Hi Jacques, Deepak,
we could add the method that Deepak is proposing, for backward
compatibility, with a deprecation warning and plan for removing it before
we create our next release branch.
Jacopo
On Mon, Oct 12, 2015 at 11:50 PM, Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:
> Hi Deepak,
>
> Thanks for the interest. I had exactly the same idea initially. There are
> indeed 600+ "'html" cases vs 80+ "url" ones.
>
> But then I thought that some people will maybe not notice the difference
> and will always use the shorten version (the "html" one). Because it's
> about security (low one fortunately) I decided to not go that way.
>
> This said, I'm not against it, simply it should be discussed ;)
>
> Also I did not backport (yet) to older releases than R14, but this should
> be considered indeed. You can never be sure someone is not able to inject
> some SQL somehow to create a static XSS exploit :/
>
> Cheers
>
> Jacques
>
>
>
>
> Le 12/10/2015 09:25, Deepak Dixit a écrit :
>
>> Hi Jacques,
>>
>> I think we fixed all these ContentWrapper* code in trunk code base, but
>> it
>> will affect lot of custom code as well.
>> So IMO we have to maintain backward compatibility as well.
>>
>> Can we add an get method that will use the default encoding as html?
>>
>> As we generally used ContentWrapper to render the Content (generally
>> html/text) so we can add get method with default encoding as html e.g.
>>
>> {code}
>> public String get(String contentTypeId) {
>> return get (contentTypeId, "html")
>> }
>> {code}
>>
>> Thanks & Regards
>> --
>> Deepak Dixit
>> www.hotwaxsystems.com
>>
>> On Sat, Oct 10, 2015 at 4:08 PM, <jler...@apache.org
>> <javascript:_e(%7B%7D,'cvml','jler...@apache.org');>> wrote:
>>
>> Author: jleroux
>>> Date: Sat Oct 10 10:38:49 2015
>>> New Revision: 1707857
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1707857&view=rev
>>> Log:
>>> Fixes "ecommerce screen exception"
>>> https://issues.apache.org/jira/browse/OFBIZ-6665 reported by Wai
>>>
>>> I missed this hidden ProductConfigItemContentWrapper class while working
>>> on r1705329 and sequels. I checked there are no other *ContentWrapper
>>> classes left now.
>>>
>>> Modified:
>>>
>>>
>>> ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigItemContentWrapper.java
>>>
>>>
>>> ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigWrapper.java
>>>
>>>
>>> ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/catalog/configproductdetail.ftl
>>>
>>> Modified:
>>>
>>> ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigItemContentWrapper.java
>>> URL:
>>>
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigItemContentWrapper.java?rev=1707857&r1=1707856&r2=1707857&view=diff
>>>
>>>
>>> ==============================================================================
>>> ---
>>>
>>> ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigItemContentWrapper.java
>>> (original)
>>> +++
>>>
>>> ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigItemContentWrapper.java
>>> Sat Oct 10 10:38:49 2015
>>> @@ -22,7 +22,6 @@ import java.io.IOException;
>>> import java.io.StringWriter;
>>> import java.io.Writer;
>>> import java.util.HashMap;
>>> -import java.util.List;
>>> import java.util.Locale;
>>> import java.util.Map;
>>>
>>> @@ -30,9 +29,13 @@ import javax.servlet.http.HttpServletReq
>>>
>>> import org.ofbiz.base.util.Debug;
>>> import org.ofbiz.base.util.GeneralException;
>>> +import org.ofbiz.base.util.StringUtil;
>>> +import org.ofbiz.base.util.StringUtil.StringWrapper;
>>> +import org.ofbiz.base.util.UtilCodec;
>>> import org.ofbiz.base.util.UtilHttp;
>>> import org.ofbiz.base.util.UtilValidate;
>>> import org.ofbiz.content.content.ContentWorker;
>>> +import org.ofbiz.content.content.ContentWrapper;
>>> import org.ofbiz.entity.Delegator;
>>> import org.ofbiz.entity.DelegatorFactory;
