Thanks David for your reply. Please see my comments inline:

David E Jones wrote:

This seems more like a discussion than relevant to the closed issue, so replying to the dev list:


On Feb 14, 2009, at 1:13 AM, Ashish Nagar (JIRA) wrote:


[ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673478#action_12673478 ]

Ashish Nagar commented on OFBIZ-2189:
-------------------------------------

Thanks David for providing the fix for this issue. But I still have some doubts on that statement of StringUtil.java,

// check for "<", ">"
if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {

Some things I found are:

1) The same condition is checked on both sides of the OR. (I hope the second condition should be a check for the ">" sign.)

Yes, good catch! That is fixed in SVN rev 744420.
/Thanks David./

2) Now anyone can put in Entity Engine XML documents without bothering about the syntax of the initial tag <entity-engine-xml>; instead he can start with "><entity-engine-xml>".

Actually, the services now have the allow-html="any" set, so either one will pass through fine.

Before that was set, neither would pass through, because with the ">=" it will look for the character anywhere in the string (i.e. the first character doesn't matter).

/Thanks, but I suppose there should be more strictness about the syntax to be followed./

3) An admin user can put any type of text (other than XML docs) inside the enclosing <entity-engine-xml> tags and can click on the import text button. (There should be an error message asking for XML tags.)

I'm not sure what you mean by this, could you elaborate... perhaps with some examples?
/For example, if I put <Party partyId="admin" partyTypeId="PERSON"/> (syntactically correct) inside the enclosing entity-engine tags, that will be fine. But if I put any other text like "a,b,c,d....Blah blah" inside these tags, it should not be admitted. I think this is also because of the reason you explained in point 2. But this should again be validated against the syntax./

However, I wonder about this condition, "if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {", as it will check the initial occurrence of "<" in the given text. But what I found is that in StringUtil.java the value object does not contain the imported text value. So value.indexOf("<") always evaluates to -1, and the input value is not validated for these symbols.

Maybe you should look closer, it sounds like you might have been looking at it processing a different String than the one you thought it was.
/I think the text that is passed while importing the XML text is not getting set inside the "value" object in the StringUtil class. So there is no chance to validate this imported data. I tried to get the value of value.indexOf("<") and found it to be equal to -1 always, whatever tags are passed./

-David


-Ashish Nagar
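An added illustration of the duplicated-condition defect discussed in the thread (not OFBiz's own code; the class and method names are hypothetical): the quoted check beside the corrected one, run over a few constructed inputs so the missed case is visible.

```java
// Added example, not OFBiz's own code: contrasts the angle-bracket check as quoted
// from StringUtil.java (both sides of the OR testing "<") with the corrected form.
// Class and method names are hypothetical.
import java.util.List;

public class AngleBracketCheck {

    // The condition as quoted in the thread: the second test is a copy of the
    // first, so a value that contains only ">" is never flagged.
    static boolean containsAngleBracketsBuggy(String value) {
        return value.indexOf("<") >= 0 || value.indexOf("<") >= 0;
    }

    // Corrected condition: flag a value containing either bracket anywhere in the
    // string, which is what indexOf(...) >= 0 means (the position is irrelevant).
    static boolean containsAngleBracketsFixed(String value) {
        return value.indexOf("<") >= 0 || value.indexOf(">") >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs
        List<String> samples = List.of(
            "plain text, no markup",
            "<entity-engine-xml/>",    // leading "<": both checks flag it
            "><entity-engine-xml>",    // starts with ">", still contains "<"
            "a > b");                  // only ">": the buggy check misses this
        for (String s : samples) {
            System.out.printf("%-26s buggy=%-5b fixed=%b%n",
                    s, containsAngleBracketsBuggy(s), containsAngleBracketsFixed(s));
        }
    }
}
```

Note that both variants only detect the presence of a bracket; neither one checks that the enclosed text is well-formed Entity Engine XML, which is the separate point raised in item 3.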
