This seems more like a discussion than relevant to the closed issue, so replying to the dev list:


On Feb 14, 2009, at 1:13 AM, Ashish Nagar (JIRA) wrote:


[ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673478 #action_12673478 ]

Ashish Nagar commented on OFBIZ-2189:
-------------------------------------

Thanks David for providing a fix for this issue. But I still have some doubts on that statement of StringUtil.java,

// check for "<", ">"
if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {

Some things I found are:

1) The same condition is checked on both sides of the OR. (I hope the second condition should be a check for the ">" sign.)

Yes, good catch! That is fixed in SVN rev 744420.

2) Now anyone can put in Entity Engine XML documents without bothering with the syntax of the initial tag <entity-engine-xml>; instead he can start with "><entity-engine-xml>".

Actually, the services now have the allow-html="any" set, so either one will pass through fine.

Before that was set, neither would pass through, because with the ">=" it will look for the character anywhere in the string (i.e. the first character doesn't matter).

3) An admin user can put any type of text (other than XML docs) inside the enclosing <entity-engine-xml> tags and can click on the import text button. (There should be an error message asking to put in XML tags.)

I'm not sure what you mean by this, could you elaborate... perhaps with some examples?

However, I wonder, as this condition "if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {" will check the initial occurrence of "<" in the given text. But what I found is that in StringUtil.java the value object does not contain the imported text value. So value.indexOf("<") always evaluates to -1, and the input value is not validated for these symbols.

Maybe you should look closer, it sounds like you might have been looking at it processing a different String than the one you thought it was.

-David
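The angle-bracket check discussed in this thread, as an added example that is not part of the original messages or of OFBiz's own StringUtil code. The class and method names are hypothetical; the flawed condition is reproduced verbatim next to the corrected one, and the allowAny flag only models a caller that has declared it accepts any markup (the thread's allow-html="any"), not the real service-definition mechanism.

```java
// Added example, not OFBiz code. Shows why the duplicated indexOf("<")
// condition quoted in the thread misses values containing only ">",
// and what the corrected condition does instead.
public class AngleBracketCheckExample {

    // Reproduces the flawed condition from the thread: both sides test "<",
    // so a value that contains ">" but no "<" is never rejected.
    static boolean rejectsBuggy(String value) {
        return value.indexOf("<") >= 0 || value.indexOf("<") >= 0;
    }

    // Corrected condition: the second test looks for ">". Because indexOf
    // returns the position anywhere in the string, the character does not
    // have to be first for the check to fire.
    static boolean rejectsFixed(String value) {
        return value.indexOf("<") >= 0 || value.indexOf(">") >= 0;
    }

    // Hypothetical caller (an assumption of this example): allowAny stands in
    // for a parameter that has declared it accepts any markup; otherwise the
    // strict, corrected check applies.
    static boolean isAccepted(String value, boolean allowAny) {
        if (allowAny) {
            return true;
        }
        return !rejectsFixed(value);
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the cases raised in the thread.
        String[] samples = {
            "plain text",
            "<entity-engine-xml/>",
            "><entity-engine-xml/>",
            "a > b"
        };
        for (String s : samples) {
            System.out.printf(
                "%-26s buggyRejects=%-5b fixedRejects=%-5b strictAccepts=%-5b allowAnyAccepts=%b%n",
                "\"" + s + "\"",
                rejectsBuggy(s),
                rejectsFixed(s),
                isAccepted(s, false),
                isAccepted(s, true));
        }
    }
}
```

Running the class shows the difference on the last sample: the buggy condition lets "a > b" through because it never looks for ">", while the corrected one rejects it. Both versions reject the two XML samples, since "<" appears somewhere in each string regardless of whether it is the first character; only the allowAny path accepts them.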

