Fixed:

On webtools the FindGeneric screen (/webtools/entity/find/{entityName}) have an issue with the sort order. After a search if you click to sort the list, you lost the entityName and your search. The analysis look that come from the url encode (MacroFormRenderer.java:2141), who result a bad interpretation during ftl rendering. **** linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(URLEncoder.encode(newQueryString, "UTF-8"))); **** This has been introduced with jira OFBIZ-8302 for security reason. To solve this, we implement a new function on UtilCodec.java to ask it if we need to encode the url or not with the presence of the variable escapeUrlEncode. Like is test on root context, we need to set this variable on our code where we want to escape the encoding, just before call the MacroRenderer. This it not accessible from the request so no risk for the security origin fix.
apache · Oct 3, 2024 · 013105f · 013105f
1 parent 8f5412a
commit 013105f
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 4 deletions.
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -390,6 +390,28 @@ static String canonicalize(String input, boolean restrictMultiple, boolean restr
         return working;
     }
 
+    /**
+     * Generic function to easily call url encoding with OFBiz rules
+     * @param queryString
+     * @return encoding url with OFBiz rule
+     */
+    public static String encodeUrl(String queryString) {
+        return getEncoder("url").encode(queryString);
+    }
+
+    /**
+     * Check if an escapeUrlEncode is present in the context, to escape url encoding in a specific case
+     * This is necessary if the url is sent to another encoding tool.
+     * @param queryString
+     * @param context
+     * @return encoding url with OFBiz rule
+     */
+    public static String encodeUrl(String queryString, Map<String, Object> context) {
+        return "true".equalsIgnoreCase((String) context.get("escapeUrlEncode"))
+                ? queryString
+                : encodeUrl(queryString);
+    }
+
     /**
      * Uses a black-list approach for necessary characters for HTML.
      * Does not allow various characters (after canonicalization), including

diff --git a/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy b/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy
@@ -32,6 +32,11 @@ import org.apache.ofbiz.widget.renderer.macro.MacroFormRenderer
 import org.w3c.dom.Document
 
 ModelEntity modelEntity = null
+
+// escape the security url encoding that break the sortField with the ftl rendering
+// no security issue here, nothing come from the request
+context.escapeUrlEncode = "true"
+
 try {
     modelEntity = delegator.getModelEntity(parameters.entityName)
 } catch (GenericEntityException e) {

diff --git a/framework/webtools/template/entity/FindGeneric.ftl b/framework/webtools/template/entity/FindGeneric.ftl
@@ -17,5 +17,5 @@ specific language governing permissions and limitations
 under the License.
 -->
     <#if entityName?has_content>
-        ${dynamicAutoEntitySearchForm?string}
+        ${StringUtil.wrapString(dynamicAutoEntitySearchForm)}
     </#if>
diff --git a/framework/webtools/template/entity/ListGeneric.ftl b/framework/webtools/template/entity/ListGeneric.ftl
@@ -1,3 +1,4 @@
+<#ftl output_format="plainText">
 <#--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
@@ -17,7 +18,7 @@ specific language governing permissions and limitations
 under the License.
 -->
     <#if entityName?has_content>
-        ${dynamicAutoEntityListForm?string}
+        ${StringUtil.wrapString(dynamicAutoEntityListForm)}
     <#else>
         ${uiLabelMap['genericWebEvent.entity_name_not_specified']}
     </#if>
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
@@ -22,7 +22,6 @@
 import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.net.URLEncoder;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -2138,7 +2137,7 @@ public void renderSortField(Appendable writer, Map<String, Object> context, Mode
                 newQueryString = newQueryString.replace("?null=LinkFromQBEString", "?sortField=LinkFromQBEString");
                 linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(newQueryString));
             } else {
-                linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(URLEncoder.encode(newQueryString, "UTF-8")));
+                linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(UtilCodec.encodeUrl(newQueryString, context)));
             }
         }
         StringWriter sr = new StringWriter();