I created my own PERMISSIVE_POLICY, but I am not finished with it yet. I think putting the configuration into the base property would be a good idea.
Thanks!
Ingo

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: Sunday, 8 November 2015 14:03
To: user@ofbiz.apache.org
Subject: Re: AW: AW: Render HTML markup in Freemarker

Thanks for the feedback Ingo,

Did you define your own PERMISSIVE_POLICY or simply use the one I created? I think I will anyway provide a base property to allow users to use it without coding, with a comment to explain it can be modified.

Jacques

On 08/11/2015 12:39, Ingo Wolfmayr wrote:
> Thanks Jacques, the patch works fine. After defining the PERMISSIVE_POLICY I get the result I was expecting.
>
> Best regards,
> Ingo
>
> -----Original Message-----
> From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
> Sent: Saturday, 7 November 2015 15:53
> To: user@ofbiz.apache.org
> Subject: Re: AW: Render HTML markup in Freemarker
>
> I submitted a last patch in OFBIZ-6669. It's now complete and gets rid of the content.properties, see my 2 last comments in OFBIZ-6669.
>
> HTH
>
> Jacques
>
> On 07/11/2015 09:20, Jacques Le Roux wrote:
>> Ingo,
>>
>> Mmm, it's a bit more complex and unfortunately I mixed things in my (too) quick answer.
>>
>> As explained in OFBIZ-6669, contrary to what I did in the ContentWorker class, when I earlier did the work on the *ContentWrapper classes I did not use the sanitizer but only an encoder (either HTML or URL), because I wrongly supposed that only plain text was used there, and certainly my lazy mind thought it was easier because of the URL encoderType to also handle.
>>
>> When the encoderType is HTML, I now suggest we use the sanitizer in the *ContentWrapper classes. For that I will enhance the UtilCodec class (if people disagree that a sanitizer should be there, I will create a new UtilOwasp class).
>>
>> Beware though about the sanitizer. I'm not sure why but it might still remove the ids and tags like "<center><table" (see OFBIZ-6669 description).
>> This is why the content.sanitize property exists in content.properties. To generalise, this property will need to be moved into the base config, I guess in an owasp.properties file.
>>
>> To be totally complete we should change *lines like* productsummary.ftl line 85 to use an HTML content wrapper. I mean something like
>>
>> Index:
>> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>> ===================================================================
>> ---
>> applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>> (revision 1712951)
>> +++ applications/order/webapp/ordermgr/entry/catalog/productsummary.f
>> +++ t
>> +++ l (working copy)
>> @@ -63,6 +63,7 @@
>> <#assign prodCatMem = requestAttributes.productCategoryMember>
>> </#if>
>> <#assign smallImageUrl =
>> productContentWrapper.get("SMALL_IMAGE_URL", "url")!>
>> + <#assign productDescription =
>> + productContentWrapper.get("DESCRIPTION", "html")>
>> <#if !smallImageUrl?string?has_content><#assign smallImageUrl =
>> "/images/defaultImage.jpg"></#if>
>> <#-- end variable setup -->
>> <#assign productInfoLinkId = "productInfoLink">
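Review bot: the added `<#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")>` has no `!` default, unlike the `smallImageUrl` assignment just above it; FreeMarker raises an error when the right-hand side of an assignment evaluates to null or missing, so if the wrapper returns null for a product without a DESCRIPTION content record the page fails here, before the `${productDescription!}` default in the second hunk is ever reached. Suggest `<#assign productDescription = productContentWrapper.get("DESCRIPTION", "html")!>` to match the existing line. Also, the `+++` file header has been wrapped by the mail client into three lines (`+++ ...productsummary.f`, `+++ t`, `+++ l (working copy)`), so the patch will not apply as pasted; readers should take it from OFBIZ-6669 instead.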
>> @@ -82,7 +83,7 @@
>> <img
>> src="<@ofbizContentUrl>${contentPathPrefix!}${smallImageUrl}</@ofbizContentUrl>"
>> alt="Small Image"/><br />
>> ${uiLabelMap.ProductProductId} :
>> ${product.productId!}<br />
>> ${uiLabelMap.ProductProductName} :
>> ${product.productName!}<br />
>> - ${uiLabelMap.CommonDescription} : ${product.description!}
>> + ${uiLabelMap.CommonDescription} :
>> + ${productDescription!}
>> </td>
>> </tr>
>> </table>
>>
>> I hope I'm clear now, see my proposed patch at OFBIZ-6669
>>
>> Jacques
>>
>>
>> On 06/11/2015 20:19, Ingo Wolfmayr wrote:
>>> Hi Jacques,
>>>
>>> thanks for the quick answer.
>>>
>>> Just for me to understand :) :
>>>
>>> I have the following content from the DB: <p>Test</p>
>>>
>>> Shouldn't the sanitizer remove/sanitize tags that are not in the allow policy? So from my understanding, with the example "<p>Test</p>" it should result in "" if the p-tag is not allowed. My result is that the whole tag is rendered as text with the markup tag <p>.
>>>
>>> Best regards,
>>> Ingo
>>>
>>>
>>> -----Original Message-----
>>> From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
>>> Sent: Friday, 6 November 2015 16:32
>>> To: user@ofbiz.apache.org
>>> Subject: Re: Render HTML markup in Freemarker
>>>
>>> This is due to https://issues.apache.org/jira/browse/OFBIZ-6669
>>>
>>> I see only one solution: also use the content.sanitize property from content.properties (here you want it false) in the *ContentWrapper classes (where the content is encoded).
>>> This also means that you are then assuming your code is sensitive to possible (but unlikely) static XSS attacks. I agree we should give this flexibility to users, once they are aware of what they are doing.
>>>
>>> I will code that soon...
>>>
>>> Jacques
>>>
>>>
>>> On 06/11/2015 13:56, Ingo Wolfmayr wrote:
>>>> Hi everybody,
>>>>
>>>> I am trying to display text content with embedded HTML markup tags:
>>>>
>>>> <p>Test</p>
>>>>
>>>> I tried
>>>> ${productContentWrapper.get("DESCRIPTION","html")}
>>>> ${StringUtil.wrapString(productContentWrapper.get("DESCRIPTION","html"))}
>>>>
>>>> For some reason it does print the text including the markup tags.
>>>>
>>>> I use the most current trunk. I have some project running on 13.07 doing just the same - there it works fine. As I could not find anything online: did I miss something in the configuration?
>>>>
>>>> Thanks for any hint.
>>>> Best regards
>>>> Ingo
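Added example, not code from this thread or from the OFBiz project: a stand-alone Java program, assuming the OWASP Java HTML Sanitizer (package org.owasp.html) is on the classpath, that puts the three rendering paths discussed in the thread side by side. The plain HTML encoder (what the *ContentWrapper classes did before the OFBIZ-6669 work) turns `<p>Test</p>` into `&lt;p&gt;Test&lt;/p&gt;`, which a browser shows as literal text, which is what Ingo observed. A strict sanitizer policy drops disallowed tags but keeps their text, so the same input yields `Test`, not an empty string. The permissive policy shown here, which allows common block and inline elements, tables, `center`, links and `id` attributes, is an illustration of the kind of policy the thread talks about; it is not the project's PERMISSIVE_POLICY, whose definition the thread does not show. The `render` helper, the `encodeHtml` helper and the boolean standing in for `content.sanitize` are assumptions of this example.

```java
// Added example (not OFBiz code). Assumes the OWASP Java HTML Sanitizer
// (org.owasp.html) is on the classpath; everything else is self-contained.
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class SanitizeVsEncode {

    // Illustrative permissive allow-list: common block and inline formatting,
    // tables, <center>, links with safe URL schemes, and id attributes
    // (the thread reports ids and "<center><table" being stripped by a
    // stricter policy). This is an assumption, not the project's policy.
    static final PolicyFactory PERMISSIVE_POLICY = new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowElements("center", "table", "thead", "tbody", "tr", "th", "td")
            .allowAttributes("id").globally()
            .allowStandardUrlProtocols()
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .requireRelNofollowOnLinks()
            .toFactory();

    // Strict policy that allows no elements at all: every tag is removed,
    // but ordinary text content survives.
    static final PolicyFactory STRICT_POLICY = new HtmlPolicyBuilder().toFactory();

    // Minimal HTML entity encoder, standing in for the "encoder only" path the
    // wrappers used: markup is preserved as visible text, never interpreted.
    static String encodeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stand-in for the content.sanitize switch from the thread (assumed name):
    // false -> encode everything; true -> run the allow-list sanitizer.
    static String render(String content, boolean sanitize, PolicyFactory policy) {
        return sanitize ? policy.sanitize(content) : encodeHtml(content);
    }

    public static void main(String[] args) {
        // Constructed sample description: the thread's <p>Test</p>, the
        // <center><table> case, and an injected script to show what the
        // sanitizer strips that the permissive policy still does not let through.
        String description = "<p id=\"intro\">Test</p>"
                + "<center><table><tr><td>cell</td></tr></table></center>"
                + "<script>alert(1)</script>";

        System.out.println("encode     : " + render(description, false, null));
        System.out.println("strict     : " + render(description, true, STRICT_POLICY));
        System.out.println("permissive : " + render(description, true, PERMISSIVE_POLICY));
    }
}
```

Running it shows the encoded line as all-literal text (the symptom from the first message), the strict line as bare text with every tag removed, and the permissive line with `p`, `id`, `center` and the table kept while the `script` element is removed. The permissive output is the only one that both renders the markup and still refuses executable content, which is the trade-off the thread is making when it turns sanitizing on for the HTML encoderType instead of disabling encoding altogether.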