How to escape characters in ofbiz widget - widget

Ofbiz: I need to display in the browser a value that comes from URL parameters.
To avoid XSS attacks this value should be escaped.
The value is set in PScreens.xml as follows:
<screen name="Product">
    <section>
        <actions>
            <set field="productId" from-field="parameters.productId"/>
        </actions>
        <widgets>
        ...
        </widgets>
And is included in PForms.xml :
<field name="productId" tooltip="${uiLabelMap.ProductId} [${productId}]"><text /></field>
Initially I tried to escape the value from PForms.xml:
tooltip="${uiLabelMap.ProductId} [${productId}]"
but I did not find any solution.
Can you suggest a solution to escape the value from PScreens.xml?
<set field="productId" from-field="parameters.productId"/>
Thank You.

This is a duplicate of How to escape characters in ofbiz display-entity | XSS in Ofbiz. I see no reason to want to escape an already automatically escaped string. See https://issues.apache.org/jira/browse/OFBIZ-6506 for more information.

I know now that you use an old Apache OFBiz version (pre R09.04). You can't expect to fix all the security issues on such an old version only by patching them one by one (see http://ofbiz.apache.org/download.html#vulnerabilities). So I suggest rather that you adapt your custom code to be used with a more recent version.
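What the widget renderer's automatic escaping has to achieve for a value like ${productId} inside a tooltip attribute is easiest to see in a small stand-alone script. The following is an added example, not OFBiz code: the function names, the attribute-safety check and the sample parameter value are constructed here, and the escaping is done with Python's html.escape rather than OFBiz's own encoder.

```python
"""Escaping a request parameter before it lands in an HTML attribute.

Added example, not OFBiz code: it shows what the widget renderer's automatic
escaping has to achieve for a value such as ${productId} inside a tooltip
attribute. Function names and the sample parameter are constructed here.
"""
import html
import re

# Characters that must never appear raw inside a double-quoted attribute value.
_ATTR_UNSAFE = re.compile(r'[<>"\']')


def escape_attr(value: str) -> str:
    """Escape a string for use inside a double-quoted HTML attribute value.

    html.escape(quote=True) turns & < > " ' into entity references, which is
    the minimum needed for both text nodes and quoted attribute values.
    """
    return html.escape(value, quote=True)


def render_tooltip(label: str, product_id: str) -> str:
    """Build the tooltip attribute the way the form field above does,
    i.e. "${uiLabelMap.ProductId} [${productId}]", with both values escaped."""
    return 'tooltip="%s [%s]"' % (escape_attr(label), escape_attr(product_id))


def is_attr_safe(rendered: str) -> bool:
    """Check that a rendered attribute keeps its single pair of quotes and
    carries no raw markup characters between them."""
    inner = rendered[len('tooltip="'):-1]
    return (rendered.startswith('tooltip="') and rendered.endswith('"')
            and _ATTR_UNSAFE.search(inner) is None)


if __name__ == "__main__":
    # Constructed parameter value that would close the attribute if not escaped.
    param = 'WG-1001"><b>not a product id</b>'
    unescaped = 'tooltip="Product Id [%s]"' % param
    escaped = render_tooltip("Product Id", param)
    print(unescaped)  # attribute boundary broken by the raw quote
    print(escaped)    # quotes and angle brackets are now entities
    print(is_attr_safe(unescaped), is_attr_safe(escaped))
```

The check in is_attr_safe is deliberately strict: an ampersand is allowed (it starts the entity), but any raw quote or angle bracket inside the attribute means the value reached the markup unescaped.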

Related

Alternative to entering entity references in source code

Google's HTML/CSS Style Guide advises against using entity references:
Do not use entity references.
There is no need to use entity references like &mdash;, &rdquo;, or &#x263a;, assuming the same encoding (UTF-8) is used for files and editors as well as among teams.
<!-- Not recommended -->
The currency symbol for the Euro is &ldquo;&eur;&rdquo;.
<!-- Recommended -->
The currency symbol for the Euro is “€”.
I'm not sure I understand what it is that they are proposing. The only thing I can think of is that they are saying that you should be using your text editor's insert character command (e.g., in Atom, Ctrl-Shift-U, or in Emacs, C-x 8) to enter Unicode characters rather than typing in the literal entity references. Is that it?
The only thing I can think of is that they are saying that you should be using your text editor's insert character command […] rather than typing in the literal entity references. Is that it?
Yes, that's precisely what they're saying.
You don't write &#65; to insert the letter A, after all! There's no more reason to write &auml; for ä, or &hearts; for ♥, when those characters can be represented directly in the HTML file.

CSV rendering of page doesn't handle newline character within same field

Moqui supports a superb feature to render any page in different formats. If I render the following code in CSV format and suppose the description field contains a newline (i.e. Enter key) character, then it shows it correctly in form-list but in CSV it changes the current row. I think it should not behave like this.
<form-list name="communicationDetail" list="communicationDetailList">
<field name="communicationEventId"><default-field><display/></default-field></field>
<field name="description"><default-field><display/></default-field></field>
</form-list>
Please help me understand how that newline character can be ignored while rendering data in CSV. I think it should
Thanks in advance :-)
CSV output for XML Screen is done with the DefaultScreenMacros.csv.ftl file. There is a macro at the top of the file called csvValue that does the minimal encoding. More could certainly be done there, to match whatever the parser you are using will work with.
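The encoding a csvValue macro needs so that a multi-line description stays in one record is the quoting rule of RFC 4180: wrap the field in double quotes when it contains a comma, a quote or a line break, and double any embedded quote. The following is an added example, not Moqui's DefaultScreenMacros.csv.ftl; the function names and the sample rows are constructed, and the round trip is checked with Python's standard csv reader.

```python
"""Quoting CSV fields that contain newlines, commas or quotes (RFC 4180).

Added example, not Moqui's DefaultScreenMacros.csv.ftl: it shows the encoding
the csvValue macro would need so that a multi-line description stays in one
CSV record. Function names and sample rows are constructed here.
"""
import csv
import io

# Any of these inside a field forces the field to be quoted.
_NEEDS_QUOTING = (',', '"', '\r', '\n')


def csv_value(value) -> str:
    """Encode one field: wrap in double quotes when needed and double any
    embedded double quote. Embedded newlines are kept verbatim inside the
    quotes, which a conforming parser treats as part of the field."""
    text = "" if value is None else str(value)
    if any(ch in text for ch in _NEEDS_QUOTING):
        return '"' + text.replace('"', '""') + '"'
    return text


def csv_row(values) -> str:
    """Encode one record, terminated by CRLF as RFC 4180 specifies."""
    return ",".join(csv_value(v) for v in values) + "\r\n"


def render_csv(rows) -> str:
    """Encode a list of records into one CSV document."""
    return "".join(csv_row(r) for r in rows)


def parse_csv(text: str):
    """Parse with the standard library reader to confirm the round trip."""
    return [row for row in csv.reader(io.StringIO(text))]


if __name__ == "__main__":
    # Constructed communication events; the second description spans two lines.
    rows = [
        ["communicationEventId", "description"],
        ["10000", "Initial contact"],
        ["10001", "Follow-up call\nCustomer asked for a quote, \"urgent\""],
    ]
    out = render_csv(rows)
    print(out)
    print(len(parse_csv(out)), "records")  # 3, not 4: the newline stayed in its field
```

Stripping or replacing the newline, as the question asks, is the other option; quoting is preferable when the consumer is a spreadsheet or a conforming parser, because the original text survives unchanged.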

How to use HaxeFlixel together with openfl-bitfive

I would like to build a HaxeFlixel project against a HTML5 target, using openfl-bitfive
In the Readme for openfl-bitfive:
https://github.com/YellowAfterlife/openfl-bitfive#usage, it says:
"Navigate to application.xml of your project and add the following
before inclusion of OpenFL library: <set name="html5-backend" value="openfl-bitfive" />"
In HaxeFlixel, there is no application.xml, and the closest thing to
it is Project.xml.
So I put in "<set name="html5-backend" value="openfl-bitfive" />" as
the first child node of the "<project>" element.
I then run the build command, and get the following error output:
$ lime build html5
/usr/lib/haxe/lib/openfl-bitfive/2,0,1/openfl/Assets.hx:487:
characters 31-57 : DefaultAssetLibrary should be openfl.AssetLibrary
/usr/lib/haxe/lib/openfl-bitfive/2,0,1/openfl/Assets.hx:487:
characters 31-57 : For function argument 'library'
/usr/lib/haxe/lib/lime/2,0,0-alpha,7/lime/system/System.hx:75:
characters 2-35 : Class<ApplicationMain> has no field config
/usr/lib/haxe/lib/lime/2,0,0-alpha,7/lime/system/System.hx:76:
characters 2-32 : Class<ApplicationMain> has no field config
/usr/lib/haxe/lib/lime/2,0,0-alpha,7/lime/system/System.hx:77:
characters 2-24 : Class<ApplicationMain> has no field create
As you can see, the openfl-bitfive library gets invoked, however,
something goes wrong, and I do not understand the error messages.
What is going wrong here?
Anyone out there who has successfully used openfl-bitfive to compile a HaxeFlixel project, please let me know how!
Libraries and versions:
$ haxelib list
flixel-addons: [1.1.0]
flixel-demos: [1.1.1]
flixel-templates: [1.0.2]
flixel-tools: [1.0.2]
flixel-ui: [1.0.2]
flixel: [3.3.5]
hxcpp: [3.1.39]
lime: [2.0.0-alpha.7]
openfl-bitfive: [2.0.1]
openfl: [2.1.5]
You don't need to set the HTML5 backend actually, it's flixel's default backend already.
However, bitfive is not yet compatible with the most recent OpenFL / Lime versions.
There are two options:
use OpenFL's default HTML5 backend via <set name="no-custom-backend" />
downgrade to openfl 2.0.1 / lime 1.0.1 / lime-tools 1.5.7
Unfortunately, openfl-bitfive: [2.0.1] is incompatible with lime: [2.0.0-alpha.7] and openfl: [2.1.5]. You need to switch back to openfl [2.0.1] for compiling with openfl-bitfive: [2.0.1].

Find and Replace with Notepad++

I have a document that was converted from PDF to HTML for use on a company website to be referenced and indexed for search. I'm attempting to format the converted document to meet my needs, and in doing so I am attempting to clean up some of the junk that was pulled over from when it was a PDF, such as page numbers, headers, and footers. Luckily, all of these lines that need to be removed are in blocks of 4 lines; unfortunately they are not exactly the same and therefore cannot be removed with a simple literal replace. The lines contain numbers which are incremental as they correlate with the pages. How can I remove the following example from my HTML file?
Title<br>
10<br>
<hr>
<A name=11></a>Footer<br>
I've tried many different regular expression attempts, but as my skill in that area is limited I can't find the proper syntax. I'm sure I'm missing something fairly easy, as it would seem all I need is a wildcard replace for the two numbers in the code and the rest is literal.
Any help is appreciated.
The search & replace of npp is quite odd. I can't find newline characters with regular expression, although the documentation says:
As of v4.9 the Simple find/replace (control+h) has changed, allowing the use of \r \n and \t in regex mode and the extended mode.
I updated to the last version, but it just doesn't work. Using the extended mode allows me to find newlines, but I can't specify wildcards.
However, you can use the macros to overcome these problems.
prepare a search that will find a unique passage (like Title<br>\r\n, here you can use the extended mode)
start recording a macro
press F3 to use your search
mark the four lines and delete them
stop recording the macro ... done!
Just replay it and it deletes what you wanted to delete.
If I have understood your request correctly this pattern matches your string:
Title<br>( ?)\n([0-9]+)<br>( ?)\n<hr>( ?)\n<A name=([0-9]+)></a>Footer<br>
I use the Regex Coach to try out complicated regex patterns. Other utilities are available.
Edit:
As I do not use Notepad++ I cannot be sure that this pattern will work for you. Apologies if that transpires to be the case. (I'm a TextPad man myself, and it does work with that tool).
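The same pattern idea as the answer above, with the two page numbers replaced by \d+, can be checked outside any editor. The following is an added example, not from either answer: it uses Python's re module, accepts both \n and \r\n line endings (so it behaves the same on a file Notepad++ saved on Windows), and runs over a constructed HTML sample.

```python
"""Removing the 4-line page-break blocks left behind by a PDF-to-HTML conversion.

Added example, not from either answer above: it applies the pattern idea of
the second answer with Python's re module, accepting both \\n and \\r\\n line
endings so it works on files Notepad++ saved on Windows. The sample HTML is
constructed.
"""
import re

# One block: "Title<br>", a page number, "<hr>", then the anchor+footer line.
# \r?\n matches either line ending; \d+ stands in for the two incrementing
# numbers; [ \t]* tolerates trailing whitespace the converter may have left.
PAGE_BLOCK = re.compile(
    r'^Title<br>[ \t]*\r?\n'
    r'\d+<br>[ \t]*\r?\n'
    r'<hr>[ \t]*\r?\n'
    r'<A name=\d+></a>Footer<br>[ \t]*(?:\r?\n|$)',
    re.MULTILINE | re.IGNORECASE,
)


def strip_page_blocks(html: str) -> str:
    """Delete every page-break block, returning the cleaned document."""
    return PAGE_BLOCK.sub("", html)


def count_page_blocks(html: str) -> int:
    """Number of blocks the pattern would remove; useful as a dry run."""
    return len(PAGE_BLOCK.findall(html))


# Constructed sample: two page breaks, one with LF and one with CRLF endings.
SAMPLE = (
    "<p>First paragraph of the report.</p>\n"
    "Title<br>\n"
    "10<br>\n"
    "<hr>\n"
    "<A name=11></a>Footer<br>\n"
    "<p>Second paragraph.</p>\r\n"
    "Title<br>\r\n"
    "11<br>\r\n"
    "<hr>\r\n"
    "<A name=12></a>Footer<br>\r\n"
    "<p>Third paragraph.</p>\n"
)

if __name__ == "__main__":
    print(count_page_blocks(SAMPLE), "blocks found")
    print(strip_page_blocks(SAMPLE))
```

Running count_page_blocks first on the real file is the equivalent of the editor's "Count" button: if it reports fewer blocks than expected, the converter probably left whitespace or a different line ending that the pattern still has to allow for.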

iconv gives "Illegal Character" with smart quotes -- how to get rid of them?

I have a MySQL table with 120,000 lines stored in UTF-8 format. There is one field, product name, that contains text with many accents. I need to fill a second field with this same name after converting it to a url-friendly form (ASCII).
Since PHP doesn't directly handle UTF-8, I'm using:
$value = iconv ('UTF-8', 'ISO-8859-1', $value);
to convert the name to ISO-8859-1, followed by a massive strstr statement to replace any accented character by its unaccented equivalent (à becomes a, for example).
However, the original text names were entered with smart quotes, and iconv chokes whenever it comes across one -- I get:
Unknown error type: [8]
iconv() [function.iconv]: Detected an illegal character in input string
To get rid of the smart quotes before using iconv, I have tried using three statements like:
$value = str_replace('’', "'", $value);
(’ is the raw value of a UTF-8 smart single quote)
Because the text file is so long, these str_replace's cause the script to time out every single time.
What is the fastest way to strip out the smart quotes (or any invalid characters) from a UTF-8 string, prior to running iconv?
Or, is there an easier solution to this whole problem? What is the fastest way to convert a name with many accents, in UTF-8, to a name with no accents, spelled correctly, in ASCII?
Glibc (and the GNU libiconv) supports //TRANSLIT and //IGNORE suffixes.
Thus, on Linux, this works just fine:
$ echo $'\xe2\x80\x99'
’
$ echo $'\xe2\x80\x99' | iconv -futf8 -tiso8859-1
iconv: illegal input sequence at position 0
$ echo $'\xe2\x80\x99' | iconv -futf8 -tiso8859-1//translit
'
I'm not sure what iconv is in use by PHP, but the documentation implies that //TRANSLIT and //IGNORE will work there too.
What do you mean by "link-friendly"? Only way that makes sense to me, since the text between <a>...</a> tags can be anything, is actually "URL-friendly", similar to SO's URLs where everything is converted to [a-z-].
If that's what you're going for, you'll need a transliteration library, not a character set conversion library. (I've had no luck getting iconv() to do the work in the past, but I haven't tried in a while.) There's a beta PHP extension translit that probably does the job.
If you can't add extensions to your PHP install, you'll have to look for a PHP library that does the same thing. I haven't used it, but the PHP UTF-8 library implements a utf8_to_ascii library that I assume does something like what you need.
(Also, if iconv() is failing like you said, it means that your input isn't actually valid UTF-8, so no amount of replacing valid UTF-8 with anything else will help the problem. EDIT: I may take that back: if ephemient's answer is correct, the iconv error you're seeing may very well be because there's no direct representation of the character in the destination character set. So, nevermind.)
Have you considered using MySQL's REPLACE string function to change the offending strings into apostrophes, or whatever? You may be able to put together the "string to be replaced" part e.g. by using CONCAT on CHAR calls...
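What the answers describe for iconv //TRANSLIT and //IGNORE, i.e. mapping the smart quotes explicitly, splitting accents off their base letters and dropping whatever still has no ASCII form instead of aborting, can be done in a few lines of Python with the standard unicodedata module. The following is an added example, not from the PHP question or any answer; the function names, the manual mapping table and the sample product names are constructed.

```python
"""Turning an accented UTF-8 product name into a URL-friendly ASCII slug.

Added example, not from the PHP question or the answers: it does in Python
what the answers suggest for iconv //TRANSLIT, i.e. strip accents with Unicode
decomposition, map typographic quotes and dashes explicitly, and drop anything
still outside ASCII instead of aborting. Names and samples are constructed.
"""
import re
import unicodedata

# Characters NFKD does not decompose to an ASCII base letter, mapped by hand.
# Smart quotes are the case from the question; ß, æ, ø, œ are common in names.
_MANUAL = {
    "\u2018": "'", "\u2019": "'",   # single smart quotes
    "\u201c": '"', "\u201d": '"',   # double smart quotes
    "\u2013": "-", "\u2014": "-",   # en and em dash
    "\u00df": "ss", "\u00e6": "ae", "\u00c6": "AE",
    "\u00f8": "o", "\u00d8": "O", "\u0153": "oe", "\u0152": "OE",
}


def to_ascii(text: str) -> str:
    """Transliterate to ASCII: manual map first, then NFKD to split letters
    from their combining accents, then keep only the ASCII characters."""
    text = "".join(_MANUAL.get(ch, ch) for ch in text)
    decomposed = unicodedata.normalize("NFKD", text)
    # Combining marks (category Mn) are the accents split off by NFKD.
    without_marks = "".join(
        ch for ch in decomposed if unicodedata.category(ch) != "Mn"
    )
    # Anything still non-ASCII has no transliteration here and is dropped,
    # which matches iconv's //IGNORE behaviour rather than raising.
    return without_marks.encode("ascii", "ignore").decode("ascii")


def slugify(text: str) -> str:
    """Lower-case ASCII slug made of [a-z0-9-], as in StackOverflow-style URLs."""
    ascii_text = to_ascii(text).lower()
    return re.sub(r"[^a-z0-9]+", "-", ascii_text).strip("-")


if __name__ == "__main__":
    # Constructed product names with accents, smart quotes and a dash.
    for name in ["Crème brûlée ’deluxe’", "Façade – Straße", "Øresund café"]:
        print(name, "->", to_ascii(name), "->", slugify(name))
```

Because this runs once per row in a single pass, it avoids the chain of str_replace calls the question describes; the manual table is the part to extend when a name shows up with a character that NFKD leaves intact and the ASCII filter would otherwise drop silently.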