[ https://issues.apache.org/jira/browse/OFBIZ-2645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12722465#action_12722465 ]
Harmeet Bedi commented on OFBIZ-2645:
-------------------------------------

Wondering if one should sanitize on the display side to address the security issue. Would something similar to 'gettext' from the DOM do that? I feel the system should take the input the user desires to input and render what is safe.

I think there is a single point on the renderer side, ModelFormField:getEntry, where the security sanitization could be applied. This would also allow improvements on the rendering side to be made or new types of renderers to be added. E.g. we (www.emforium.com) have a GWT-based renderer that works well with HTML (would like to contribute if I figure out how).

allow-html='safe' seems nicer than 'none' from a functionality POV, but not sure how safe or how efficient. OFBiz has CMS aspects; input restrictions could impede making CMS aspects richer.

If 'safe' seems acceptable, please do make the change and I will test it. Personally I prefer 'none' and sanitize on the rendering side. Can make patches for the rendering side if you want me to do that.

> allow-html in service validation is too restrictive
> ---------------------------------------------------
>
> Key: OFBIZ-2645
> URL: https://issues.apache.org/jira/browse/OFBIZ-2645
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Harmeet Bedi
> Fix For: SVN trunk
>
> Attachments: allow-html.diff
>
>
> Service 'IN' parameters are validated. Default is allow-html='none'.
> This filters out all the HTML chars, e.g. one cannot set this text "Tom's age is likely > Paul's age"; '>' is not allowed.
> Renderers already escape HTML, so it may be best to keep validation allow-html='any'. If a service has a need to constrain, the service should specify allow-html explicitly.
> Attaching patch. Please let me know if this does not make sense.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
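An added illustration of the two strategies the comment contrasts: rejecting HTML-significant characters at service validation time versus storing the text as entered and escaping it when rendered. This is example code written for this page, not OFBiz code; the `acceptedByInputValidation` check is an assumed simplification of what allow-html='none' does, and the "hostile" input is a constructed sample.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Simplified model of input-side rejection vs. render-side escaping (not OFBiz code). */
public class AllowHtmlDemo {

    /** Assumed approximation of allow-html='none': reject any value containing HTML-significant characters. */
    static boolean acceptedByInputValidation(String value) {
        return value.indexOf('<') < 0 && value.indexOf('>') < 0 && value.indexOf('&') < 0;
    }

    /** Render-side escaping: characters with HTML meaning become entities, so whatever the
     *  service stored is displayed as literal text rather than interpreted as markup. */
    static String escapeForHtml(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Map<String, String> inputs = new LinkedHashMap<>();
        inputs.put("legitimate", "Tom's age is likely > Paul's age"); // the example text from the issue
        inputs.put("hostile", "<script>alert(1)</script>");          // constructed markup input
        for (Map.Entry<String, String> e : inputs.entrySet()) {
            String v = e.getValue();
            // The legitimate value is refused by the 'none' check because of '>', yet once escaped
            // at render time it is harmless; the hostile value is neutralised by escaping either way.
            System.out.printf("%-10s accepted by input validation: %-5s rendered as: %s%n",
                    e.getKey(), acceptedByInputValidation(v), escapeForHtml(v));
        }
    }
}
```

Running it shows the legitimate comparison being refused at input while its escaped rendering is safe, which is the trade-off the comment and the issue description are weighing.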