ofbiz REST error messages, was: REST, how about 'Login' map

2020-10-01 Thread Hans Bakker

Hi Girish,

again thanks for your help.

I updated my version here, and show the flutter Dio error messages 
better as explained at:

https://pub.dev/packages/dio#handling-errors

and now these error messages are received properly,

Thanks again,

Regards,
Hans Bakker
antwebsystems.com

On 10/2/20 8:25 AM, Girish Vasmatkar wrote:

Hi Hans, if service is returning an error, it should get converted into a
422.

I took your getCompanies service example from your plugin and modified the
service as below

def getCompanies() {
 Map result = success()
 logInfo("service starting with ${parameters.input}")
 result.companies = parameters.input
 return error("this is the error message")
}

And accessed it like

https://localhost:8443/rest
/services/getCompanies?inParams=%7B%0A%20%20%22input%22%3A%20%22string%22%0A%7D

And it returned below error. I had cleaned up some code and added
additional handling yesterday, so might be possible you don't have those
changes. Pl sync once and give it a try again.

{
 "statusCode": 422,
 "statusDescription": "Unprocessable Entity",
 "errorType": "ServiceError",
 "errorMessage": "getCompanies returned error. The request contained invalid information and could not be processed.",
 "errorDescription": "this is the error message"
}

Let me know if it still does not work for you and additionally provide your
service def for me to take a closer look.

Best,
Girish

On Fri, Oct 2, 2020 at 6:07 AM Hans Bakker 
wrote:


Hi Girish,

thanks for the explanation, however if i create a last statement in a
groovy service:
return error("this is the error message")

then i get an error 500 returned, however not showing the error message of
the service.

Regards,

Hans
On 10/2/20 12:14 AM, Girish Vasmatkar wrote:

Thanks Hans.

The error codes are broadly categorized in three types based on what ofbiz
is generating during service call -

1. 400 Bad Request = if ServiceValidationException is thrown. This
indicates client error and client must make amends to the request. Example,
service's required IN parameter were missing in the JSON body.
2. 422 Unprocessable Entity = if GenericEntityException is thrown. This
also indicates client error but also indicates that the request was
syntactically correct but semantically wrong. Example - while creating a
product, productTypeId was provided in the request, but it didn't
exist. This indicates client error again, but the json was not malformed.
3. 404 NotFoundException = if service being invoked does not exist, or is
not declared export=true, or action attribute is not defined.
4. 500 Internal Server Error = Any other category of exception that might
be thrown from the service.

In all three cases, appropriate error messages from the original exception
should be included in the error response.

Best,
Girish
On Thu, Oct 1, 2020 at 1:43 PM Hans Bakker 
wrote:


Hi Girish,

yes userLogin is working fine now,

further i see you are working on the error messages?
would be nice to get the ofbiz error message together with the error code
500?

keep up the good work, it is getting better and better!

Regards,

Hans
On 10/1/20 10:49 AM, Girish Vasmatkar wrote:

Hi Hans,

This is now implemented/fixed with commit 8545cfe.

Best,
Girish
HotWax Systems


On Tue, Sep 29, 2020 at 5:26 PM Hans Bakker 
wrote:


Hi Girish, thanks for your prompt reply,

the login map needs to be filled when the related token is available,
which is currently not the case.

Not sure if this is directly related to the Auth=false parameter, you
know that better,

Regards, Hans
On 9/29/20 4:20 PM, Girish Vasmatkar wrote:

Hi Hans

Since you specifically mentioned about groovy service, I would think it
is true for other services as well.

It would possibly be happening, if the service itself is declared with
auth=false, so no token check is happening and hence userLogin is not
retrieved from the token.
Can you confirm if this is the case? The userLogin is added to the
service call before delegating the service call to dispatcher after jwt has
been verified. But in case of auth=false, services, auth is bypassed and
hence userLogin is not set.

I guess the key here is to bypass token validation if, and only if, the
Authorization header is absent, otherwise perform validation. I had a
discussion about this with Jacopo as well and here is what can be done
(applicable for /services endpoint) -

If auth=false and Authorization header is present, validate token
and return error if invalid. Else set userLogin in context and delegate the
call to dispatcher.
If auth=false and Authorization header is absent, just call the
service. The service will be executed without userLogin in context.

I will try to work on this change in the next couple days.

Best,
Girish
HotWax Systems


Best,
Girish
HotWax Systems
On Tue, Sep 

Re: REST, how about 'Login' map

2020-10-01 Thread Girish Vasmatkar
Hi Hans, if service is returning an error, it should get converted into a
422.

I took your getCompanies service example from your plugin and modified the
service as below

def getCompanies() {
    Map result = success()
    logInfo("service starting with ${parameters.input}")
    result.companies = parameters.input
    return error("this is the error message")
}

And accessed it like

https://localhost:8443/rest
/services/getCompanies?inParams=%7B%0A%20%20%22input%22%3A%20%22string%22%0A%7D

And it returned below error. I had cleaned up some code and added
additional handling yesterday, so might be possible you don't have those
changes. Pl sync once and give it a try again.

{
 "statusCode": 422,
 "statusDescription": "Unprocessable Entity",
 "errorType": "ServiceError",
 "errorMessage": "getCompanies returned error. The request contained invalid information and could not be processed.",
 "errorDescription": "this is the error message"
}

Let me know if it still does not work for you and additionally provide your
service def for me to take a closer look.

Best,
Girish
On Fri, Oct 2, 2020 at 6:07 AM Hans Bakker 
wrote:

> Hi Girish,
>
> thanks for the explanation, however if i create a last statement in a
> groovy service:
> return error("this is the error message")
>
> then i get an error 500 returned, however not showing the error message of
> the service.
>
> Regards,
>
> Hans
> On 10/2/20 12:14 AM, Girish Vasmatkar wrote:
>
> Thanks Hans.
>
> The error codes are broadly categorized in three types based on what ofbiz
> is generating during service call -
>
> 1. 400 Bad Request = if ServiceValidationException is thrown. This
> indicates client error and client must make amends to the request. Example,
> service's required IN parameter were missing in the JSON body.
> 2. 422 Unprocessable Entity = if GenericEntityException is thrown. This
> also indicates client error but also indicates that the request was
> syntactically correct but semantically wrong. Example - while creating a
> product, productTypeId was provided in the request, but it didn't
> exist. This indicates client error again, but the json was not malformed.
> 3. 404 NotFoundException = if service being invoked does not exist, or is
> not declared export=true, or action attribute is not defined.
> 4. 500 Internal Server Error = Any other category of exception that might
> be thrown from the service.
>
> In all three cases, appropriate error messages from the original exception
> should be included in the error response.
>
> Best,
> Girish
>
> On Thu, Oct 1, 2020 at 1:43 PM Hans Bakker 
> wrote:
>
>> Hi Girish,
>>
>> yes userLogin is working fine now,
>>
>> further i see you are working on the error messages?
>> would be nice to get the ofbiz error message together with the error code
>> 500?
>>
>> keep up the good work, it is getting better and better!
>>
>> Regards,
>>
>> Hans
>> On 10/1/20 10:49 AM, Girish Vasmatkar wrote:
>>
>> Hi Hans,
>>
>> This is now implemented/fixed with commit 8545cfe.
>>
>> Best,
>> Girish
>> HotWax Systems
>>
>>
>> On Tue, Sep 29, 2020 at 5:26 PM Hans Bakker 
>> wrote:
>>
>>> Hi Girish, thanks for your prompt reply,
>>>
>>> the login map needs to be filled when the related token is available,
>>> which is currently not the case.
>>>
>>> Not sure if this is directly related to the Auth=false parameter, you
>>> know that better,
>>>
>>> Regards, Hans
>>> On 9/29/20 4:20 PM, Girish Vasmatkar wrote:
>>>
>>> Hi Hans
>>>
>>> Since you specifically mentioned about groovy service, I would think it
>>> is true for other services as well.
>>>
>>> It would possibly be happening, if the service itself is declared with
>>> auth=false, so no token check is happening and hence userLogin is not
>>> retrieved from the token.
>>> Can you confirm if this is the case? The userLogin is added to the
>>> service call before delegating the service call to dispatcher after jwt has
>>> been verified. But in case of auth=false, services, auth is bypassed and
>>> hence userLogin is not set.
>>>
>>> I guess the key here is to bypass token validation if, and only if, the
>>> Authorization header is absent, otherwise perform validation. I had a
>>> discussion about this with Jacopo as well and here is what can be done
>>> (applicable for /services endpoint) -
>>>
>>> If auth=false and Authorization header is present, validate token
>>> and return error if invalid. Else set userLogin in context and delegate the
>>> call to dispatcher.
>>> If auth=false and Authorization header is absent, just call the
>>> service. The service will be executed without userLogin in context.
>>>
>>> I will try to work on this change in the next couple days.
>>>
>>> Best,
>>> Girish
>>> HotWax Systems
>>>
>>> Best,
>>> Girish
>>> HotWax Systems
>>>

Re: REST, how about 'Login' map

2020-10-01 Thread Hans Bakker

Hi Girish,

thanks for the explanation, however if i create a last statement in a 
groovy service:

return error("this is the error message")

then i get an error 500 returned, however not showing the error message 
of the service.


Regards,

Hans

On 10/2/20 12:14 AM, Girish Vasmatkar wrote:

Thanks Hans.

The error codes are broadly categorized in three types based on what 
ofbiz is generating during service call -


1. 400 Bad Request = if ServiceValidationException is thrown. This 
indicates client error and client must make amends to the request. 
Example, service's required IN parameter were missing in the JSON body.
2. 422 Unprocessable Entity = if GenericEntityException is thrown. 
This also indicates client error but also indicates that the request 
was syntactically correct but semantically wrong. Example - while 
creating a product, productTypeId was provided in the request, but 
it didn't exist. This indicates client error again, but the json was 
not malformed.
3. 404 NotFoundException = if service being invoked does not exist, or 
is not declared export=true, or action attribute is not defined.
4. 500 Internal Server Error = Any other category of exception that 
might be thrown from the service.


In all three cases, appropriate error messages from the original 
exception should be included in the error response.


Best,
Girish

On Thu, Oct 1, 2020 at 1:43 PM Hans Bakker wrote:


Hi Girish,

yes userLogin is working fine now,

further i see you are working on the error messages?
would be nice to get the ofbiz error message together with the
error code 500?

keep up the good work, it is getting better and better!

Regards,

Hans

On 10/1/20 10:49 AM, Girish Vasmatkar wrote:

Hi Hans,

This is now implemented/fixed with commit 8545cfe.


Best,
Girish
HotWax Systems


On Tue, Sep 29, 2020 at 5:26 PM Hans Bakker wrote:

Hi Girish, thanks for your prompt reply,

the login map needs to be filled when the related token is
available, which is currently not the case.

Not sure if this is directly related to the Auth=false
parameter, you know that better,

Regards, Hans

On 9/29/20 4:20 PM, Girish Vasmatkar wrote:

Hi Hans

Since you specifically mentioned about groovy service, I
would think it is true for other services as well.

It would possibly be happening, if the service itself is
declared with auth=false, so no token check is happening and
hence userLogin is not retrieved from the token.
Can you confirm if this is the case? The userLogin is added
to the service call before delegating the service call to
dispatcher after jwt has been verified. But in case of
auth=false, services, auth is bypassed and hence userLogin
is not set.

I guess the key here is to bypass token validation if, and
only if, the Authorization header is absent, otherwise
perform validation. I had a discussion about this with
Jacopo as well and here is what can be done (applicable for
/services endpoint) -

If auth=false and Authorization header is present,
validate token and return error if invalid. Else set
userLogin in context and delegate the call to dispatcher.
If auth=false and Authorization header is absent, just
call the service. The service will be executed without
userLogin in context.

I will try to work on this change in the next couple days.

Best,
Girish
HotWax Systems

Best,
Girish
HotWax Systems

On Tue, Sep 29, 2020 at 6:20 AM Hans Bakker wrote:

Hi Girish,

thanks for your last email, that is working now too

however another question,

If i call a service using the token i obtained earlier,
i see that the
userLogin map in the groovy service I called, is null

can you set the login map to the userLogin of the token
that was used so
we know who the user is?

Thanks, Hans




Re: REST, how about 'Login' map

2020-10-01 Thread Girish Vasmatkar
Thanks Hans.

The error codes are broadly categorized in three types based on what ofbiz
is generating during service call -

1. 400 Bad Request = if ServiceValidationException is thrown. This
indicates client error and client must make amends to the request. Example,
service's required IN parameter were missing in the JSON body.
2. 422 Unprocessable Entity = if GenericEntityException is thrown. This
also indicates client error but also indicates that the request was
syntactically correct but semantically wrong. Example - while creating a
product, productTypeId was provided in the request, but it didn't exist.
This indicates client error again, but the json was not malformed.
3. 404 NotFoundException = if service being invoked does not exist, or is
not declared export=true, or action attribute is not defined.
4. 500 Internal Server Error = Any other category of exception that might
be thrown from the service.

In all three cases, appropriate error messages from the original exception
should be included in the error response.

Best,
Girish
On Thu, Oct 1, 2020 at 1:43 PM Hans Bakker 
wrote:

> Hi Girish,
>
> yes userLogin is working fine now,
>
> further i see you are working on the error messages?
> would be nice to get the ofbiz error message together with the error code
> 500?
>
> keep up the good work, it is getting better and better!
>
> Regards,
>
> Hans
> On 10/1/20 10:49 AM, Girish Vasmatkar wrote:
>
> Hi Hans,
>
> This is now implemented/fixed with commit 8545cfe.
>
> Best,
> Girish
> HotWax Systems
>
>
> On Tue, Sep 29, 2020 at 5:26 PM Hans Bakker 
> wrote:
>
>> Hi Girish, thanks for your prompt reply,
>>
>> the login map needs to be filled when the related token is available, which
>> is currently not the case.
>>
>> Not sure if this is directly related to the Auth=false parameter, you
>> know that better,
>>
>> Regards, Hans
>> On 9/29/20 4:20 PM, Girish Vasmatkar wrote:
>>
>> Hi Hans
>>
>> Since you specifically mentioned about groovy service, I would think it
>> is true for other services as well.
>>
>> It would possibly be happening, if the service itself is declared with
>> auth=false, so no token check is happening and hence userLogin is not
>> retrieved from the token.
>> Can you confirm if this is the case? The userLogin is added to the
>> service call before delegating the service call to dispatcher after jwt has
>> been verified. But in case of auth=false, services, auth is bypassed and
>> hence userLogin is not set.
>>
>> I guess the key here is to bypass token validation if, and only if, the
>> Authorization header is absent, otherwise perform validation. I had a
>> discussion about this with Jacopo as well and here is what can be done
>> (applicable for /services endpoint) -
>>
>> If auth=false and Authorization header is present, validate token
>> and return error if invalid. Else set userLogin in context and delegate the
>> call to dispatcher.
>> If auth=false and Authorization header is absent, just call the
>> service. The service will be executed without userLogin in context.
>>
>> I will try to work on this change in the next couple days.
>>
>> Best,
>> Girish
>> HotWax Systems
>>
>> Best,
>> Girish
>> HotWax Systems
>>
>> On Tue, Sep 29, 2020 at 6:20 AM Hans Bakker 
>> wrote:
>>
>>> Hi Girish,
>>>
>>> thanks for your last email, that is working now too
>>>
>>> however another question,
>>>
>>> If i call a service using the token i obtained earlier, i see that the
>>> userLogin map in the groovy service I called, is null
>>>
>>> can you set the login map to the userLogin of the token that was used so
>>> we know who the user is?
>>>
>>> Thanks, Hans
>>>
>>>
>>>
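The two mechanisms discussed in this thread, the mapping of service outcomes to HTTP status codes (400/422/404/500, plus a 422 for a Groovy service that ends in `return error(...)`) and the proposed auth=false policy for the /services endpoint (validate the Authorization header whenever it is present, skip validation only when it is absent), modelled together in one small dispatcher. This is an added example, not code from Apache OFBiz or from the plugin mentioned in the thread: the service registry, the token format (an HMAC-SHA256 signed payload standing in for the JWT), and the 401 used when a presented token is invalid or a required one is missing are all constructed for the illustration; the thread itself only says "return error" for that case.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key standing in for the server's JWT secret.
SECRET = b"constructed-demo-secret"


# Exception names mirror the ones the thread maps to HTTP status codes.
class ServiceValidationException(Exception):
    pass


class GenericEntityException(Exception):
    pass


# Constructed token format: base64url(JSON payload) "." hex(HMAC-SHA256(payload)).
def mint_token(user_login_id):
    payload = json.dumps({"userLoginId": user_login_id}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token):
    """Return the userLoginId carried by a valid token, or None if it is invalid."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return json.loads(payload).get("userLoginId")


# Constructed services; the dicts in SERVICES stand in for service definitions.
def get_companies(context):
    if "input" not in context:
        raise ServiceValidationException("required IN parameter 'input' is missing")
    # A Groovy service ending in `return error("...")` is modelled as this dict.
    return {"responseMessage": "error", "errorMessage": "this is the error message"}


def create_product(context):
    if context.get("productTypeId") != "FINISHED_GOOD":
        raise GenericEntityException("productTypeId %r does not exist" % context.get("productTypeId"))
    return {"responseMessage": "success", "productId": "DEMO-1"}


def who_am_i(context):
    user = context.get("userLogin")
    return {"responseMessage": "success", "userLoginId": user["userLoginId"] if user else None}


SERVICES = {
    "getCompanies": {"fn": get_companies, "auth": False, "export": True},
    "createProduct": {"fn": create_product, "auth": True, "export": True},
    "whoAmI": {"fn": who_am_i, "auth": False, "export": True},
    "internalOnly": {"fn": who_am_i, "auth": True, "export": False},
    "boom": {"fn": lambda ctx: 1 // 0, "auth": False, "export": True},  # any other exception
}

STATUS_TEXT = {400: "Bad Request", 401: "Unauthorized", 404: "Not Found",
               422: "Unprocessable Entity", 500: "Internal Server Error"}


def error_body(status, error_type, message, description):
    """Error document in the shape shown in the thread."""
    return {"statusCode": status, "statusDescription": STATUS_TEXT[status],
            "errorType": error_type, "errorMessage": message,
            "errorDescription": description}


def handle_services_request(name, headers, in_params):
    """Dispatch /services/<name>; returns (http_status, response_body)."""
    svc = SERVICES.get(name)
    if svc is None or not svc["export"]:
        return 404, error_body(404, "NotFoundException",
                               "service %s does not exist or is not exported" % name, "")
    context = dict(in_params)
    auth_header = headers.get("Authorization")
    if auth_header is not None:
        # Header present: validate even for auth=false services and reject if invalid.
        user_login_id = verify_token(auth_header.split(" ", 1)[-1])
        if user_login_id is None:
            return 401, error_body(401, "AuthenticationError", "token validation failed", "")
        context["userLogin"] = {"userLoginId": user_login_id}
    elif svc["auth"]:
        return 401, error_body(401, "AuthenticationError", "Authorization header required", "")
    # auth=false and no header: the service runs without userLogin in context.
    try:
        result = svc["fn"](context)
    except ServiceValidationException as e:
        return 400, error_body(400, "ServiceValidationException", "%s validation failed" % name, str(e))
    except GenericEntityException as e:
        return 422, error_body(422, "GenericEntityException", "%s hit an entity error" % name, str(e))
    except Exception as e:
        return 500, error_body(500, type(e).__name__, "%s failed unexpectedly" % name, str(e))
    if result.get("responseMessage") == "error":
        return 422, error_body(422, "ServiceError", "%s returned error. The request contained "
                               "invalid information and could not be processed." % name,
                               result["errorMessage"])
    return 200, result
```

The point of keeping the auth decision before the try block is that a bad token is answered before any service code runs, while a missing header on an auth=false service still reaches the service, just with no userLogin; the service itself then has to cope with an anonymous caller, which is what Hans's original null userLogin observation amounts to.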


Re: How to not load or remove dummy data in db PostgreSQL

2020-10-01 Thread Jacques Le Roux

Hi Daors,

You did well by asking 1st on the user ML.
Please use it for such questions. See why here 
http://ofbiz.apache.org/mailing-lists.html.

You will get a better support, people can answer you on the ML.
The wider the audience the better the answers you might get.

Thanks

Jacques

On 01/10/2020 at 11:46, Daors Islami wrote:

Hello OfBiz Community, I just wanted to ask directly without losing anyone
time,  I have connected OfBiz with PostgreSQL and I just want to load only
the essential data to be able to use the app (f.e the user account for
logging in) not the demo data!

I have read:

https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-InitialDataLoading


And there it says that I should use the command:
gradlew "ofbiz --load-data readers=seed,seed-initial"



I tried it and it didn’t work for me, maybe I misunderstood it.

Is there a gradle command to remove the dummy data from the tables or how
is it possible to achieve this, I only want to be able to go into the app
and add data myself not to load dummy data. I’m new to OfBiz and learning
it daily.

Thank you for your time,
Best regards,
Daors.




How to not load or remove dummy data in db PostgreSQL

2020-10-01 Thread Daors Islami
Hello OfBiz Community, I just wanted to ask directly without losing anyone
time,  I have connected OfBiz with PostgreSQL and I just want to load only
the essential data to be able to use the app (f.e the user account for
logging in) not the demo data!

I have read:

https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-InitialDataLoading


And there it says that I should use the command:
gradlew "ofbiz --load-data readers=seed,seed-initial"



I tried it and it didn’t work for me, maybe I misunderstood it.

Is there a gradle command to remove the dummy data from the tables or how
is it possible to achieve this, I only want to be able to go into the app
and add data myself not to load dummy data. I’m new to OfBiz and learning
it daily.

Thank you for your time,
Best regards,
Daors.


Re: Need input on extending the Uom Related seed data

2020-10-01 Thread Jacques Le Roux

Hi NoName :),

Inline...

On 30/09/2020 at 22:08, Development wrote:

 Hey everyone.  I would like to contribute to trunk some more Uom (Uom, 
UomType, UomConversion) seed data, and some more demo records that use Uom 
data.  I have found 2 issues that I will need input on before I can make a real 
proposal.




 ISSUE #1:
 There is a uomTypeId="TIME_FREQ_MEASURE".  However, the frequency units 
have not been added to that.  I will add the frequencies, but i suspect they have not 
been added yet because there is no way to convert between time and frequency.


 It looks like UomConversion seems to assume that all conversions are of 
type:
measured_value_uomIdTo = (conversionFactor * measured_value_uomIdFrom)

 Are there plans to someday extend UomConversion, perhaps to be something 
more along the lines of:
measured_value_uomIdTo = conversionZeroOffset + (conversionFactor * 
(measured_value_uomIdFrom ^ conversionExponent))

 (This example would accommodate both frequency and the "how do i express  1 F = 
1.8C + 32 ?" issue in the comments of UnitData.xml).

 1 F = 32 + 1.8 * (C ^ 1)
 1 Hz (frequency) = 0 + 1 * (second ^ -1)


 So my issue #1 is: Are there plans for extending the UomConversion entity 
to be able to handle more in the future?  If not, then I propose the 
frequencies should be moved to their own UomType, like:

 


+1, good idea



 Issue #2:
 Now there is a service "convertUom" in 
component://common/groovyScripts/CommonServices.groovy that handles conversions.
 From glancing at it, I don't think it does either recursive or join 
searches for UomConversion yet (note, join searches are not appropriate for 
UomConversionDated as things like currencies can get out of whack during 
arbitrage opportunities so that converting from A to B, then B to C, then C to 
A can yield a profit.

 If the convertUom service does not do either yet, then I propose it would be best to 
enter conversion factors for "single join" searches in preparation for the day 
convertUom gets extended.

 
 
 
 
 
 

 
 
 
 
 
 

 


 
 
 
 
 

 (Note: The current seed data tends to use this form)

 So my issue #2 is:
 Has some decision been made that in the future we should go with "recursive 
searches"?


I can't remember any, not even discussions. From your comment about

   "UomConversionDated as things like currencies"

I'd go with the simpler(?) way, ie no recursive searches



 (For example, does the "convertUom" in 
component://common/groovyScripts/CommonServices.groovy already do, or is it planned to be 
able to do recursive searches?  If so then I should do it the recursive way.


I'd have to check more but I don't think we do



 Otherwise I think I should do it the "join" way.


I tend to agree, though I did not think much about it yet.

This is interesting: 
https://www.unitjuggler.com/convert-frequency-from-Hz-to-s(p).html?val=50

Jacques



 Thoughts?






CONFIDENTIALITY NOTICE: This message is intended only for the use of the person 
or organization to which it is addressed or was intended to be addressed, and 
may contain information that is privileged, confidential and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, or responsible for delivering the message to the intended 
recipient, you are hereby notified that any dissemination, distribution or 
copying of this communication is strictly prohibited. If you have received this 
communication in error, please notify the sender immediately by email and 
delete the original message immediately . The sender, its subsidiaries and 
affiliates, do not accept liability for any errors, omissions, corruption or 
virus in the contents of this message or any attachments that arise as a result 
of e-mail transmission. Thank you.
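The extended conversion formula proposed above (measured_value_uomIdTo = conversionZeroOffset + conversionFactor * measured_value_uomIdFrom ^ conversionExponent) and the "single join" lookup the proposal prefers over recursive searches, worked through in code. This is an added example, not OFBiz's convertUom service or its UomConversion entity: the field names conversionZeroOffset and conversionExponent are the proposal's, not existing entity fields, and the conversion rows are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UomConversion:
    """One row of the proposed extended UomConversion (field names from the proposal)."""
    uom_id: str
    uom_id_to: str
    conversion_factor: float = 1.0
    conversion_zero_offset: float = 0.0   # proposed field, not in the current entity
    conversion_exponent: float = 1.0      # proposed field, not in the current entity

    def apply(self, value):
        # measured_value_uomIdTo = zeroOffset + factor * (measured_value_uomIdFrom ^ exponent)
        if value == 0 and self.conversion_exponent < 0:
            raise ValueError("cannot convert a zero %s with a negative exponent" % self.uom_id)
        return self.conversion_zero_offset + self.conversion_factor * (value ** self.conversion_exponent)


# Constructed seed rows: temperature (zero offset), frequency (negative exponent)
# and a length chain that only resolves through a single join.
CONVERSIONS = [
    UomConversion("TEMP_C", "TEMP_F", conversion_factor=1.8, conversion_zero_offset=32.0),
    UomConversion("TIME_S", "FREQ_HZ", conversion_exponent=-1.0),
    UomConversion("FREQ_HZ", "TIME_S", conversion_exponent=-1.0),
    UomConversion("LEN_m", "LEN_cm", conversion_factor=100.0),
    UomConversion("LEN_cm", "LEN_mm", conversion_factor=10.0),
]


def find_direct(uom_from, uom_to, rows=CONVERSIONS) -> Optional[UomConversion]:
    for row in rows:
        if row.uom_id == uom_from and row.uom_id_to == uom_to:
            return row
    return None


def convert_uom(value, uom_from, uom_to, rows=CONVERSIONS, allow_join=True):
    """Convert with a direct row or, if allowed, through exactly one intermediate
    uom (a "single join"); deeper recursive searches are deliberately not attempted."""
    if uom_from == uom_to:
        return value
    direct = find_direct(uom_from, uom_to, rows)
    if direct is not None:
        return direct.apply(value)
    if allow_join:
        for first in rows:
            if first.uom_id != uom_from:
                continue
            second = find_direct(first.uom_id_to, uom_to, rows)
            if second is not None:
                return second.apply(first.apply(value))
    raise LookupError("no conversion from %s to %s" % (uom_from, uom_to))
```

The one-hop limit is the design choice the thread leans toward: for dated rows such as currency rates a chained path can disagree with the direct rate, so a lookup that silently walks A to B to C would hide that discrepancy rather than surface it.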




Re: REST, how about 'Login' map

2020-10-01 Thread Hans Bakker

Hi Girish,

yes userLogin is working fine now,

further i see you are working on the error messages?
would be nice to get the ofbiz error message together with the error 
code 500?


keep up the good work, it is getting better and better!

Regards,

Hans

On 10/1/20 10:49 AM, Girish Vasmatkar wrote:

Hi Hans,

This is now implemented/fixed with commit 8545cfe.



Best,
Girish
HotWax Systems


On Tue, Sep 29, 2020 at 5:26 PM Hans Bakker wrote:


Hi Girish, thanks for your prompt reply,

the login map needs to be filled when the related token is
available, which is currently not the case.

Not sure if this is directly related to the Auth=false parameter,
you know that better,

Regards, Hans

On 9/29/20 4:20 PM, Girish Vasmatkar wrote:

Hi Hans

Since you specifically mentioned about groovy service, I would
think it is true for other services as well.

It would possibly be happening, if the service itself is declared
with auth=false, so no token check is happening and hence
userLogin is not retrieved from the token.
Can you confirm if this is the case? The userLogin is added to
the service call before delegating the service call to dispatcher
after jwt has been verified. But in case of auth=false, services,
auth is bypassed and hence userLogin is not set.

I guess the key here is to bypass token validation if, and only
if, the Authorization header is absent, otherwise perform
validation. I had a discussion about this with Jacopo as well and
here is what can be done (applicable for /services endpoint) -

If auth=false and Authorization header is present, validate
token and return error if invalid. Else set userLogin in context
and delegate the call to dispatcher.
If auth=false and Authorization header is absent, just call
the service. The service will be executed without userLogin
in context.

I will try to work on this change in the next couple days.

Best,
Girish
HotWax Systems

Best,
Girish
HotWax Systems

On Tue, Sep 29, 2020 at 6:20 AM Hans Bakker wrote:

Hi Girish,

thanks for your last email, that is working now too

however another question,

If i call a service using the token i obtained earlier, i see
that the
userLogin map in the groovy service I called, is null

can you set the login map to the userLogin of the token that
was used so
we know who the user is?

Thanks, Hans




Re: Encoding issues with product names

2020-10-01 Thread Jacques Le Roux

On 01/10/2020 at 08:42, Jacques Le Roux wrote:

by alert('xss') 

This has been inadvertently copied there (actually copied from HTML browser source page when copying alert('xss'), I'm a lazy 
type-writer)




Re: Encoding issues with product names

2020-10-01 Thread Jacques Le Roux

Hi Mridul,

Maybe I miss what you mean, because everywhere, not only in ShoppingCartItem.java, "html" encoding is used not "string" encoding. Again, the reason is 
to prevent XSS attacks.


I understand that you suggest that, eg:
String productName = ProductContentWrapper.getProductContentAsText(product, 
"PRODUCT_NAME", this.locale, dispatcher, "string");
instead of currently
String productName = ProductContentWrapper.getProductContentAsText(product, 
"PRODUCT_NAME", this.locale, dispatcher, "html");

Do you mean something else?

If it's what you mean then we should not change. Because else it's easy to 
replace a product/item name at
https://localhost:8443/ordermgr/control/orderentry
by alert('xss') 


Then if you finalize the order and get to 
https://localhost:8443/ordermgr/control/processorder
the new product/item name is showing and if you click on it you get to
https://localhost:8443/ordermgr/control/product?product_id=yourProductId
and get an "XSS" attack.

If you mean something else, please explain

Thanks

Jacques

On 28/09/2020 at 16:44, Mridul Pathak wrote:

Hi Amit,

I agree with Jacques. Though I see that in shopping cart implementation
when copying product name to order item name it uses string encoding vs
html encoding, I think this could be fixed to use html encoding for
product/item name like it's done for product/item description in the same
method.

Thanks.
Mridul Pathak

On Mon, Sep 28, 2020 at 2:21 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Amit,

It's better to encode to prevent XSS. Then of course we need to decode
when showing those values.
Actually in this case it's automatically encoded by Freemarker as
explained in this old but still good reference:
https://ofbiz.markmail.org/thread/e2iznsqhhxxdplxh

So we can do the same, ie using StringUtil.wrapString(), like



This should be done everywhere it's needed in FTL files.

I have added a patch for similar "cartLine.get...()" cases at OFBIZ-12029.
Of course other cases like that can pop out anytime; eg, I'll also fix a
long awaiting one at  OFBIZ-7343...

We could think that using Freemarker autoescaping as suggested in
OFBIZ-7675 would be better.
But escaping is not encoding. You can check by using ?html (local
autoescaping ) instead of StringUtil.wrapString(). You get
"tes39t"

For widgets forms, there is a problem currently investigated with
OFBIZ-12026...

HTH

Jacques

On 26/09/2020 at 11:00, Amit Gadaley wrote:

Hello All,

Recently working for a client I encountered a weird issue related to
special characters encodings. We have product names containing special
characters like ' (apostrophes). When we create orders for it, an encoded
value for it is stored in OrderItem.itemDescription. The same encoded value
is also copied for invoice and return. When I checked the Product entity
record, the original value (name without encoding) was stored there. I
debugged the issue at code level and found that the system does encoding
(string or html) at the time of order creation.

I understand that for security reasons (and I want to know more about it),
the system does the encodings. My concerns are related to not using
encoding when we create products. And it is not good UI experience to
display encoded forms of values to screens.

I suggest we should use some methods to display encoded values properly on
screens or remove the encoding at the very first place.

Please feel free to provide any suggestions or inputs.
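The three positions in this thread, Amit's encoded apostrophes showing up on screen, Jacques's point that "string" encoding of the item name lets injected markup reach the order pages, and his warning that escaping at output on top of a value encoded at storage time is not the same thing as encoding once, can all be reproduced with a few lines. This is an added example and not OFBiz's ProductContentWrapper, StringUtil.wrapString() or its Freemarker templates; the product name is constructed, and SafeHtml is a stand-in for the "already encoded, do not encode again" marking that wrapString() provides.

```python
import html


class SafeHtml(str):
    """Marks a value as already HTML-encoded so an autoescaping renderer leaves it
    alone (models the effect of StringUtil.wrapString(); not OFBiz's class)."""


def encode_for_storage(name, encoding):
    """Model of getProductContentAsText(..., encoding): "html" encodes, "string" does not."""
    if encoding == "html":
        return html.escape(name, quote=True)
    if encoding == "string":
        return name
    raise ValueError("unknown encoding %r" % encoding)


def render_raw(value):
    """Template that interpolates without escaping: safe only if the value was
    encoded before it got here."""
    return "<td>%s</td>" % value


def render_autoescaped(value):
    """Template with output escaping (like Freemarker's ?html); skips values
    marked SafeHtml, otherwise encodes whatever it is given, encoded or not."""
    if isinstance(value, SafeHtml):
        return "<td>%s</td>" % value
    return "<td>%s</td>" % html.escape(str(value), quote=True)


def has_active_markup(rendered):
    """Detection check for the vulnerable outcome: did a script tag survive into the HTML?"""
    return "<script" in rendered.lower()


# Constructed product name: an apostrophe (Amit's case) plus an injected tag (Jacques's case).
PRODUCT_NAME = "Tes't <script>alert('xss')</script>"


def scenarios():
    stored_string = encode_for_storage(PRODUCT_NAME, "string")
    stored_html = encode_for_storage(PRODUCT_NAME, "html")
    return {
        # "string" encoding and a raw template: the tag reaches the browser.
        "string+raw": render_raw(stored_string),
        # "html" encoding and a raw template: rendered once, displays correctly.
        "html+raw": render_raw(stored_html),
        # "html" encoding plus output autoescaping: double-encoded, so the user
        # sees the literal "&#x27;" that Amit reported.
        "html+autoescape": render_autoescaped(stored_html),
        # "html" encoding, marked safe, then autoescaping: single-encoded again.
        "html+wrap+autoescape": render_autoescaped(SafeHtml(stored_html)),
    }
```

Encoding once, at the boundary where the value enters HTML, is what keeps both complaints from coming back: a stored-encoded value must be marked as such before an autoescaping template touches it, and a stored-raw value must never reach a raw template.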