Ofbiz: I need to display in the browser a value that comes from URL parameters. To avoid XSS attacks this value should be escaped.

The value is set in PScreens.xml as follows:

<screen name="Product">
  <section>
    <actions>
      <set field="productId" from-field="parameters.productId"/>
    </actions>
    <widgets>
      ...
    </widgets>
  </section>
</screen>

And it is included in PForms.xml:

<field name="productId" tooltip="${uiLabelMap.ProductId} [${productId}]"><text /></field>

Initially I tried to escape the value from PForms.xml:

tooltip="${uiLabelMap.ProductId} [${productId}]"

but I did not find any solution.

Can you suggest a solution to escape the value from PScreens.xml?

<set field="productId" from-field="parameters.productId"/>

Thank You.

2 Answers


This is a duplicate of "How to escape characters in ofbiz display-entity | XSS in Ofbiz". I see no reason to want to escape an already automatically escaped string. See https://issues.apache.org/jira/browse/OFBIZ-6506 for more information.

JacquesLeRoux
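To make the point of this answer concrete, here is an added example (not code from the question, the answer, or the OFBiz project) that walks a URL parameter through the same steps the widget above implies: decode it from the query string, HTML-escape it once, and place it in the tooltip attribute. It also shows why escaping a value that the framework has already escaped is a defect rather than extra safety. Python's html.escape stands in for OFBiz's own automatic encoding; the sample URL, the label text and the probe value in the productId parameter are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the productId value is a typical markup probe,
# percent-encoded the way a browser would send it.
SAMPLE_URL = (
    "http://example.invalid/catalog/control/Product"
    "?productId=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
)


def product_id_from_url(url):
    """Return the raw (URL-decoded) productId, i.e. what parameters.productId holds."""
    query = parse_qs(urlsplit(url).query)
    return query.get("productId", [""])[0]


def escape_once(value):
    """HTML-escape a value for an attribute context: &, <, >, \" and ' become entities."""
    return html.escape(value, quote=True)


def render_tooltip(label, raw_product_id):
    """Build the tooltip text from the form definition, escaping the parameter once.

    Mirrors tooltip="${uiLabelMap.ProductId} [${productId}]" with the label
    taken from a trusted UI label map and the parameter from the request.
    """
    return f"{label} [{escape_once(raw_product_id)}]"


def render_attribute(tooltip):
    """Emit the tooltip in the position it ends up in the rendered page."""
    return f'<input type="text" name="productId" title="{tooltip}"/>'


def attribute_context_safe(tooltip):
    """True when nothing in the tooltip can terminate the attribute or open a tag."""
    return not any(ch in tooltip for ch in '<>"')


def is_double_escaped(value):
    """Detect the signature of escaping an already-escaped string (&amp;lt; etc.)."""
    return any(marker in value for marker in ("&amp;lt;", "&amp;gt;", "&amp;quot;", "&amp;#x27;"))


if __name__ == "__main__":
    raw = product_id_from_url(SAMPLE_URL)
    tooltip = render_tooltip("Product Id", raw)
    print(render_attribute(tooltip))
    # Escaping twice turns the harmless &lt; into &amp;lt;, which the browser
    # renders as the literal text "&lt;" instead of "<": broken output, no gain.
    print(escape_once(tooltip))
```

Run as a script it prints the rendered input element with the probe neutralised. The two checker functions are what a reviewer would actually apply: attribute_context_safe on what reaches the template, and is_double_escaped on the rendered page to catch the extra escaping layer this answer advises against.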

I know now that you use an old Apache OFBiz version (pre R09.04). You can't expect to fix all the security issues on such an old version only by patching them one by one (see http://ofbiz.apache.org/download.html#vulnerabilities). So I suggest rather that you adapt your custom code to be used with a more recent version.

JacquesLeRoux