
No functional change, only formatting and imports cleaning
git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk@1777446 13f79535-47bb-0310-9956-ffa450edef68
JacquesLeRoux committed Jan 5, 2017
1 parent 055f518 commit 60b9dec
Showing 10 changed files with 60 additions and 31 deletions.
Expand Up @@ -335,18 +335,22 @@ public static String renderContentAsText(LocalDispatcher dispatcher, String cont
String mimeTypeId, boolean cache) throws GeneralException, IOException {
Writer writer = new StringWriter();
renderContentAsText(dispatcher, contentId, writer, templateContext, locale, mimeTypeId, null, null, cache);
GenericValue content = EntityQuery.use(dispatcher.getDelegator()).from("Content").where("contentId", contentId).queryOne();
String contentTypeId = content.getString("contentTypeId");
String rendered = writer.toString();
// According to https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
// Normally head is protected by X-XSS-Protection Response Header by default
if (rendered.contains("<script>")
|| rendered.contains("<!--")
|| rendered.contains("<div")
|| rendered.contains("<style>")
|| rendered.contains("<span")
|| rendered.contains("<input")
|| rendered.contains("<iframe")
|| rendered.contains("<a")) {
rendered = encoder.sanitize(rendered);
if (!"REPORT".equals(contentTypeId)) { // FIXME here BIRT_REPORT_BUILDER_USAGE_POLICY should be used but I could not tweak it yet: the content of <script> are removed and should not. Also a more annoying no yet spotted issue with contentId dissapearing
if (rendered.contains("<script>")
|| rendered.contains("<!--")
|| rendered.contains("<div")
|| rendered.contains("<style>")
|| rendered.contains("<span")
|| rendered.contains("<input")
|| rendered.contains("<iframe")
|| rendered.contains("<a")) {
rendered = encoder.sanitize(rendered, contentTypeId);
}
}
return rendered;
}
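Review bot: `content` returned by `queryOne()` on L20 is null when no Content row matches `contentId`, so `content.getString("contentTypeId")` on L21 fails with a NullPointerException rather than the GeneralException the method declares; guard it with `if (content == null) throw new GeneralException("Content [" + contentId + "] not found");` before reading the type. Separately, the new `!"REPORT".equals(contentTypeId)` guard skips `encoder.sanitize` entirely for report content, and the case-sensitive `contains` gate only reaches the sanitizer when one of the listed lowercase tags is present, so markup written differently passes through untouched; the FIXME acknowledges the first, but both warrant a comment stating the accepted risk until a policy replaces the blanket exemption. The method's signature is on the hunk header, outside the hunk.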
Expand Up @@ -747,12 +747,37 @@ public static void renderDataResourceAsText(LocalDispatcher dispatcher, Delegato
} else {
throw new GeneralException("The dataResource file [" + dataResourceId + "] could not be found");
}
} catch (SAXException e) {
} catch (SAXException | ParserConfigurationException e) {
throw new GeneralException("Error rendering Screen template", e);
} catch (ParserConfigurationException e) {
} catch (TemplateException e) {
throw new GeneralException("Error creating Screen renderer", e);
}
} else if ("FORM_COMBINED".equals(dataTemplateTypeId)){
try {
Map<String, Object> context = UtilGenerics.checkMap(templateContext.get("globalContext"));
context.put("locale", locale);
context.put("simpleEncoder", UtilCodec.getEncoder(UtilProperties.getPropertyValue("widget", "screen.encoder")));
HttpServletRequest request = (HttpServletRequest) context.get("request");
HttpServletResponse response = (HttpServletResponse) context.get("response");
ModelForm modelForm = null;
ModelReader entityModelReader = delegator.getModelReader();
String formText = getDataResourceText(dataResource, targetMimeTypeId, locale, templateContext, delegator, cache);
Document formXml = UtilXml.readXmlDocument(formText, true, true);
Map<String, ModelForm> modelFormMap = FormFactory.readFormDocument(formXml, entityModelReader, dispatcher.getDispatchContext(), null);

if (UtilValidate.isNotEmpty(modelFormMap)) {
Map.Entry<String, ModelForm> entry = modelFormMap.entrySet().iterator().next(); // get first entry, only one form allowed per file
modelForm = entry.getValue();
}
MacroFormRenderer renderer = new MacroFormRenderer(formrenderer, request, response);
FormRenderer formRenderer = new FormRenderer(modelForm, renderer);
formRenderer.render(out, context);
} catch (SAXException | ParserConfigurationException e) {
throw new GeneralException("Error rendering Screen template", e);
} catch (TemplateException e) {
throw new GeneralException("Error creating Screen renderer", e);
} catch (Exception e) {
throw new GeneralException("Error rendering Screen template", e);
}
} else {
throw new GeneralException("The dataTemplateTypeId [" + dataTemplateTypeId + "] is not yet supported");
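Review bot: `modelForm` stays null when `modelFormMap` is empty (L73-L76) and is then handed to `new FormRenderer(modelForm, renderer)` on L78, so a data resource with no form definition fails somewhere inside the renderer instead of with a clear message; add `if (modelForm == null) { throw new GeneralException("No form found in dataResource [" + dataResourceId + "]"); }` after the lookup. The trailing `catch (Exception e)` on L84 folds every remaining failure, including runtime errors from the renderer, into the same "Error rendering Screen template" text, which also names a screen although this branch renders a form; narrowing it or at least correcting the message would help diagnosis. Note also that L62-L64 write `locale` and `simpleEncoder` into the caller's `globalContext` map rather than a copy, which presumably leaks into later rendering in the same request — worth a comment if intended. `formrenderer` and `out` come from outside the hunk; the method starts and ends outside it.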
Expand Up @@ -111,7 +111,7 @@ public static String getOrderContentAsText(GenericValue order, String orderConte
if (UtilValidate.isEmpty(outString)) {
outString = outString == null? "" : outString;
}
outString = encoder.sanitize(outString);
outString = encoder.sanitize(outString, null);
if (orderContentCache != null) {
orderContentCache.put(cacheKey, outString);
}
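Review bot: The new call passes a bare `null` as the encoder's second argument on L95, leaving a reader to guess whether that means "no content type, apply the default policy" or "skip type-specific rules"; the same literal is introduced in the party, product category, product config item, product, product promo and work effort wrappers in this commit. If the single-argument `sanitize` was removed from the encoder, restoring it as a delegating overload (`sanitize(s)` calling `sanitize(s, null)`) keeps these call sites self-explanatory; otherwise a comment such as `// null contentTypeId: no type-specific policy, encoder default applies` at the first call would do, assuming that is what the encoder does — its implementation is not in this diff. getOrderContentAsText starts and ends outside the hunk.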
Expand Up @@ -168,19 +168,19 @@ public static String getPartyContentAsText(GenericValue party, String contentId,
outString = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
outString = outString == null? "" : outString;
}
outString = encoder.sanitize(outString);
outString = encoder.sanitize(outString, null);
if (partyContentCache != null) {
partyContentCache.put(cacheKey, outString);
}
return outString;
} catch (GeneralException e) {
Debug.logError(e, "Error rendering PartyContent, inserting empty String", module);
String candidateOut = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
} catch (IOException e) {
Debug.logError(e, "Error rendering PartyContent, inserting empty String", module);
String candidateOut = party.getModelEntity().isField(candidateFieldName) ? party.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
}
}
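Review bot: The `GeneralException` and `IOException` handlers on L110-L119 now carry identical bodies (log, recompute `candidateOut`, sanitize with `null`), so the fallback path is maintained twice; the same duplication appears in the product config item, product, product promo and work effort wrappers in this commit. Since this commit already uses multi-catch in renderDataResourceAsText, collapsing them to `catch (GeneralException | IOException e) {` with a single body keeps the two paths from drifting apart. The fallback also returns the sanitized raw field without touching `partyContentCache`, which looks intentional but deserves a one-line comment. getPartyContentAsText starts outside the hunk.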

Expand Up @@ -110,7 +110,7 @@ public static String getProductCategoryContentAsText(GenericValue productCategor
outString = productCategory.getModelEntity().isField(candidateFieldName) ? productCategory.getString(candidateFieldName): "";
outString = outString == null? "" : outString;
}
outString = encoder.sanitize(outString);
outString = encoder.sanitize(outString, null);
if (categoryContentCache != null) {
categoryContentCache.put(cacheKey, outString);
}
Expand Up @@ -133,19 +133,19 @@ public static String getProductConfigItemContentAsText(GenericValue productConfi
outString = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
outString = outString == null? "" : outString;
}
outString = encoder.sanitize(outString);
outString = encoder.sanitize(outString, null);
if (configItemContentCache != null) {
configItemContentCache.put(cacheKey, outString);
}
return outString;
} catch (GeneralException e) {
Debug.logError(e, "Error rendering ProdConfItemContent, inserting empty String", module);
String candidateOut = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
} catch (IOException e) {
Debug.logError(e, "Error rendering ProdConfItemContent, inserting empty String", module);
String candidateOut = productConfigItem.getModelEntity().isField(candidateFieldName) ? productConfigItem.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
}
}

Expand Up @@ -123,19 +123,19 @@ public static String getProductContentAsText(GenericValue product, String produc
outString = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
outString = outString == null? "" : outString;
}
outString = encoder.sanitize(outString);
outString = encoder.sanitize(outString, null);
if (productContentCache != null) {
productContentCache.put(cacheKey, outString);
}
return outString;
} catch (GeneralException e) {
Debug.logError(e, "Error rendering ProductContent, inserting empty String", module);
String candidateOut = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
} catch (IOException e) {
Debug.logError(e, "Error rendering ProductContent, inserting empty String", module);
String candidateOut = product.getModelEntity().isField(candidateFieldName) ? product.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
}
}

Expand Up @@ -128,19 +128,19 @@ public static String getProductPromoContentAsText(GenericValue productPromo, Str
outString = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
outString = outString == null? "" : outString;
}
outString = encoder.sanitize(outString);
outString = encoder.sanitize(outString, null);
if (productPromoContentCache != null) {
productPromoContentCache.put(cacheKey, outString);
}
return outString;
} catch (GeneralException e) {
Debug.logError(e, "Error rendering ProductPromoContent, inserting empty String", module);
String candidateOut = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
} catch (IOException e) {
Debug.logError(e, "Error rendering ProductPromoContent, inserting empty String", module);
String candidateOut = productPromo.getModelEntity().isField(candidateFieldName) ? productPromo.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
}
}

Expand Up @@ -256,19 +256,19 @@ public static String getWorkEffortContentAsText(GenericValue workEffort, String
outString = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
outString = outString == null? "" : outString;
}
outString = encoder.sanitize(outString);
outString = encoder.sanitize(outString, null);
if (workEffortContentCache != null) {
workEffortContentCache.put(cacheKey, outString);
}
return outString;
} catch (GeneralException e) {
Debug.logError(e, "Error rendering WorkEffortContent, inserting empty String", module);
String candidateOut = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
} catch (IOException e) {
Debug.logError(e, "Error rendering WorkEffortContent, inserting empty String", module);
String candidateOut = workEffort.getModelEntity().isField(candidateFieldName) ? workEffort.getString(candidateFieldName): "";
return candidateOut == null? "" : encoder.sanitize(candidateOut);
return candidateOut == null? "" : encoder.sanitize(candidateOut, null);
}
}

Expand Up @@ -44,10 +44,11 @@
import org.apache.ofbiz.widget.WidgetWorker;
import org.apache.ofbiz.widget.model.AbstractModelAction;
import org.apache.ofbiz.widget.model.FieldInfo;
import org.apache.ofbiz.widget.model.*;
import org.apache.ofbiz.widget.model.ModelForm;
import org.apache.ofbiz.widget.model.ModelForm.FieldGroup;
import org.apache.ofbiz.widget.model.ModelForm.FieldGroupBase;
import org.apache.ofbiz.widget.model.ModelFormField;
import org.apache.ofbiz.widget.model.ModelGrid;

/**
* A form rendering engine.
Expand Down Expand Up @@ -227,8 +228,7 @@ private List<FieldGroupBase> getInbetweenList(FieldGroup startFieldGroup, FieldG
* (String, optional alternate name for form, defaults to the
* value of the name attribute)
*/
public void render(Appendable writer, Map<String, Object> context)
throws Exception {
public void render(Appendable writer, Map<String, Object> context) throws Exception {
// increment the paginator, only for list and multi forms
if (modelForm instanceof ModelGrid) {
WidgetWorker.incrementPaginatorNumber(context);
