David,

Thank you so much
You have got me out of a spot

Sorry, I'm not regular

Eric
----- Original Message ----- From: "David E Jones" <david.jo...@hotwaxmedia.com>
To: <user@ofbiz.apache.org>
Sent: Monday, February 16, 2009 11:34 PM
Subject: Re: Javascript is parsed to HTML (Freemarker ?)



Have you been following the discussion on the mailing lists about the XSS/etc prevention efforts?

As a general practice when you run into things like this you can usually find your answer pretty quickly by looking at commit logs, and by looking at code in OOTB OFBiz that does something similar to what you are trying to do. In this case, for example, looking at the productdetail screen and the groovy and ftl files that it uses will give you an example of how to handle this now.

The important thing to know is that now all String objects are automatically HTML encoded (using the OWASP ESAPI library). To avoid it, just use anything other than a String object. The normal way to do this is to create your script dynamically using a StringBuilder, and then just leave it as a StringBuilder instead of calling toString() on it before putting it in the context. Then it won't get HTML encoded...

On a side note, I know that the OOTB code isn't the best example of this, but usually it is best to generate your JavaScript in the FTL file. If you are dynamically generating any sort of text a template file is usually the best tool to use and results in the cleanest and easiest to maintain code.

And as a bonus, you'll avoid this encoding issue too. In fact, part of the decision to do this general encoding is to encourage the practice of using templates for what they are meant to be used for.

Best of luck,
-David
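The rule David describes above, as an added example (not OFBiz's own code, and not the OWASP ESAPI API): a String placed in the screen context is HTML-encoded when rendered, while any other object, such as a StringBuilder, is rendered via toString() untouched. The class and helper names (ContextRenderer, htmlEncode, jsStringEscape, buildScript) and the product-name input are assumptions constructed for this illustration. The example also shows the caveat that follows from the rule: once a script is kept as a StringBuilder, nothing downstream encodes it, so any data embedded inside the script has to be escaped by the code that builds it.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added example, not OFBiz code: a minimal model of the encoding rule
 * from the thread. Strings in the context are HTML-encoded at render
 * time; anything else (here a StringBuilder) passes through unchanged.
 * All helpers below are hypothetical stand-ins, not OFBiz's or ESAPI's API.
 */
public class ContextRenderer {

    /** HTML-encode the characters that matter in HTML text and attributes. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Escape a data value for use inside a JavaScript string literal. */
    static String jsStringEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '\'' || c == '"') {
                out.append('\\').append(c);
            } else if (c == '<' || c == '>' || c == '&' || c == '/') {
                // hex-escape markup characters so the literal can never close the script element
                out.append(String.format("\\x%02X", (int) c));
            } else if (c == '\n') {
                out.append("\\n");
            } else if (c == '\r') {
                out.append("\\r");
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Render one context value as the thread describes: only String is HTML-encoded. */
    static String render(Object value) {
        if (value instanceof String) {
            return htmlEncode((String) value);
        }
        return String.valueOf(value);   // StringBuilder and other types pass through untouched
    }

    /** Build a script the way a Groovy screen action might, keeping it as a StringBuilder. */
    static StringBuilder buildScript(String productName) {
        StringBuilder script = new StringBuilder();
        script.append("<script type=\"text/javascript\">\n");
        // the script skeleton is authored by us; the data placed inside it is not,
        // and no later encoding step will touch it, so escape it here
        script.append("var productName = '").append(jsStringEscape(productName)).append("';\n");
        script.append("</script>\n");
        return script;
    }

    public static void main(String[] args) {
        // constructed sample input containing quotes and markup characters
        String productName = "Eric's \"Widget\" <1/2 price>";

        Map<String, Object> context = new LinkedHashMap<>();
        context.put("scriptAsString", buildScript(productName).toString()); // encoded: shows up as text
        context.put("scriptAsBuilder", buildScript(productName));           // untouched: runs as script

        for (Map.Entry<String, Object> e : context.entrySet()) {
            System.out.println("-- " + e.getKey());
            System.out.print(render(e.getValue()));
        }
    }
}
```

The first context entry reproduces the symptom Eric reports (the script source appears on the page as text); the second is the StringBuilder approach from the reply. The design point is that the StringBuilder opts the whole value out of the automatic encoding, so the protection has to move into buildScript: the literal structure is trusted, the embedded data is escaped for the JavaScript string context it lands in rather than for HTML.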


On Feb 16, 2009, at 11:06 AM, Eric DE MAULDE wrote:

A precision:

*** Error comes from Groovy
Because I have the problem only with JavaScript generated with Groovy.

An idea?

Thanks

Eric
----- Original Message ----- From: "Eric DE MAULDE" <eric...@free.fr>
To: <user@ofbiz.apache.org>
Sent: Monday, February 16, 2009 6:24 PM
Subject: Javascript is parsed to HTML (Freemarker ?)


Hi,

I updated my working copy

*** Now all JavaScript is parsed to HTML (and appears on screen, just for my own application, Ecommerce is OK)
Script tags are ok.
Ex. in source:
&lt;script language&#61;&quot;JavaScript&quot; type&#61;&quot;text&#47;javascript&quot;&gt;&lt;&#33;--
Do you know where I can configure Freemarker?

In HTML head tag, some chars are parsed too.

Eric

