Windchill 9.1 - Rendering readonly Workflow variables in HTML format

ddemay
1-Newbie

Sounds like you need your own task form template JSP file to use. They are mentioned, I think, in the customizer's guide and the workflow section of the biz admin guide.

Sounds like HTML output in wf variables is being escaped, so it is ignored by the browser and not rendered. Google HTML guides on how to display HTML tags in a webpage and that'll provide a clue as to how to bypass it using a custom task form template.


Thanks Iker,
Setting com.ptc.netmarkets.outputFilter to false did the trick.
Does anyone know about any side effects of setting this property to
false?

Regards
Vivek
avillanueva
22-Sapphire II
(To:ddemay)

I guess when you have large text fields, users can enter characters that
might be valid for what they are writing but would be interpreted as
HTML code. So when the webpage renders those text blocks, it can get
all fouled up.


jessh
5-Regular Member
(To:ddemay)

More than that -- not escaping such text will allow users to enter XSS
(cross-site scripting) attacks.

If the user enters something like:

This is my innocent description. <script>doSomethingNasty()</script>

That's not an issue if outputFilter is set to true and the pages which
render this input render it exactly as shown.

Setting outputFilter to false will ensure that pages which use
this property to control how they output will show:

This is my innocent description.

but will silently invoke doSomethingNasty().

Generally speaking allowing users to enter arbitrary HTML tags (and then
rendering them without escaping) is not a good thing and should be
disallowed except in cases where a really strict white list of allowable
markup is used to veto anything that is not absolutely known to be innocent.

--
Jess Holle
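
An added example, not part of the thread and not Windchill's own filter: a Python standard-library sketch of the strict allowlist described above, where only known-innocent tags are re-emitted (without attributes) and everything else is escaped as text. The `ALLOWED_TAGS` set and the names `AllowlistRenderer` and `render_allowlisted` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption for this example: a small allowlist of formatting tags, no attributes.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "ul", "ol", "li"}
# Constructed sample: the description quoted in the post above.
SAMPLE = "This is my innocent description. <script>doSomethingNasty()</script>"


class AllowlistRenderer(HTMLParser):
    """Re-emit allowlisted tags without attributes; escape all else (comments are dropped)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # Attributes are never copied, so onclick=, style=, href= cannot survive.
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)
        else:
            self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close any tags still open inside this one to keep the output balanced.
            while self.open_tags:
                closing = self.open_tags.pop()
                self.out.append(f"</{closing}>")
                if closing == tag:
                    break
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))


def render_allowlisted(text):
    """Keep only ALLOWED_TAGS as markup; all other input is shown as literal text."""
    parser = AllowlistRenderer()
    parser.feed(text)
    parser.close()
    closers = "".join(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out) + closers
```

For `SAMPLE` the result is identical to `html.escape(SAMPLE)`, so the script tag is displayed rather than executed, while input such as `<b>bold</b>` still renders as bold.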

AL_ANDERSON
5-Regular Member
(To:ddemay)

Have you tried this?

Through the site.xconf set the following entry in wt.properties. (Default
value was true)

com.ptc.netmarkets.outputFilter=false

Al Anderson
Solar Turbines Incorporated.


"Lockwood,Mike,IRVINE,R&D" <mike.lockwood@alconlabs.com>
02/10/2010 09:48 AM
To: "Phadnis, Vivek" <vivek.phadnis@stryker.com>
Subject: [solutions] - RE: Windchill 9.1 - Rendering readonly Workflow variables in HTML format