>>> import org.ofbiz.entity.GenericValue;
>>> @@ -46,7 +49,7 @@ import org.ofbiz.service.ServiceContaine
>>> * Product Config Item Content Worker: gets product content to display
>>> */
>>> @SuppressWarnings("serial")
>>> -public class ProductConfigItemContentWrapper implements
>>> java.io.Serializable {
>>> +public class ProductConfigItemContentWrapper implements ContentWrapper {
>>>
>>> public static final String module =
>>> ProductConfigItemContentWrapper.class.getName();
>>>
>>> @@ -83,8 +86,8 @@ public class ProductConfigItemContentWra
>>> this.mimeTypeId = "text/html";
>>> }
>>>
>>> - public String get(String confItemContentTypeId) {
>>> - return getProductConfigItemContentAsText(productConfigItem,
>>> confItemContentTypeId, locale, mimeTypeId, getDelegator(),
>>> getDispatcher());
>>> + public StringWrapper get(String confItemContentTypeId, String
>>> encoderType) {
>>> + return
>>>
>>> StringUtil.makeStringWrapper(getProductConfigItemContentAsText(productConfigItem,
>>> confItemContentTypeId, locale, mimeTypeId, getDelegator(),
>>> getDispatcher(),
>>> encoderType));
>>> }
>>>
>>> public Delegator getDelegator() {
>>> @@ -101,32 +104,36 @@ public class ProductConfigItemContentWra
>>> return dispatcher;
>>> }
>>>
>>> - public static String getProductConfigItemContentAsText(GenericValue
>>> productConfigItem, String confItemContentTypeId, HttpServletRequest
>>> request) {
>>> + public static String getProductConfigItemContentAsText(GenericValue
>>> productConfigItem, String confItemContentTypeId, HttpServletRequest
>>> request, String encoderType) {
>>> LocalDispatcher dispatcher = (LocalDispatcher)
>>> request.getAttribute("dispatcher");
>>> - return getProductConfigItemContentAsText(productConfigItem,
>>> confItemContentTypeId, UtilHttp.getLocale(request), "text/html",
>>> productConfigItem.getDelegator(), dispatcher);
>>> + return getProductConfigItemContentAsText(productConfigItem,
>>> confItemContentTypeId, UtilHttp.getLocale(request), "text/html",
>>> productConfigItem.getDelegator(), dispatcher, encoderType);
>>> }
>>>
>>> - public static String getProductConfigItemContentAsText(GenericValue
>>> productConfigItem, String confItemContentTypeId, Locale locale,
>>> LocalDispatcher dispatcher) {
>>> - return getProductConfigItemContentAsText(productConfigItem,
>>> confItemContentTypeId, locale, null, null, dispatcher);
>>> + public static String getProductConfigItemContentAsText(GenericValue
>>> productConfigItem, String confItemContentTypeId, Locale locale,
>>> LocalDispatcher dispatcher, String encoderType) {
>>> + return getProductConfigItemContentAsText(productConfigItem,
>>> confItemContentTypeId, locale, null, null, dispatcher, encoderType);
>>> }
>>>
>>> - public static String getProductConfigItemContentAsText(GenericValue
>>> productConfigItem, String confItemContentTypeId, Locale locale, String
>>> mimeTypeId, Delegator delegator, LocalDispatcher dispatcher) {
>>> + public static String getProductConfigItemContentAsText(GenericValue
>>> productConfigItem, String confItemContentTypeId, Locale locale, String
>>> mimeTypeId, Delegator delegator, LocalDispatcher dispatcher, String
>>> encoderType) {
>>> + UtilCodec.SimpleEncoder encoder =
>>> UtilCodec.getEncoder(encoderType);
>>> String candidateFieldName =
>>> ModelUtil.dbNameToVarName(confItemContentTypeId);
>>> try {
>>> Writer outWriter = new StringWriter();
>>> getProductConfigItemContentAsText(null, productConfigItem,
>>> confItemContentTypeId, locale, mimeTypeId, delegator, dispatcher,
>>> outWriter);
>>> String outString = outWriter.toString();
>>> if (outString.length() > 0) {
>>> - return outString;
>>> + return encoder.encode(outString);
>>> } else {
>>> - return null;
>>> + String candidateOut =
>>> productConfigItem.getModelEntity().isField(candidateFieldName) ?
