[ https://issues.apache.org/jira/browse/OFBIZ-4316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13053375#comment-13053375 ]
BJ Freeman commented on OFBIZ-4316:
-----------------------------------

Thanks for the clarification. However, for forums I run, they are moderated, so malicious html/js content is not possible.
I do understand that ofbiz must go for worst case.

> Widget $() escapes HTML. StringUtil.wrapString(contentText) throw an error
> --------------------------------------------------------------------------
>
>                 Key: OFBIZ-4316
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4316
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content, framework, specialpurpose/ecommerce
>    Affects Versions: SVN trunk
>            Reporter: BJ Freeman
>              Labels: html, rendering, widget
>             Fix For: SVN trunk
>
>
> from the ForumScreens.xml#ViewForumMessage
> {code}
> <container style="forumtext">
> <label>${contentText}</label>
> {code}
> shows escaped html
> {code}
> * Data Source<br /> * Marketing Campaign<br /> * Tracking Affiliate
> programs<br /> * Segment<br /> * Contact List<br /> * Reports<br /> <a
> class="postlink"
> href="https://demo-trunk.ofbiz.apache.org/marketing/control/main"USERNAME=flexadmin&PASSWORD=ofbiz&JavaScriptEnabled=Y">Demo
> Marketing</a>
> {code}
> replacing
> {code}<label>${contentText}</label>{code}
> with
> {code}${StringUtil.wrapString(contentText).toString()}{code}
> gives this error
> 2011-06-15 18:16:43,200 (TP-Processor13) [ UtilXml.java:1043:ERROR]
> XmlFileLoader: File
> file:specialpurpose/ecommerce/widget/ForumScreens.xml
> process error. Line: 151. Error message: cvc-complex-type.2.3: Element
> 'condition' cannot have character [children], because the type's content
> type is element-only.