No problem. I hope everyone's in favor of these painful changes I'm working on. They'll definitely have side effects and break things as we restrict various things, for the sake of security.

Whatever the case, I'll be around to help pick up the pieces and resolve issues that I miss in testing based on these changes.

On a side note, I wish we had done this a LONG time ago as it would make things less painful with less code and functionality in the project. Oh well, better late than never. This is taking a lot longer to do than I thought, and I'm having to try all sorts of different things before finding things that are effective and don't break too much. In other words, I'm understanding better why no one else has taken the plunge for this yet... :( I only wish some end-user was willing to pay for this sort of thing, but I guess most business people get upset about security after the fact more than they get worried about it in advance.

Hopefully it won't screw up too much stuff and will result in far cleaner and safer code... it seems to be heading in that direction at least.

-David


On Feb 9, 2009, at 1:09 AM, Jacques Le Roux wrote:

Thanks David,

I saw you have used such a solution for other cases. I should have thought about that

Jacques

From: <jone...@apache.org>
Author: jonesde
Date: Mon Feb  9 02:34:23 2009
New Revision: 742234

URL: http://svn.apache.org/viewvc?rev=742234&view=rev
Log:
Fixed issue with general html encoding of String objects in FTL files being applied to dynamic JavaScript from groovy files by leaving them as StringBuffers, ie just removing the toString calls

Modified:
    ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy
    ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
    ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl

Modified: ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy?rev=742234&r1=742233&r2=742234&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy (original)
+++ ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy Mon Feb  9 02:34:23 2009
@@ -303,7 +303,7 @@
                   jsBuf.append(variantPriceJS.toString());
                   jsBuf.append("</script>");

-                    context.virtualJavaScript = jsBuf.toString();
+                    context.virtualJavaScript = jsBuf;
               }
           }
       }
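Review bot: the fix relies on the FTL auto-encoder skipping non-String objects, so the deliberate absence of toString() on `context.virtualJavaScript = jsBuf;` deserves a one-line comment; otherwise a future cleanup that restores `jsBuf.toString()` will silently re-enable the HTML encoding of this script block. Since the buffer now reaches the page unencoded, everything appended to it, including `variantPriceJS.toString()` at the top of the hunk, has to be safe to emit inside `<script>...</script>`: any request- or database-derived string in that content needs JavaScript-string escaping, which HTML encoding was never the right tool for in a script context anyway.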

Modified: ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy?rev=742234&r1=742233&r2=742234&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy (original)
+++ ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy Mon Feb  9 02:34:23 2009
@@ -375,7 +375,7 @@
                   jsBuf.append(variantPriceJS.toString());
                   jsBuf.append("</script>");

-                    context.virtualJavaScript = jsBuf.toString();
+                    context.virtualJavaScript = jsBuf;
               }
           }
       }
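Review bot: this is the same edit as in InlineProductDetail.groovy, and the surrounding lines (variantPriceJS appended, `</script>` closed, buffer assigned to `context.virtualJavaScript`) are identical in both scripts. Rather than maintaining the encoding opt-out in two places, consider moving the variant-price script generation into one shared helper so that the decision to bypass encoding, and the comment justifying it, live in a single spot and cannot drift apart.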

Modified: ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl?rev=742234&r1=742233&r2=742234&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl (original)
+++ ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/Header.ftl Mon Feb  9 02:34:23 2009
@@ -37,7 +37,6 @@
<link rel="stylesheet" href="<@ofbizContentUrl>$ {styleSheet}</@ofbizContentUrl>" type="text/css"/>
       </#list>
   </#if>
-    ${layoutSettings?if_exists.extraHead?if_exists}

   <#-- Append CSS for catalog -->
   <#if catalogStyleSheet?exists>
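Review bot: dropping `${layoutSettings?if_exists.extraHead?if_exists}` removes the extraHead include from the webpos header entirely, and the log message says nothing about it; it only describes the StringBuffer change in the groovy files. If the line goes because extraHead now gets HTML-encoded and renders as visible text, say so in the log and note whether webpos loses any head markup that was configured through layoutSettings.extraHead; if that content is still wanted, keep the include and exempt it from encoding the same way the JavaScript buffers were, rather than deleting it.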
