This is an automated email from the ASF dual-hosted git repository.

nmalin pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 013105f047 Fixed: On webtools the FindGeneric screen 
(/webtools/entity/find/{entityName}) have an issue with the sort order.
013105f047 is described below

commit 013105f0476227f14d891b3d2cca601ee90bcad7
Author: Nicolas Malin <nicolas.ma...@nereide.fr>
AuthorDate: Thu Oct 3 10:48:36 2024 +0200

    Fixed:
    On webtools the FindGeneric screen (/webtools/entity/find/{entityName}) 
have an issue with the sort order.
    
    After a search if you click to sort the list, you lost the entityName and 
your search. The analysis look that come from the url encode 
(MacroFormRenderer.java:2141), who result a bad interpretation during ftl 
rendering.
    
      ****
        linkUrl = rh.makeLink(this.request, this.response, 
urlPath.concat(URLEncoder.encode(newQueryString, "UTF-8")));
      ****
    
    This has been introduced with jira OFBIZ-8302 for security reason.
    
    To solve this, we implement a new function on UtilCodec.java to ask it if 
we need to encode the url or not with the presence of the variable 
escapeUrlEncode.
    
    Since the check is done on the root context, we need to set this variable in our code where we want to skip the encoding, just before calling the MacroRenderer. This variable is not accessible from the request, so there is no risk for the original security fix.
---
 .../java/org/apache/ofbiz/base/util/UtilCodec.java | 22 ++++++++++++++++++++++
 .../ofbiz/webtools/entity/FindGeneric.groovy       |  5 +++++
 framework/webtools/template/entity/FindGeneric.ftl |  2 +-
 framework/webtools/template/entity/ListGeneric.ftl |  3 ++-
 .../widget/renderer/macro/MacroFormRenderer.java   |  3 +--
 5 files changed, 31 insertions(+), 4 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
index 18c8cd210e..2c7fae4427 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
@@ -390,6 +390,28 @@ public class UtilCodec {
         return working;
     }
 
+    /**
+     * Generic function to easily call url encoding with OFBiz rules
+     * @param queryString
+     * @return encoding url with OFBiz rule
+     */
+    public static String encodeUrl(String queryString) {
+        return getEncoder("url").encode(queryString);
+    }
+
+    /**
+     * Check if an escapeUrlEncode is present in the context, to escape url 
encoding in a specific case
+     * This is necessary if the url is sent to another encoding tool.
+     * @param queryString
+     * @param context
+     * @return encoding url with OFBiz rule
+     */
+    public static String encodeUrl(String queryString, Map<String, Object> 
context) {
+        return "true".equalsIgnoreCase((String) context.get("escapeUrlEncode"))
+                ? queryString
+                : encodeUrl(queryString);
+    }
+
     /**
      * Uses a black-list approach for necessary characters for HTML.
      * Does not allow various characters (after canonicalization), including
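Review bot: `encodeUrl(String, Map)` casts the context value to String, so a caller that stores a Boolean under `escapeUrlEncode` (the natural way to set it from a screen widget or Groovy) gets a ClassCastException, and a null context gets a NullPointerException. A type-tolerant read avoids both: `Object flag = context != null ? context.get("escapeUrlEncode") : null;` followed by `return flag != null && "true".equalsIgnoreCase(flag.toString()) ? queryString : encodeUrl(queryString);`. The Javadoc `@return encoding url with OFBiz rule` is also inaccurate for this overload, which returns the query string untouched when the flag is set; it should say so and name OFBIZ-8302 as the check being bypassed, since this is the only place a reader can learn that the key disables the URL encoding MacroFormRenderer relies on.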
diff --git 
a/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy
 
b/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy
index acb7f12ef8..e353a52b6d 100644
--- 
a/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy
+++ 
b/framework/webtools/src/main/groovy/org/apache/ofbiz/webtools/entity/FindGeneric.groovy
@@ -32,6 +32,11 @@ import 
org.apache.ofbiz.widget.renderer.macro.MacroFormRenderer
 import org.w3c.dom.Document
 
 ModelEntity modelEntity = null
+
+// escape the security url encoding that break the sortField with the ftl 
rendering
+// no security issue here, nothing come from the request
+context.escapeUrlEncode = "true"
+
 try {
     modelEntity = delegator.getModelEntity(parameters.entityName)
 } catch (GenericEntityException e) {
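Review bot: The comment `no security issue here, nothing come from the request` is misleading, because the query string that is now left unencoded is built from request data (`parameters.entityName` is read on the very next line); what does not come from the request is the flag itself. Suggest rewording to `// Skip UtilCodec.encodeUrl (OFBIZ-8302) for this screen: the encoded sort links are misinterpreted during ftl rendering. The flag lives only in the screen context, never in request parameters.` The flag is also set at the top of the script for the whole screen context rather than just around the form render; if that context is shared with other sections, setting it closer to the MacroFormRenderer call (or resetting it afterwards) would limit the bypass. The rest of the script, including the render call, is outside the hunk.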
diff --git a/framework/webtools/template/entity/FindGeneric.ftl 
b/framework/webtools/template/entity/FindGeneric.ftl
index dd11ef656d..2c8e821679 100644
--- a/framework/webtools/template/entity/FindGeneric.ftl
+++ b/framework/webtools/template/entity/FindGeneric.ftl
@@ -17,5 +17,5 @@ specific language governing permissions and limitations
 under the License.
 -->
     <#if entityName?has_content>
-        ${dynamicAutoEntitySearchForm?string}
+        ${StringUtil.wrapString(dynamicAutoEntitySearchForm)}
     </#if>
\ No newline at end of file
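Review bot: Replacing `?string` with `StringUtil.wrapString(...)` hands the rendered form to FreeMarker as markup that bypasses its auto-escaping, so any attribute or query value the form renderer emits now reaches the page exactly as the renderer wrote it; the same applies to the `dynamicAutoEntityListForm` line in ListGeneric.ftl. Nothing in the hunk records that this presumably relies on MacroFormRenderer escaping its own output, so a one-line `<#-- form markup is already escaped by the widget renderer; it must not be escaped again here --#>` next to it would keep a later maintainer from re-adding `?string` or from wrapping other, unescaped variables the same way.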
diff --git a/framework/webtools/template/entity/ListGeneric.ftl 
b/framework/webtools/template/entity/ListGeneric.ftl
index 60258fe7ca..f4e8fd4711 100644
--- a/framework/webtools/template/entity/ListGeneric.ftl
+++ b/framework/webtools/template/entity/ListGeneric.ftl
@@ -1,3 +1,4 @@
+<#ftl output_format="plainText">
 <#--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
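Review bot: `<#ftl output_format="plainText">` turns off HTML auto-escaping for the whole template, not just for the wrapped form, so the `${uiLabelMap['genericWebEvent.entity_name_not_specified']}` interpolation in the second hunk is now emitted unescaped as well. FindGeneric.ftl received the wrapString change without this directive, so the two templates now differ in a way the commit message does not explain; if the directive is needed only for the form output, prefer keeping the template's default output format and relying on wrapString alone, otherwise a comment such as `<#-- plainText: the widget renderer already produces escaped HTML; keep every other interpolation in this template static --#>` should state why it is safe.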
@@ -17,7 +18,7 @@ specific language governing permissions and limitations
 under the License.
 -->
     <#if entityName?has_content>
-        ${dynamicAutoEntityListForm?string}
+        ${StringUtil.wrapString(dynamicAutoEntityListForm)}
     <#else>
         ${uiLabelMap['genericWebEvent.entity_name_not_specified']}
     </#if>
diff --git 
a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
 
b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
index cd2602e8c8..d087fbbe09 100644
--- 
a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
+++ 
b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
@@ -22,7 +22,6 @@ import java.io.IOException;
 import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.net.URLEncoder;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -2138,7 +2137,7 @@ public final class MacroFormRenderer implements 
FormStringRenderer {
                 newQueryString = 
newQueryString.replace("?null=LinkFromQBEString", 
"?sortField=LinkFromQBEString");
                 linkUrl = rh.makeLink(this.request, this.response, 
urlPath.concat(newQueryString));
             } else {
-                linkUrl = rh.makeLink(this.request, this.response, 
urlPath.concat(URLEncoder.encode(newQueryString, "UTF-8")));
+                linkUrl = rh.makeLink(this.request, this.response, 
urlPath.concat(UtilCodec.encodeUrl(newQueryString, context)));
             }
         }
         StringWriter sr = new StringWriter();
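Review bot: The non-bypass path changes encoder, from `java.net.URLEncoder.encode(..., "UTF-8")` to `UtilCodec.encodeUrl`, for every form that reaches this branch, not only the webtools screens the commit is about; if the two encoders differ (for example in how spaces or reserved characters are written), every other sort link changes too, and the commit message does not say the outputs were compared. It would be worth asserting that equivalence in a test or noting it in the message. With URLEncoder gone, `java.io.UnsupportedEncodingException` (still imported in the first hunk) and any `throws UnsupportedEncodingException` on the enclosing method may now be dead; the method signature is outside the hunk, so please check. A short comment at the call site, `// escapeUrlEncode in the context skips this encoding (OFBIZ-8302); see UtilCodec.encodeUrl`, would explain why the decision is made in UtilCodec rather than here.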
