field-name").length() > 0) {
>> -                    param.fieldName =  
>> UtilXml.checkEmpty(attribute.getAttribute("field-name")).intern();
>> +                if  
>> (UtilValidate.isNotEmpty(overrideElement.getAttribute("field- 
>> name"))) {
>> +                    param.fieldName =  
>> UtilXml.checkEmpty(overrideElement.getAttribute("field- 
>> name")).intern();
>>                }
>> -                if (attribute.getAttribute("form-label") != null  
>> && attribute.getAttribute("form-label").length() > 0) {
>> -                    param.formLabel =  
>> UtilXml.checkEmpty(attribute.getAttribute("form-label")).intern();
>> +                if  
>> (UtilValidate.isNotEmpty(overrideElement.getAttribute("form- 
>> label"))) {
>> +                    param.formLabel =  
>> UtilXml.checkEmpty(overrideElement.getAttribute("form- 
>> label")).intern();
>>                }
>> -                if (attribute.getAttribute("optional") != null &&  
>> attribute.getAttribute("optional").length() > 0) {
>> -                    param.optional =  
>> "true".equalsIgnoreCase(attribute.getAttribute("optional")); //  
>> default to true
>> +                if  
>> (UtilValidate.isNotEmpty(overrideElement.getAttribute("optional"))) {
>> +                    param.optional =  
>> "true 
>> ".equalsIgnoreCase(overrideElement.getAttribute("optional")); //  
>> default to true
>>                    param.overrideOptional = true;
>>                }
>> -                if (attribute.getAttribute("form-display") != null  
>> && attribute.getAttribute("form-display").length() > 0) {
>> -                    param.formDisplay  
>> = !"false".equalsIgnoreCase(attribute.getAttribute("form- 
>> display")); // default to false
>> +                if  
>> (UtilValidate.isNotEmpty(overrideElement.getAttribute("form- 
>> display"))) {
>> +                    param.formDisplay  
>> = !"false".equalsIgnoreCase(overrideElement.getAttribute("form- 
>> display")); // default to false
>>                    param.overrideFormDisplay = true;
>>                }
>>
>> +                if  
>> (UtilValidate.isNotEmpty(overrideElement.getAttribute("allow- 
>> html"))) {
>> +                    param.allowHtml =  
>> UtilXml.checkEmpty(overrideElement.getAttribute("allow- 
>> html")).intern();
>> +                }
>> +
>>                // default value
>> -                String defValue = attribute.getAttribute("default- 
>> value");
>> +                String defValue =  
>> overrideElement.getAttribute("default-value");
>>                if (UtilValidate.isNotEmpty(defValue)) {
>>                    param.setDefaultValue(defValue);
>>                }
>>
>>                // override validators
>> -                this.addValidators(attribute, param);
>> +                this.addValidators(overrideElement, param);
>>
>>                if (directToParams) {
>>                    service.addParam(param);
>>
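Review bot: the override block applies allow-html from an override element unconditionally, so an override can relax a parameter from none to any. Unlike the optional and form-display overrides, which record the change in param.overrideOptional and param.overrideFormDisplay, nothing records that the HTML policy was overridden, which makes such relaxations hard to find when auditing service definitions; consider a matching overrideAllowHtml flag and a log line when the override loosens the policy. The value also goes in unvalidated here, as in the attribute and auto-attribute readers.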
>
>