I don't see what the problem is.
Service A, foo parameter includes "alert(...);", that code is stripped
from foo parameter, then Service A invokes Service B with foo parameter,
Service B has a cleaned version of foo.
It's not that complicated.
Adrian Crum
Sandglass Software
www.sandglass-software.com
On 10/28/2013 5:48 AM, Jacques Le Roux wrote:
This was done by David and I believe he was right on this. See his comment at
http://svn.apache.org/viewvc?view=revision&revision=751990
If we want to handle "safe" we would need to treat direct service calls and
services calling other services differently
It would get overcomplicated and anyway I don't think we need that.
Jacques
Adrian Crum wrote:
Why don't we change it so allow-html="safe" does what it says - allow
only "safe" HTML?
Adrian Crum
Sandglass Software
www.sandglass-software.com
On 10/28/2013 12:44 AM, Jacques Le Roux wrote:
Hi,
I wonder if we should not backport in releases the changes I will do for
https://issues.apache.org/jira/browse/OFBIZ-5254?focusedCommentId=13806604
Though it's not a real bug, the reason to ask is because it disturbed many
people, even seasoned ones
http://markmail.org/message/zisndi3zwfmdkn2u
Opinions?
Jacques
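The flow Adrian describes at the top of the thread (Service A sanitizes the foo parameter, then calls Service B, which only ever sees the cleaned value), as an added example that is not part of the original thread and not OFBiz code. It is written in Python rather than OFBiz's Java so it runs stand-alone; the allowlist of tags, attributes and URL schemes is an assumed "safe" policy, and service_a / service_b are hypothetical names standing in for the two chained services.

```python
"""Allowlist HTML sanitizer plus a two-service chain.

Hypothetical example, not OFBiz code: the "safe" policy below (SAFE_TAGS,
SAFE_ATTRS, SAFE_SCHEMES) and the service names are assumptions made for
illustration.
"""
from html import escape
from html.parser import HTMLParser

# Assumed "safe" policy: only these tags/attributes survive sanitization.
SAFE_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
SAFE_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class SafeHtmlSanitizer(HTMLParser):
    """Rebuilds markup from an allowlist; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1  # drop the element and its text
            return
        if self._skip_depth or tag not in SAFE_TAGS:
            return  # unknown tag: drop the tag, keep its inner text
        kept = []
        for name, value in attrs:
            if name not in SAFE_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick= and any other unlisted attribute
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in SAFE_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Text is re-escaped so stray '<' or '&' cannot form new markup.
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize_safe(html):
    """Apply the assumed 'safe' policy and return the cleaned HTML string."""
    parser = SafeHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


def service_b(context):
    """Downstream service (hypothetical): stores whatever foo it is given."""
    return {"stored": context["foo"]}


def service_a(context):
    """Entry service (hypothetical) whose foo is declared allow-html="safe":
    sanitize once on the way in, then chain to service_b with the clean value."""
    cleaned = sanitize_safe(context["foo"])
    return service_b({"foo": cleaned})


if __name__ == "__main__":
    # Constructed sample input carrying an inline script, an event handler
    # and a javascript: link; all three are removed before service_b runs.
    sample = ('<p>Hello <b onclick="alert(1)">world</b>'
              '<script>alert("x");</script>'
              '<a href="javascript:alert(2)">link</a></p>')
    print(service_a({"foo": sample})["stored"])
```

Because service_b receives the context that service_a built, the downstream service never sees the raw input; the question in the thread is whether a *direct* call to service_b (bypassing service_a) should be sanitized again, which this example does not attempt to resolve.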