OFBiz: OFBIZ-4316

Widget $() escapes HTML. StringUtil.wrapString(contentText) throws an error

    Details

      Description

      from the ForumScreens.xml#ViewForumMessage

          <container style="forumtext">
              <label>${contentText}</label>

      shows escaped HTML:

          * Data Source<br /> * Marketing Campaign<br /> * Tracking Affiliate programs<br /> * Segment<br /> * Contact List<br /> * Reports<br /> <a class="postlink" href="https://demo-trunk.ofbiz.apache.org/marketing/control/main"USERNAME=flexadmin&PASSWORD=ofbiz&JavaScriptEnabled=Y">Demo Marketing</a>

      replacing

          <label>${contentText}</label>

      with

          ${StringUtil.wrapString(contentText).toString()}

      gives this error:

          2011-06-15 18:16:43,200 (TP-Processor13) [ UtilXml.java:1043:ERROR]
          XmlFileLoader: File
          file:specialpurpose/ecommerce/widget/ForumScreens.xml
          process error. Line: 151. Error message: cvc-complex-type.2.3: Element
          'condition' cannot have character [children], because the type's content
          type is element-only.

        Activity

        BJ Freeman added a comment -

        thanks for the clarification.
        however for forums I run they are moderated.
        so malicious html/js content is not possible.
        I do understand that ofbiz must go for worst case.

        Scott Gray made changes -
        Status: Open [ 1 ] → Closed [ 6 ]
        Resolution: Invalid [ 6 ]
        Scott Gray added a comment -

        The label widget currently doesn't support disabling encoding, it isn't a bug but instead just an improvement required. When you originally asked how to prevent encoding I assumed you were referring to within a freemarker template, that's why I suggested using StringUtil.wrapString() but it isn't intended or supported for use in expandable widget fields.

        Also, the forum content should never be rendered unencoded because it opens up XSS vulnerabilities by allowing users to post malicious html/js content.

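        Scott Gray's point is that the label widget's encoding is the XSS control, and that a forum post should never reach the page unencoded. The following is an added illustration for this thread, not OFBiz code and not from the issue: a Python model of the two defensible behaviours. `encode_like_label_widget` does what the widget does by default (entity-encode everything, so the markup shows as text, which is what the reporter saw), and `AllowlistSanitizer` shows the alternative when a forum genuinely needs a little markup: keep only `<br />` and `http(s)` links, drop every other tag and attribute, and still encode all text. The sample post, the function and class names are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample in the shape of the forum post quoted in the issue
# (not the exact text from the page; the link markup is cleaned up).
SAMPLE_POST = (
    '* Data Source<br /> * Marketing Campaign<br /> '
    '<a class="postlink" href="https://demo-trunk.ofbiz.apache.org/marketing/control/main">'
    'Demo Marketing</a>'
)


def encode_like_label_widget(text):
    """Model of the <label> widget's default: every HTML-significant character
    becomes an entity, so the browser displays the markup literally instead of
    interpreting it. Nothing a poster writes can become live HTML or script."""
    return html.escape(text, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a post keeping only <br> and <a href="http(s)://..."> (the markup
    the sample post needs). Every other tag and every other attribute, including
    event handlers and non-http link schemes, is dropped; all text is encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_links = 0  # a stray </a> must not produce an unmatched close tag

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self.out.append("<br />")
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            self.open_links += 1
            if href.lower().startswith(("http://", "https://")):
                self.out.append('<a href="%s" rel="nofollow">' % html.escape(href, quote=True))
            else:
                self.out.append("<a>")  # keep the link text, drop the unusable target
        # any other tag (script, img, iframe, ...) is dropped entirely

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag == "a":
            self.handle_endtag(tag)  # <a/> must still close what it opened

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links > 0:
            self.open_links -= 1
            self.out.append("</a>")

    def handle_data(self, data):
        # Text is always entity-encoded, exactly as the widget would do it.
        self.out.append(html.escape(data, quote=True))

    def result(self):
        return "".join(self.out)


def sanitize_post(text):
    """Allowlist-render a post: limited, known markup survives, nothing else."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print(encode_like_label_widget(SAMPLE_POST))  # markup shown as text
    print(sanitize_post(SAMPLE_POST))             # <br /> and the link survive
```

        The design choice worth noting: the sanitizer never lets the original bytes through. It parses, discards, and re-emits from a fixed vocabulary, so "moderated forum" or not, an unexpected attribute or tag simply does not exist in the output. Wrapping the string to bypass the widget's encoding, as attempted in this issue, is the opposite approach: it trusts the stored text completely.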
        David E. Jones added a comment -

        When FreeMarker says that an expression "is undefined" it often means that the expression evaluated to null.

        If you don't want FreeMarker to blow up like this for null values, add the "?if_exists" built-in.

        In general I highly recommend the documentation for FTL at: www.freemarker.org

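        David E. Jones's point (a null value makes `${...}` blow up) and Scott Gray's point (never render the post unencoded) combine into a single template line. Added example for this thread, not from the issue and not OFBiz's own code; it assumes `contentText` is the String the screen places in the template context. The `!` default operator is the newer spelling of `?if_exists`, and `?html` is FreeMarker's built-in entity encoder.

```ftl
<#-- Added illustration, not code from the issue or from OFBiz.
     Assumes contentText is the String the screen puts into the context. -->

<#-- Null-safe AND escaped: "!" (what ?if_exists does in older FreeMarker)
     yields "" when contentText is null, so no InvalidReferenceException;
     ?html then entity-encodes the text, so the forum post is displayed,
     not executed as markup. -->
${(contentText!"")?html}
```

        Using `?html` in the template gives the same protection the label widget applies automatically; moving the post into an ftl only to drop the encoding would reintroduce exactly the XSS exposure described above.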
        BJ Freeman added a comment -

        I am using an ftl with

            ${StringUtil.wrapString(contentText)}

        https://issues.apache.org/jira/browse/OFBIZ-4318 is the bug about no record being generated
        but this has to do with the StringUtil handling that problem so put this here

        2011-06-16 20:23:26,453 (TP-Processor36) [ RequestHandler.java:741:INFO ] Rendering View [ViewForumMessage], sessionId=ED6F3D30F1C23C6DBA1C64EC46B2534A.jvm1
        2011-06-16 20:23:26,460 (TP-Processor36) [ PrimaryKeyFinder.java:153:INFO ] Returning null because found incomplete primary key in find: [GenericEntity:ElectronicText][dataResourceId,null()]
        2011-06-16 20:23:26,696 (TP-Processor36) [ Log4JLoggerFactory.java:96 :ERROR]
        Expression StringUtil.wrapString(contentText) is undefined on line 2, column 3 in component://publicface/webapp/businessesnetwork/forum/tmpmsgworkaround.ftl. The problematic instruction: ---------- ==> ${StringUtil.wrapString(contentText)}

        [on line 2, column 1 in component://publicface/webapp/businessesnetwork/forum/tmpmsgworkaround.ftl] ---------- Java backtrace for programmers: ---------- freemarker.core.InvalidReferenceException: Expression StringUtil.wrapString(contentText) is undefined on line 2, column 3 in component://publicface/webapp/businessesnetwork/forum/tmpmsgworkaround.ftl. at freemarker.core.TemplateObject.assertNonNull(TemplateObject.java:124) at freemarker.core.Expression.getStringValue(Expression.java:118) at freemarker.core.Expression.getStringValue(Expression.java:93) at freemarker.core.DollarVariable.accept(DollarVariable.java:76) at freemarker.core.Environment.visit(Environment.java:209) at freemarker.core.MixedContent.accept(MixedContent.java:92) at freemarker.core.Environment.visit(Environment.java:209) at freemarker.core.Environment.process(Environment.java:189) at org.ofbiz.base.util.template.FreeMarkerWorker.renderTemplate(FreeMarkerWorker.java:216) at org.ofbiz.widget.screen.HtmlWidget.renderHtmlTemplate(HtmlWidget.java:205) at org.ofbiz.widget.screen.HtmlWidget$HtmlTemplate.renderWidgetString(HtmlWidget.java:250) at org.ofbiz.widget.screen.HtmlWidget.renderWidgetString(HtmlWidget.java:110) at org.ofbiz.widget.screen.ModelScreenWidget$PlatformSpecific.renderWidgetString(ModelScreenWidget.java:971) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$DecoratorSection.renderWidgetString(ModelScreenWidget.java:669) at org.ofbiz.widget.screen.ModelScreenWidget$SectionsRenderer.render(ModelScreenWidget.java:125) at org.ofbiz.widget.screen.ModelScreenWidget$DecoratorSectionInclude.renderWidgetString(ModelScreenWidget.java:702) at 
org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Container.renderWidgetString(ModelScreenWidget.java:256) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Section.renderWidgetString(ModelScreenWidget.java:187) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Section.renderWidgetString(ModelScreenWidget.java:187) at org.ofbiz.widget.screen.ModelScreen.renderScreenString(ModelScreen.java:392) at org.ofbiz.widget.screen.ModelScreenWidget$DecoratorScreen.renderWidgetString(ModelScreenWidget.java:636) at org.ofbiz.widget.screen.ModelScreenWidget.renderSubWidgetsString(ModelScreenWidget.java:100) at org.ofbiz.widget.screen.ModelScreenWidget$Section.renderWidgetString(ModelScreenWidget.java:187) at org.ofbiz.widget.screen.ModelScreen.renderScreenString(ModelScreen.java:392) at org.ofbiz.widget.screen.ScreenRenderer.render(ScreenRenderer.java:135) at org.ofbiz.widget.screen.ScreenRenderer.render(ScreenRenderer.java:97) at 
org.ofbiz.widget.screen.ScreenWidgetViewHandler.render(ScreenWidgetViewHandler.java:101) at org.ofbiz.webapp.control.RequestHandler.renderView(RequestHandler.java:839) at org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:559) at org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:227) at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at php.java.servlet.PhpCGIFilter.doFilter(PhpCGIFilter.java:126) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:268) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) at 
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) at java.lang.Thread.run(Thread.java:636)

        BJ Freeman added a comment -

        also check the trunk demo just to be sure, that the code had not been changed since my version.

        BJ Freeman added a comment -

        quick workaround is to use

            <platform-specific><html><html-template location="component://publicface/webapp/publicfacemain/forum/workaroundmsg.ftl"/></html></platform-specific>
        BJ Freeman made changes -
        Field: Original Value → New Value
        Affects Version/s: SVN trunk [ 12311928 ]
        Description: the [code] markers around the three snippets were replaced by {code} markers; the description text itself is unchanged (see the Description above)
        Fix Version/s: SVN trunk [ 12311928 ]
        Component/s: content [ 12311147 ]
        Component/s: framework [ 12311145 ]
        Component/s: specialpurpose/ecommerce [ 12311148 ]
        BJ Freeman added a comment -

        used wrong tag for code

        BJ Freeman created issue -

          People

          • Assignee: Unassigned
          • Reporter: BJ Freeman