Posted to user@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2015/11/06 16:31:33 UTC

Re: Render HTML markup in Freemarker

This is due to https://issues.apache.org/jira/browse/OFBIZ-6669

I see only one solution: use also the content.sanitize properties from content.properties (here you want it false) in *ContentWrapper classes (where 
the content is encoded).
This also means that you are then assuming your code is sensible to possible (but unlikely) static XSS attacks. I agree we should give this 
flexibility to users, once they are aware of what they are doing.

I will code that soon...

Jacques


On 06/11/2015 13:56, Ingo Wolfmayr wrote:
> Hi everybody,
>
> I am trying to display text content with embedded HTML markup tags:
>
> <p>Test</p>
>
> I tried
> ${productContentWrapper.get("DESCRIPTION","html")}
> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>
> For some reason it does print the text including the markup tags.
>
> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration?
>
> Thanks for any hint.
> Best regards
> Ingo
>

AW: AW: AW: Render HTML markup in Freemarker

Posted by Ingo Wolfmayr <in...@wolfix.at>.
I created my own PERMISSIVE_POLICY, but I am not finished with it by now. 

I think putting the configuration into the base property would be a good idea. 

Thanks!

Ingo

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
Sent: Sunday, 8 November 2015 14:03
To: user@ofbiz.apache.org
Subject: Re: AW: AW: Render HTML markup in Freemarker

Thanks for feedback Ingo,

Did you define your own PERMISSIVE_POLICY or simply used the one I created?

I think I will anyway provide a base property to allow users to use it without coding, with a comment to explain it can be modified.

Jacques


On 08/11/2015 12:39, Ingo Wolfmayr wrote:
> Thanks Jacques, the patch works fine. After defining the PERMISSIVE_POLICY I get the result I was expecting.
>
> Best regards,
> Ingo
>
> -----Original Message-----
> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
> Sent: Saturday, 7 November 2015 15:53
> To: user@ofbiz.apache.org
> Subject: Re: AW: Render HTML markup in Freemarker
>
> I submitted a last patch in OFBIZ-6669. It's now complete and gets rid of the content.properties, see my 2 last comments in OFBIZ-6669.
>
> HTH
>
> Jacques
>
> On 07/11/2015 09:20, Jacques Le Roux wrote:
>> Ingo,
>>
>> Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer.
>>
>> As explained in OFBIZ-6669, contrary to what I did in ContentWorker 
>> class, when I before did the work on *ContentWrapper classes I did 
>> not use the sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind thought it was easier because of the URL encoderType to also handle.
>>
>> When the encoderType is HTML, I now suggest we use the sanitizer in 
>> *ContentWrapper classes. For that I will enhance the UtilCodec class 
>> (if people disagree a sanitizer should be there, I will create a new 
>> UtilOwasp class)
>>
>> Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description).
>> This is why content.sanitize property exists in content.properties. 
>> To generalise, this property will need to be moved in the base config, I guess in an owasp.properties file.
>>
>> To be totally complete we should change *lines like* in 
>> productsummary.ftl line 85 to use an HTML content wrapper. I mean 
>> something like
>>
>> Index:
>> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>> ===================================================================
>> ---
>> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>> (revision 1712951)
>> +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.f
>> +++ t
>> +++ l (working copy)
>> @@ -63,6 +63,7 @@
>>           <#assign prodCatMem = requestAttributes.productCategoryMember>
>>       </#if>
>>       <#assign smallImageUrl =
>> productContentWrapper.get("SMALL_IMAGE_URL", "url")!>
>> +    <#assign productDescription =
>> + productContentWrapper.get("DESCRIPTION", "html")>
>>       <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if>
>>       <#-- end variable setup -->
>>       <#assign productInfoLinkId = "productInfoLink"> @@ -82,7 +83,7 @@
>>                   <img src="<@o...@ofbizContentUrl>" alt="Small Image"/><br />
>>                   ${uiLabelMap.ProductProductId}   : ${product.productId!}<br />
>>                   ${uiLabelMap.ProductProductName} : ${product.productName!}<br />
>> -                ${uiLabelMap.CommonDescription}  : ${product.description!}
>> +                ${uiLabelMap.CommonDescription}  :
>> + ${productDescription!}
>>                 </td>
>>               </tr>
>>             </table>
>>
>> I hope I'm clear now, see my proposed patch at OFBIZ-6669
>>
>> Jacques
>>
>>
>> On 06/11/2015 20:19, Ingo Wolfmayr wrote:
>>> Hi Jacques,
>>>
>>> thanks for the quick answer.
>>>
>>> Just for me to understand :) :
>>>
>>> I have the following content from DB: <p>Test</p> Shouldn't the 
>>> sanitizer remove/sanitize tags that are not in the allow policy? So 
>>> from my understanding with the example "<p>Test</p>" it should 
>>> result in "" if the p-tag is not allowed. My result is that the 
>>> whole tag is rendered as text with the markup-tag <p>
>>>
>>> Best regards,
>>> Ingo
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
>>> Sent: Friday, 6 November 2015 16:32
>>> To: user@ofbiz.apache.org
>>> Subject: Re: Render HTML markup in Freemarker
>>>
>>> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669
>>>
>>> I see only one solution: use also the content.sanitize properties 
>>> from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded).
>>> This also means that you are then assuming your code is sensible to 
>>> possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing.
>>>
>>> I will code that soon...
>>>
>>> Jacques
>>>
>>>
>>> On 06/11/2015 13:56, Ingo Wolfmayr wrote:
>>>> Hi everybody,
>>>>
>>>> I am trying to display text content with embedded HTML markup tags:
>>>>
>>>> <p>Test</p>
>>>>
>>>> I tried
>>>> ${productContentWrapper.get("DESCRIPTION","html")}
>>>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>>>>
>>>> For some reason it does print the text including the markup tags.
>>>>
>>>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration?
>>>>
>>>> Thanks for any hint.
>>>> Best regards
>>>> Ingo
>>>>
>

Re: AW: AW: Render HTML markup in Freemarker

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks for feedback Ingo,

Did you define your own PERMISSIVE_POLICY or simply used the one I created?

I think I will anyway provide a base property to allow users to use it without coding, with a comment to explain it can be modified.

Jacques


On 08/11/2015 12:39, Ingo Wolfmayr wrote:
> Thanks Jacques, the patch works fine. After defining the PERMISSIVE_POLICY I get the result I was expecting.
>
> Best regards,
> Ingo
>
> -----Original Message-----
> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
> Sent: Saturday, 7 November 2015 15:53
> To: user@ofbiz.apache.org
> Subject: Re: AW: Render HTML markup in Freemarker
>
> I submitted a last patch in OFBIZ-6669. It's now complete and gets rid of the content.properties, see my 2 last comments in OFBIZ-6669.
>
> HTH
>
> Jacques
>
> On 07/11/2015 09:20, Jacques Le Roux wrote:
>> Ingo,
>>
>> Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer.
>>
>> As explained in OFBIZ-6669, contrary to what I did in ContentWorker
>> class, when I before did the work on *ContentWrapper classes I did not
>> use the sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind thought it was easier because of the URL encoderType to also handle.
>>
>> When the encoderType is HTML, I now suggest we use the sanitizer in
>> *ContentWrapper classes. For that I will enhance the UtilCodec class
>> (if people disagree a sanitizer should be there, I will create a new
>> UtilOwasp class)
>>
>> Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description).
>> This is why content.sanitize property exists in content.properties. To
>> generalise, this property will need to be moved in the base config, I guess in an owasp.properties file.
>>
>> To be totally complete we should change *lines like* in
>> productsummary.ftl line 85 to use an HTML content wrapper. I mean
>> something like
>>
>> Index:
>> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>> ===================================================================
>> ---
>> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>> (revision 1712951)
>> +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.ft
>> +++ l (working copy)
>> @@ -63,6 +63,7 @@
>>           <#assign prodCatMem = requestAttributes.productCategoryMember>
>>       </#if>
>>       <#assign smallImageUrl =
>> productContentWrapper.get("SMALL_IMAGE_URL", "url")!>
>> +    <#assign productDescription =
>> + productContentWrapper.get("DESCRIPTION", "html")>
>>       <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if>
>>       <#-- end variable setup -->
>>       <#assign productInfoLinkId = "productInfoLink"> @@ -82,7 +83,7 @@
>>                   <img src="<@o...@ofbizContentUrl>" alt="Small Image"/><br />
>>                   ${uiLabelMap.ProductProductId}   : ${product.productId!}<br />
>>                   ${uiLabelMap.ProductProductName} : ${product.productName!}<br />
>> -                ${uiLabelMap.CommonDescription}  : ${product.description!}
>> +                ${uiLabelMap.CommonDescription}  :
>> + ${productDescription!}
>>                 </td>
>>               </tr>
>>             </table>
>>
>> I hope I'm clear now, see my proposed patch at OFBIZ-6669
>>
>> Jacques
>>
>>
>> On 06/11/2015 20:19, Ingo Wolfmayr wrote:
>>> Hi Jacques,
>>>
>>> thanks for the quick answer.
>>>
>>> Just for me to understand :) :
>>>
>>> I have the following content from DB: <p>Test</p> Shouldn't the
>>> sanitizer remove/sanitize tags that are not in the allow policy? So
>>> from my understanding with the example "<p>Test</p>" it should result
>>> in "" if the p-tag is not allowed. My result is that the whole tag is
>>> rendered as text with the markup-tag <p>
>>>
>>> Best regards,
>>> Ingo
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
>>> Sent: Friday, 6 November 2015 16:32
>>> To: user@ofbiz.apache.org
>>> Subject: Re: Render HTML markup in Freemarker
>>>
>>> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669
>>>
>>> I see only one solution: use also the content.sanitize properties
>>> from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded).
>>> This also means that you are then assuming your code is sensible to
>>> possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing.
>>>
>>> I will code that soon...
>>>
>>> Jacques
>>>
>>>
>>> On 06/11/2015 13:56, Ingo Wolfmayr wrote:
>>>> Hi everybody,
>>>>
>>>> I am trying to display text content with embedded HTML markup tags:
>>>>
>>>> <p>Test</p>
>>>>
>>>> I tried
>>>> ${productContentWrapper.get("DESCRIPTION","html")}
>>>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>>>>
>>>> For some reason it does print the text including the markup tags.
>>>>
>>>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration?
>>>>
>>>> Thanks for any hint.
>>>> Best regards
>>>> Ingo
>>>>
>

AW: AW: Render HTML markup in Freemarker

Posted by Ingo Wolfmayr <in...@wolfix.at>.
Thanks Jacques, the patch works fine. After defining the PERMISSIVE_POLICY I get the result I was expecting. 

Best regards,
Ingo

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
Sent: Saturday, 7 November 2015 15:53
To: user@ofbiz.apache.org
Subject: Re: AW: Render HTML markup in Freemarker

I submitted a last patch in OFBIZ-6669. It's now complete and gets rid of the content.properties, see my 2 last comments in OFBIZ-6669.

HTH

Jacques

On 07/11/2015 09:20, Jacques Le Roux wrote:
> Ingo,
>
> Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer.
>
> As explained in OFBIZ-6669, contrary to what I did in ContentWorker 
> class, when I before did the work on *ContentWrapper classes I did not 
> use the sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind thought it was easier because of the URL encoderType to also handle.
>
> When the encoderType is HTML, I now suggest we use the sanitizer in 
> *ContentWrapper classes. For that I will enhance the UtilCodec class 
> (if people disagree a sanitizer should be there, I will create a new 
> UtilOwasp class)
>
> Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description).
> This is why content.sanitize property exists in content.properties. To 
> generalise, this property will need to be moved in the base config, I guess in an owasp.properties file.
>
> To be totally complete we should change *lines like* in 
> productsummary.ftl line 85 to use an HTML content wrapper. I mean 
> something like
>
> Index: 
> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
> ===================================================================
> --- 
> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl 
> (revision 1712951)
> +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.ft
> +++ l (working copy)
> @@ -63,6 +63,7 @@
>          <#assign prodCatMem = requestAttributes.productCategoryMember>
>      </#if>
>      <#assign smallImageUrl = 
> productContentWrapper.get("SMALL_IMAGE_URL", "url")!>
> +    <#assign productDescription = 
> + productContentWrapper.get("DESCRIPTION", "html")>
>      <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if>
>      <#-- end variable setup -->
>      <#assign productInfoLinkId = "productInfoLink"> @@ -82,7 +83,7 @@
>                  <img src="<@o...@ofbizContentUrl>" alt="Small Image"/><br />
>                  ${uiLabelMap.ProductProductId}   : ${product.productId!}<br />
>                  ${uiLabelMap.ProductProductName} : ${product.productName!}<br />
> -                ${uiLabelMap.CommonDescription}  : ${product.description!}
> +                ${uiLabelMap.CommonDescription}  : 
> + ${productDescription!}
>                </td>
>              </tr>
>            </table>
>
> I hope I'm clear now, see my proposed patch at OFBIZ-6669
>
> Jacques
>
>
> On 06/11/2015 20:19, Ingo Wolfmayr wrote:
>> Hi Jacques,
>>
>> thanks for the quick answer.
>>
>> Just for me to understand :) :
>>
>> I have the following content from DB: <p>Test</p> Shouldn't the 
>> sanitizer remove/sanitize tags that are not in the allow policy? So 
>> from my understanding with the example "<p>Test</p>" it should result 
>> in "" if the p-tag is not allowed. My result is that the whole tag is 
>> rendered as text with the markup-tag <p>
>>
>> Best regards,
>> Ingo
>>
>>
>>
>>
>> -----Original Message-----
>> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
>> Sent: Friday, 6 November 2015 16:32
>> To: user@ofbiz.apache.org
>> Subject: Re: Render HTML markup in Freemarker
>>
>> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669
>>
>> I see only one solution: use also the content.sanitize properties 
>> from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded).
>> This also means that you are then assuming your code is sensible to 
>> possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing.
>>
>> I will code that soon...
>>
>> Jacques
>>
>>
>> On 06/11/2015 13:56, Ingo Wolfmayr wrote:
>>> Hi everybody,
>>>
>>> I am trying to display text content with embedded HTML markup tags:
>>>
>>> <p>Test</p>
>>>
>>> I tried
>>> ${productContentWrapper.get("DESCRIPTION","html")}
>>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>>>
>>> For some reason it does print the text including the markup tags.
>>>
>>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration?
>>>
>>> Thanks for any hint.
>>> Best regards
>>> Ingo
>>>
>>
>

Re: AW: Render HTML markup in Freemarker

Posted by Jacques Le Roux <ja...@les7arts.com>.
I submitted a last patch in OFBIZ-6669. It's now complete and gets rid of the content.properties, see my 2 last comments in OFBIZ-6669.

HTH

Jacques

On 07/11/2015 09:20, Jacques Le Roux wrote:
> Ingo,
>
> Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer.
>
> As explained in OFBIZ-6669, contrary to what I did in ContentWorker class, when I before did the work on *ContentWrapper classes I did not use the 
> sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind 
> thought it was easier because of the URL encoderType to also handle.
>
> When the encoderType is HTML, I now suggest we use the sanitizer in *ContentWrapper classes. For that I will enhance the UtilCodec class (if people 
> disagree a sanitizer should be there, I will create a new UtilOwasp class)
>
> Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description).
> This is why content.sanitize property exists in content.properties. To generalise, this property will need to be moved in the base config, I guess 
> in an owasp.properties file.
>
> To be totally complete we should change *lines like* in productsummary.ftl line 85 to use an HTML content wrapper. I mean something like
>
> Index: applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
> ===================================================================
> --- applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl (revision 1712951)
> +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl (working copy)
> @@ -63,6 +63,7 @@
>          <#assign prodCatMem = requestAttributes.productCategoryMember>
>      </#if>
>      <#assign smallImageUrl = productContentWrapper.get("SMALL_IMAGE_URL", "url")!>
> +    <#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")>
>      <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if>
>      <#-- end variable setup -->
>      <#assign productInfoLinkId = "productInfoLink">
> @@ -82,7 +83,7 @@
>                  <img src="<@o...@ofbizContentUrl>" alt="Small Image"/><br />
>                  ${uiLabelMap.ProductProductId}   : ${product.productId!}<br />
>                  ${uiLabelMap.ProductProductName} : ${product.productName!}<br />
> -                ${uiLabelMap.CommonDescription}  : ${product.description!}
> +                ${uiLabelMap.CommonDescription}  : ${productDescription!}
>                </td>
>              </tr>
>            </table>
>
> I hope I'm clear now, see my proposed patch at OFBIZ-6669
>
> Jacques
>
>
> On 06/11/2015 20:19, Ingo Wolfmayr wrote:
>> Hi Jacques,
>>
>> thanks for the quick answer.
>>
>> Just for me to understand :) :
>>
>> I have the following content from DB: <p>Test</p>
>> Shouldn't the sanitizer remove/sanitize tags that are not in the allow policy? So from my understanding with the example "<p>Test</p>" it should 
>> result in "" if the p-tag is not allowed. My result is that the whole tag is rendered as text with the markup-tag <p>
>>
>> Best regards,
>> Ingo
>>
>>
>>
>>
>> -----Original Message-----
>> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
>> Sent: Friday, 6 November 2015 16:32
>> To: user@ofbiz.apache.org
>> Subject: Re: Render HTML markup in Freemarker
>>
>> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669
>>
>> I see only one solution: use also the content.sanitize properties from content.properties (here you want it false) in *ContentWrapper classes 
>> (where the content is encoded).
>> This also means that you are then assuming your code is sensible to possible (but unlikely) static XSS attacks. I agree we should give this 
>> flexibility to users, once they are aware of what they are doing.
>>
>> I will code that soon...
>>
>> Jacques
>>
>>
>> On 06/11/2015 13:56, Ingo Wolfmayr wrote:
>>> Hi everybody,
>>>
>>> I am trying to display text content with embedded HTML markup tags:
>>>
>>> <p>Test</p>
>>>
>>> I tried
>>> ${productContentWrapper.get("DESCRIPTION","html")}
>>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>>>
>>> For some reason it does print the text including the markup tags.
>>>
>>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration?
>>>
>>> Thanks for any hint.
>>> Best regards
>>> Ingo
>>>
>>
>

Re: AW: Render HTML markup in Freemarker

Posted by Jacques Le Roux <ja...@les7arts.com>.
Ingo,

Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer.

As explained in OFBIZ-6669, contrary to what I did in ContentWorker class, when I before did the work on *ContentWrapper classes I did not use the 
sanitizer but only an encoder (either HTML or URL). Because I wrongly supposed that only plain text was used there and certainly my lazy mind thought 
it was easier because of the URL encoderType to also handle.

When the encoderType is HTML, I now suggest we use the sanitizer in *ContentWrapper classes. For that I will enhance the UtilCodec class (if people 
disagree a sanitizer should be there, I will create a new UtilOwasp class)

Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description).
This is why content.sanitize property exists in content.properties. To generalise, this property will need to be moved in the base config, I guess in 
an owasp.properties file.

To be totally complete we should change *lines like* in productsummary.ftl line 85 to use an HTML content wrapper. I mean something like

Index: applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
===================================================================
--- applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl (revision 1712951)
+++ applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl (working copy)
@@ -63,6 +63,7 @@
          <#assign prodCatMem = requestAttributes.productCategoryMember>
      </#if>
      <#assign smallImageUrl = productContentWrapper.get("SMALL_IMAGE_URL", "url")!>
+    <#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")>
      <#if !smallImageUrl?string?has_content><#assign smallImageUrl = "/images/defaultImage.jpg"></#if>
      <#-- end variable setup -->
      <#assign productInfoLinkId = "productInfoLink">
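Review bot: the added assign, <#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")>, lacks the "!" default operator that the smallImageUrl assign directly above it uses. FreeMarker refuses to assign a null or missing value, so a product with no DESCRIPTION content would abort rendering at this line, before the "${productDescription!}" guard in the second hunk ever runs. Suggest <#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")!> so that the missing-content case degrades to an empty string as it does for the image URL.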
@@ -82,7 +83,7 @@
                  <img src="<@o...@ofbizContentUrl>" alt="Small Image"/><br />
                  ${uiLabelMap.ProductProductId}   : ${product.productId!}<br />
                  ${uiLabelMap.ProductProductName} : ${product.productName!}<br />
-                ${uiLabelMap.CommonDescription}  : ${product.description!}
+                ${uiLabelMap.CommonDescription}  : ${productDescription!}
                </td>
              </tr>
            </table>
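Review bot: the commit should state that the description cell now emits markup and depends on the sanitizer policy. The replaced line swaps the plain entity field ${product.description!} for the html-type content-wrapper value, which the message above proposes to sanitize rather than HTML-encode, while ${product.productId!} and ${product.productName!} three lines up still read the raw entity. A short <#-- ... --> note beside the new line, saying that this one field is deliberately rendered as (sanitized) HTML, would make the mixed sources visible to the next person editing the template.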

I hope I'm clear now, see my proposed patch at OFBIZ-6669

Jacques


On 06/11/2015 20:19, Ingo Wolfmayr wrote:
> Hi Jacques,
>
> thanks for the quick answer.
>
> Just for me to understand :) :
>
> I have the following content from DB: <p>Test</p>
> Shouldn't the sanitizer remove/sanitize tags that are not in the allow policy? So from my understanding with the example "<p>Test</p>" it should result in "" if the p-tag is not allowed. My result is that the whole tag is rendered as text with the markup-tag <p>
>
> Best regards,
> Ingo
>
>
>
>
> -----Original Message-----
> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
> Sent: Friday, 6 November 2015 16:32
> To: user@ofbiz.apache.org
> Subject: Re: Render HTML markup in Freemarker
>
> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669
>
> I see only one solution: use also the content.sanitize properties from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded).
> This also means that you are then assuming your code is sensible to possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing.
>
> I will code that soon...
>
> Jacques
>
>
> On 06/11/2015 13:56, Ingo Wolfmayr wrote:
>> Hi everybody,
>>
>> I am trying to display text content with embedded HTML markup tags:
>>
>> <p>Test</p>
>>
>> I tried
>> ${productContentWrapper.get("DESCRIPTION","html")}
>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>>
>> For some reason it does print the text including the markup tags.
>>
>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration?
>>
>> Thanks for any hint.
>> Best regards
>> Ingo
>>
>

AW: Render HTML markup in Freemarker

Posted by Ingo Wolfmayr <in...@wolfix.at>.
Hi Jacques,

thanks for the quick answer.

Just for me to understand :) :

I have the following content from DB: <p>Test</p>
Shouldn't the sanitizer remove/sanitize tags that are not in the allow policy? So from my understanding with the example "<p>Test</p>" it should result in "" if the p-tag is not allowed. My result is that the whole tag is rendered as text with the markup-tag <p>

Best regards,
Ingo




-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
Sent: Friday, 6 November 2015 16:32
To: user@ofbiz.apache.org
Subject: Re: Render HTML markup in Freemarker

This is due to https://issues.apache.org/jira/browse/OFBIZ-6669

I see only one solution: use also the content.sanitize properties from content.properties (here you want it false) in *ContentWrapper classes (where the content is encoded).
This also means that you are then assuming your code is sensible to possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing.

I will code that soon...

Jacques


On 06/11/2015 13:56, Ingo Wolfmayr wrote:
> Hi everybody,
>
> I am trying to display text content with embedded HTML markup tags:
>
> <p>Test</p>
>
> I tried
> ${productContentWrapper.get("DESCRIPTION","html")}
> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>
> For some reason it does print the text including the markup tags.
>
> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration?
>
> Thanks for any hint.
> Best regards
> Ingo
>
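The whole thread turns on one distinction: an HTML *encoder* turns every tag into visible text (which is why Ingo sees a literal <p>Test</p> on the page), whereas an allow-list *sanitizer* keeps the listed elements and removes everything else, so markup such as center/table or id attributes survives only if the policy names it. The following Java program is an added example that is not part of the thread and not OFBiz code; it assumes the OWASP Java HTML Sanitizer (org.owasp.html) and the OWASP Java Encoder (org.owasp.encoder) are on the classpath. The PERMISSIVE and STRICT policies and the render() helper are hypothetical illustrations of the content.sanitize / encoderType switch Jacques describes for the *ContentWrapper classes; they are not UtilCodec's PERMISSIVE_POLICY.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import org.owasp.encoder.Encode;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Added example, not OFBiz code. Contrasts HTML encoding (every tag becomes
 * visible text) with allow-list sanitizing (listed tags survive, the rest is
 * removed) and shows a property-driven switch between the two of the kind the
 * thread discusses for the *ContentWrapper classes. The policies and render()
 * below are hypothetical; they are not UtilCodec's PERMISSIVE_POLICY.
 */
public class ContentRenderDemo {

    // Constructed "permissive" policy: the stock OWASP formatting and block
    // elements, plus the centering/table markup and id attributes that a
    // stricter policy strips simply because they are not on its list.
    static final PolicyFactory PERMISSIVE = Sanitizers.FORMATTING
            .and(Sanitizers.BLOCKS)
            .and(new HtmlPolicyBuilder()
                    .allowElements("center", "table", "thead", "tbody", "tr", "th", "td")
                    .allowAttributes("id").globally()
                    .toFactory());

    // Stricter policy for comparison: only the stock block elements
    // (p, div, h1..h6, lists, blockquote), no tables, no id attributes.
    static final PolicyFactory STRICT = Sanitizers.BLOCKS;

    /**
     * Hypothetical wrapper step. encoderType "url" always URL-encodes (a
     * sanitizer makes no sense for a URL); encoderType "html" sanitizes with
     * the given policy when the content.sanitize switch is true and
     * HTML-encodes otherwise, which is the path that shows the angle brackets
     * of "<p>Test</p>" as literal text on the page.
     */
    static String render(String raw, String encoderType, boolean sanitize, PolicyFactory policy) {
        if (raw == null) {
            return "";
        }
        if ("url".equals(encoderType)) {
            try {
                return URLEncoder.encode(raw, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException("UTF-8 is always available", e);
            }
        }
        if (sanitize) {
            return policy.sanitize(raw);
        }
        return Encode.forHtml(raw);
    }

    public static void main(String[] args) {
        // Constructed sample DESCRIPTION values of the kind stored as content.
        String[] samples = {
            "<p>Test</p>",
            "<center><table id=\"specs\"><tr><td>Width</td><td>10 cm</td></tr></table></center>",
            "<p onclick=\"track()\">Hover</p><script>track()</script>",
        };
        for (String raw : samples) {
            System.out.println("raw                : " + raw);
            System.out.println("html, encoded      : " + render(raw, "html", false, PERMISSIVE));
            System.out.println("html, strict policy: " + render(raw, "html", true, STRICT));
            System.out.println("html, permissive   : " + render(raw, "html", true, PERMISSIVE));
            System.out.println("url                : " + render(raw, "url", false, PERMISSIVE));
            System.out.println();
        }
    }
}
```

Two behaviours of the OWASP sanitizer are worth knowing when reading the output. A disallowed element is dropped but its text content is kept (only script and style bodies are discarded), so a strict policy turns the center/table sample into bare cell text rather than an empty string, which is the "still removes the ids and tags like center/table" effect mentioned above. And an element that is allowed still loses any attribute the policy does not list, which is how the onclick handler disappears under both policies while the paragraph itself survives; the encoded variant, by contrast, keeps every character but renders none of it as markup.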