>>> productConfigItem.getString(candidateFieldName): "";
>>> + return candidateOut == null? "" :
>>> encoder.encode(candidateOut);
>>> }
>>> } catch (GeneralException e) {
>>> Debug.logError(e, "Error rendering ProdConfItemContent,
>>> inserting empty String", module);
>>> - return productConfigItem.getString(candidateFieldName);
>>> + String candidateOut =
>>> productConfigItem.getModelEntity().isField(candidateFieldName) ?
>>> productConfigItem.getString(candidateFieldName): "";
>>> + return candidateOut == null? "" :
>>> encoder.encode(candidateOut);
>>> } catch (IOException e) {
>>> Debug.logError(e, "Error rendering ProdConfItemContent,
>>> inserting empty String", module);
>>> - return productConfigItem.getString(candidateFieldName);
>>> + String candidateOut =
>>> productConfigItem.getModelEntity().isField(candidateFieldName) ?
>>> productConfigItem.getString(candidateFieldName): "";
>>> + return candidateOut == null? "" :
>>> encoder.encode(candidateOut);
>>> }
>>> }
>>>
>>>
>>> Modified:
>>>
>>> ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigWrapper.java
>>> URL:
>>>
>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigWrapper.java?rev=1707857&r1=1707856&r2=1707857&view=diff
>>>
>>>
>>> ==============================================================================
>>> ---
>>>
>>> ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigWrapper.java
>>> (original)
>>> +++
>>>
>>> ofbiz/trunk/applications/product/src/org/ofbiz/product/config/ProductConfigWrapper.java
>>> Sat Oct 10 10:38:49 2015
>>> @@ -458,7 +458,7 @@ public class ProductConfigWrapper implem
>>> question = configItemAssoc.getString("description");
>>> } else {
>>> if (content != null) {
>>> - question = content.get("DESCRIPTION");
>>> + question = content.get("DESCRIPTION",
>>> "html").toString();
>>> } else {
>>> question = (configItem.getString("description") !=
>>> null? configItem.getString("description"): "");
>>> }
>>> @@ -472,7 +472,7 @@ public class ProductConfigWrapper implem
>>> description =
>>> configItemAssoc.getString("longDescription");
>>> } else {
>>> if (content != null) {
>>> - description = content.get("LONG_DESCRIPTION");
>>> + description = content.get("LONG_DESCRIPTION",
>>> "html").toString();
>>> } else {
>>> description =
>>> (configItem.getString("longDescription") != null?
>>> configItem.getString("longDescription"): "");
>>> }
>>> @@ -665,7 +665,7 @@ public class ProductConfigWrapper implem
>>> }
>>>
>>> public String getOptionName(Locale locale) {
>>> -
>>> +
>>> return (configOption.getString("configOptionName") != null?
>>> (String) configOption.get("configOptionName", locale): "no option name");
>>> }
>>>
>>>
>>> Modified:
>>>
>>> ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/catalog/configproductdetail.ftl
>>> URL:
>>>
>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/catalog/configproductdetail.ftl?rev=1707857&r1=1707856&r2=1707857&view=diff
>>>
>>>
>>> ==============================================================================
>>> ---
>>>
>>> ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/catalog/configproductdetail.ftl
>>> (original)
>>> +++
>>>
>>> ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/catalog/configproductdetail.ftl
>>> Sat Oct 10 10:38:49 2015
>>> @@ -456,8 +456,8 @@ function getConfigDetails(event) {
>>> <div>${question.question}</div>
>>> <#if question.isFirst()>
>>> <a
>>> name='#${question.getConfigItem().getString("configItemId")}'></a>
>>> - <div>${question.description!}</div>
>>> - <#assign instructions =
>>> question.content.get("INSTRUCTIONS")!>
>>> +
>>> <div>${StringUtil.wrapString(question.description!)}</div>
>>> + <#assign instructions =
>>> question.content.get("INSTRUCTIONS", "html")!>
>>> <#if instructions?has_content>
>>> <a
>>>
>>> href="javascript:showErrorAlert("${uiLabelMap.CommonErrorMessage2}","${instructions}");"
>>> class="buttontext">Instructions</a>
>>> </#if>
>>>
>>>
>>>
>>>
>>
