Hi,

While working on OFBIZ-11840, I thought about the solution I used for "[CVE-2020-1943] Apache OFBiz XSS Vulnerability".
So I tried that: diff --git framework/common/webcommon/WEB-INF/common-controller.xml framework/common/webcommon/WEB-INF/common-controller.xml index e6f9394cd4..9291cdbece 100644 --- framework/common/webcommon/WEB-INF/common-controller.xml +++ framework/common/webcommon/WEB-INF/common-controller.xml @@ -338,7 +338,7 @@ under the License. <!--========================== AJAX events =====================--> <!-- View Mappings --> - <view-map name="error" page="/error/error.jsp"/> + <view-map name="error" type="ftl" page="component://common/webcommon/error/Error.ftl"/> <view-map name="main" type="none"/> <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/> <view-map name="impersonated" type="screen" page="component://common/widget/CommonScreens.xml#impersonated"/> diff --git framework/common/webcommon/WEB-INF/handlers-controller.xml framework/common/webcommon/WEB-INF/handlers-controller.xml index be21b19fd9..1622d10ead 100644 --- framework/common/webcommon/WEB-INF/handlers-controller.xml +++ framework/common/webcommon/WEB-INF/handlers-controller.xml 
@@ -42,4 +42,5 @@ under the License. <handler name="screenfop" type="view" class="org.apache.ofbiz.widget.renderer.fo.ScreenFopViewHandler"/> <handler name="jsp" type="view" class="org.apache.ofbiz.webapp.view.JspViewHandler"/> <handler name="http" type="view" class="org.apache.ofbiz.webapp.view.HttpViewHandler"/> + <handler name="ftl" type="view" class="org.apache.ofbiz.webapp.ftl.FreeMarkerViewHandler"/> </site-conf>

It does not fix the OFBIZ-11840 issue, but it works. I mean it correctly replaces error.jsp by error.ftl.

A few questions:

1. Why have the ftl handlers only in the webtools controller? BTW, it makes the XSD documentation awkward because it speaks about the ftl handlers being in handlers-controller.xml.
2. Why not use error.ftl in common-controller.xml instead of error.jsp?
3. Same question for plugins.

I believe we could change all that and definitely get rid of error.jsp (error.ftl is already in all supported release branches).

What do you think?

Jacques
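Review bot: The new "error" view-map in common-controller.xml (`type="ftl"`) depends on a view handler named "ftl" that, per the message itself, currently exists only in the webtools controller, so this hunk is only valid together with the handlers-controller.xml hunk and the two must land in one commit; otherwise any controller that includes common-controller.xml is left with an error view whose type resolves to no handler, and the page reached on failure is the worst place for that. Two checks on this hunk: the view-map references `component://common/webcommon/error/Error.ftl` (capital E) while the text talks about `error.ftl`, so confirm the real file name, as the component:// path will be resolved case-sensitively on Linux; and since the message ties this change to the CVE-2020-1943 XSS fix, confirm that the Error.ftl being wired in here does not render the error message unescaped, because the error view is exactly the page an attacker-triggered failure lands on.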
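Review bot: Adding the "ftl" handler to handlers-controller.xml leaves a duplicate in any controller that already declares a handler with that name (the webtools controller, per question 1); remove the webtools copy in the same change rather than keeping two definitions of the same handler name, and note that this hunk is what makes the existing XSD documentation (which already says the ftl handlers live in handlers-controller.xml) accurate. The message says "ftl handlers" in the plural, but only `org.apache.ofbiz.webapp.ftl.FreeMarkerViewHandler` is added here; if webtools declares more than one ftl-related handler, either move the others too or narrow the documentation statement to the one handler actually shared.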