[ https://issues.apache.org/jira/browse/OFBIZ-2645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12722465#action_12722465 ]

Harmeet Bedi commented on OFBIZ-2645:
-------------------------------------

Wondering if one should sanitize on the display side to address the security 
issue. Would something similar to 'gettext' from the DOM do that?
I feel the system should take the input the user desires to input and render what 
is safe.
I think there is a single point on the renderer side, ModelFormField:getEntry, 
where the security sanitization could be applied.
This would also allow improvements on the rendering side to be made or 
new types of renderers added, e.g. we (www.emforium.com) have a GWT-based 
renderer that works well with HTML (would like to contribute if I figure out 
how).

allow-html='safe' seems nicer than 'none' from a functionality POV, but not sure 
how safe or how efficient. OFBiz has CMS aspects; input restrictions could 
impede making CMS aspects richer. If 'safe' seems acceptable, please do make 
the change and I will test it. Personally I prefer 'none' and sanitizing on the 
rendering side; I can make patches for the rendering side if you want me to do that.


> allow-html in service validation is too restrictive
> ---------------------------------------------------
>
>                 Key: OFBIZ-2645
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2645
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Harmeet Bedi
>             Fix For: SVN trunk
>
>         Attachments: allow-html.diff
>
>
> Service 'IN' parameters are validated. Default is allow-html='none'.
> This filters out all the HTML chars, e.g. one cannot set this text "Tom's age 
> is likely > Paul's age"
> '>' is not allowed.
> Renderers already escape HTML, so it may be best to keep validation 
> allow-html='any'. If a service has a need to constrain, the service should specify 
> allow-html explicitly.
> Attaching patch. Please let me know if this does not make sense.
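As an added example (not code from OFBiz or from the commenter), the three policies under discussion side by side in Python: an allow-html='none' check that rejects the issue's "Tom's age is likely > Paul's age" text, an 'any' pass-through paired with display-side escaping at a single point, and a 'safe' allow-list sanitizer. The reject set, the allowed tag list and the function names are assumptions chosen for the demonstration.

```python
import html
from html.parser import HTMLParser

# Added illustration of the allow-html policies discussed in OFBIZ-2645. Not
# OFBiz code: the names mirror allow-html='none'/'any'/'safe', but the concrete
# rules (what 'none' rejects, which tags 'safe' keeps) are assumptions.
HTML_SIGNIFICANT = set("<>&\"'")   # assumed reject set for 'none'
SAFE_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}  # assumed
DROP_CONTENT = {"script", "style"}  # tags whose whole body is discarded

def validate_none(value: str) -> str:
    """allow-html='none': refuse any HTML-significant character, even in plain
    prose such as the issue's "Tom's age is likely > Paul's age" example."""
    bad = sorted({ch for ch in value if ch in HTML_SIGNIFICANT})
    if bad:
        raise ValueError(f"allow-html='none' rejects characters {bad}")
    return value

def validate_any(value: str) -> str:
    """allow-html='any': store the input unchanged; safety is the renderer's job."""
    return value

class _SafeHtml(HTMLParser):
    """allow-html='safe': keep allow-listed tags stripped of all attributes,
    re-escape every text node, and drop script/style bodies entirely."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in SAFE_TAGS and not self.skip:
            self.out.append(f"<{tag}>")  # attributes such as onclick are dropped
    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_CONTENT:       # a self-closing script has no body
            self.handle_starttag(tag, attrs)  # <br/> becomes <br>
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in SAFE_TAGS and not self.skip and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:  # parser decoded charrefs, so escape the text again
            self.out.append(html.escape(data, quote=True))

def sanitize_safe(value: str) -> str:
    p = _SafeHtml()
    p.feed(value); p.close()
    return "".join(p.out)

def render_escaped(value: str) -> str:  # display-side escaping at one point
    return html.escape(value, quote=True)
```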

-- 
This message is automatically generated by JIRA.