From 1740018f469e906380a3ebcab74d7ac84cfd10a4 Mon Sep 17 00:00:00 2001 From: Nicolas Malin Date: Thu, 3 Oct 2024 10:48:36 +0200 Subject: [PATCH] Fixed: On webtools the FindGeneric screen (/webtools/entity/find/{entityName}) has an issue with the sort order. After a search, if you click to sort the list, you lose the entityName and your search criteria. The analysis shows that this comes from the URL encoding (MacroFormRenderer.java:2141), which results in a bad interpretation during ftl rendering. **** linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(URLEncoder.encode(newQueryString, "UTF-8"))); **** This was introduced with jira OFBIZ-8302 for security reasons. To solve this, we implement a new function in UtilCodec.java that decides whether the url needs to be encoded or not, based on the presence of the variable escapeUrlEncode. Since it is tested on the root context, we need to set this variable in our own code where we want to skip the encoding, just before calling the MacroRenderer. It is not accessible from the request, so the original security fix is not weakened. --- .../org/apache/ofbiz/base/util/UtilCodec.java | 22 +++++++++++++++++++ .../ofbiz/webtools/entity/FindGeneric.groovy | 5 +++++ .../webtools/template/entity/FindGeneric.ftl | 2 +- .../webtools/template/entity/ListGeneric.ftl | 3 ++- .../renderer/macro/MacroFormRenderer.java | 3 +-- 5 files changed, 31 insertions(+), 4 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java index 18c8cd210e2..2c7fae4427c 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java 
@@ -390,6 +390,28 @@ static String canonicalize(String input, boolean restrictMultiple, boolean restr return working; } + /** + * Generic function to easily call url encoding with OFBiz rules + * @param queryString + * @return encoding url with OFBiz rule + */ + public static String encodeUrl(String queryString) { + return getEncoder("url").encode(queryString); + } + + /** + * Check if an escapeUrlEncode is present in the context, to escape url encoding in a specific case + * This is necessary if the url is sent to another encoding tool. + * @param queryString + * @param context + * @return encoding url with OFBiz rule + */ + public static String encodeUrl(String queryString, Map context) { + return "true".equalsIgnoreCase((String) context.get("escapeUrlEncode")) + ? queryString + : encodeUrl(queryString); + } + /** * Uses a black-list approach for necessary characters for HTML. * Does not allow various characters (after canonicalization), including diff --git a/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy b/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy index acb7f12ef8d..e353a52b6d6 100644 --- a/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy +++ b/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy @@ -32,6 +32,11 @@ import org.apache.ofbiz.widget.renderer.macro.MacroFormRenderer import org.w3c.dom.Document ModelEntity modelEntity = null + +// escape the security url encoding that break the sortField with the ftl rendering +// no security issue here, nothing come from the request +context.escapeUrlEncode = "true" + try { modelEntity = delegator.getModelEntity(parameters.entityName) } catch (GenericEntityException e) { diff --git a/framework/webtools/template/entity/FindGeneric.ftl b/framework/webtools/template/entity/FindGeneric.ftl index dd11ef656da..2c8e8216798 100644 
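Review bot: `encodeUrl(String, Map)` casts `context.get("escapeUrlEncode")` straight to `String`, so a caller that sets the flag as a Boolean (the natural Groovy spelling, `context.escapeUrlEncode = true`) gets a ClassCastException out of the link renderer instead of a skipped encoding, and a null `context` gives an NPE; read it defensively: `Object flag = context == null ? null : context.get("escapeUrlEncode");` followed by `return flag != null && "true".equalsIgnoreCase(flag.toString()) ? queryString : encodeUrl(queryString);`. The Javadoc `@return encoding url with OFBiz rule` on the two-argument overload is wrong for the bypass case; make it `@return queryString unchanged when the context flag "escapeUrlEncode" is "true", otherwise the OFBiz url-encoded form`, and state in the method comment that the flag disables an encoding added for OFBIZ-8302, so callers must themselves guarantee the string is escaped downstream. The raw `Map` parameter could be typed (`Map<String, ?>`) so the unchecked lookup is visible to the compiler.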
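Review bot: `context.escapeUrlEncode = "true"` is set at the top of the script, before the entity lookup even runs, so if this `context` is the shared screen MapStack the bypass is not scoped to the one MacroFormRenderer call the comment alludes to but to every sort link rendered from that context for the rest of the request (the renderer call itself is outside this hunk). Set the flag immediately before that call and clear it afterwards, `context.escapeUrlEncode = "true"` / `...render...` / `context.remove("escapeUrlEncode")`, or document why screen-wide scope is intended. The comment `no security issue here, nothing come from the request` also oversells it: the flag is a constant, but the query string it exempts from encoding is built from the form's parameters, which on a search screen presumably include request values — reword to `// The flag itself is constant; the query string it exempts still carries request parameters, which must be escaped by the renderer/template instead.`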
--- a/framework/webtools/template/entity/FindGeneric.ftl +++ b/framework/webtools/template/entity/FindGeneric.ftl @@ -17,5 +17,5 @@ specific language governing permissions and limitations under the License. --> <#if entityName?has_content> - ${dynamicAutoEntitySearchForm?string} + ${StringUtil.wrapString(dynamicAutoEntitySearchForm)} \ No newline at end of file diff --git a/framework/webtools/template/entity/ListGeneric.ftl b/framework/webtools/template/entity/ListGeneric.ftl index 60258fe7ca0..f4e8fd4711b 100644 --- a/framework/webtools/template/entity/ListGeneric.ftl +++ b/framework/webtools/template/entity/ListGeneric.ftl @@ -1,3 +1,4 @@ +<#ftl output_format="plainText"> <#-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file @@ -17,7 +18,7 @@ specific language governing permissions and limitations under the License. --> <#if entityName?has_content> - ${dynamicAutoEntityListForm?string} + ${StringUtil.wrapString(dynamicAutoEntityListForm)} <#else> ${uiLabelMap['genericWebEvent.entity_name_not_specified']} diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java index cd2602e8c8d..d087fbbe09a 100644 --- a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java +++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java @@ -22,7 +22,6 @@ import java.io.StringWriter; import java.io.UnsupportedEncodingException; import java.net.URI; -import java.net.URLEncoder; import java.util.ArrayList; import java.util.HashSet; import java.util.Iterator; 
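Review bot: The two templates are treated differently without explanation: FindGeneric.ftl only switches to `StringUtil.wrapString(...)`, while ListGeneric.ftl additionally adds `<#ftl output_format="plainText">`, which turns off auto-escaping for the whole template, including the `${uiLabelMap['genericWebEvent.entity_name_not_specified']}` branch that is not renderer output. If `wrapString` alone fixes the double encoding (as it apparently does in FindGeneric.ftl), drop the `plainText` directive here; if it is needed, FindGeneric.ftl should get it too and the reason recorded. Either way, since the form HTML is now emitted unescaped, add a note at the top of the template such as `<#-- The form is rendered by MacroFormRenderer and emitted as-is; all escaping of user-supplied values must happen in the renderer, never by interpolating request values here -->`.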
@@ -2138,7 +2137,7 @@ public void renderSortField(Appendable writer, Map context, Mode
 newQueryString = newQueryString.replace("?null=LinkFromQBEString", "?sortField=LinkFromQBEString");
 linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(newQueryString));
 } else {
- linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(URLEncoder.encode(newQueryString, "UTF-8")));
+ linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(UtilCodec.encodeUrl(newQueryString, context)));
 }
 }
 StringWriter sr = new StringWriter();
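Review bot: The new else branch hands `newQueryString` to `rh.makeLink` without URL encoding whenever the context carries `escapeUrlEncode`, i.e. on the FindGeneric screen the very parameters that OFBIZ-8302 started encoding now travel raw, and the templates that consume the rendered form in this patch (`wrapString`, `plainText`) will not escape them again; whether `linkUrl` is still attribute-encoded by the sort-field macro is not visible in this hunk and should be confirmed before merging. A one-line comment would stop the next reader from "fixing" it back: `// "escapeUrlEncode" in the context skips the OFBIZ-8302 encoding for callers that re-emit the rendered form themselves (webtools FindGeneric); the macro must still escape linkUrl as an attribute`. Also, `URLEncoder.encode(String, String)` was the source of the checked `UnsupportedEncodingException` here (its import is kept); if the surrounding try/catch or throws clause existed only for it, it is now dead — `renderSortField` continues outside this hunk, so check there.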