portlet-model-hints.xml documentation: is there such a thing?

Adam Victor Nazareth Brandizzi, modified 12 years ago

Junior Member Posts: 67 Join Date: 2010.04.30.
Hello, all!

If there is something I really love about Liferay, it is the DTDs of various XML formats. They are some of the clearest, most useful documentations I have put my eyes on. Unfortunately, however, there is no DTD for the portlet-model-hints.xml format AFAIK.

So, how could I learn about this file, the available options etc. etc? Is there some kind of reference manual for it?

Thanks in advance!
David H Nebinger, modified 12 years ago

RE: portlet-model-hints.xml documentation: is there such a thing? (Answer)

Liferay Legend Posts: 14914 Join Date: 2006.09.02.
Nope, no DTD and no manual.

Best documentation I could find was the portal-model-hints.xml file in the portal source, but even that's a struggle to get through...
Adam Victor Nazareth Brandizzi, modified 12 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

Junior Member Posts: 67 Join Date: 2010.04.30.
David H Nebinger:
Nope, no DTD and no manual.

Best documentation I could find was the portal-model-hints.xml file in the portal source, but even that's a struggle to get through...


That is sad... But thanks for the recommendation anyway.
Olaf Kock, modified 10 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

Liferay Legend Posts: 6396 Join Date: 2008.09.23.
I know this is an old thread, and as it can be found when searching for model-hints and documentation: Your voices have been heard: There's a chapter available in the developer's guide: Here's the link for 6.1, and the one for 6.2
mohammad azaruddin, modified 9 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

Expert Posts: 492 Join Date: 2012.09.17.
Olaf Kock:
I know this is an old thread, and as it can be found when searching for model-hints and documentation: Your voices have been heard: There's a chapter available in the developer's guide: Here's the link for 6.1, and the one for 6.2

Yeah, but how to set date format... Please help
David H Nebinger, modified 8 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

Liferay Legend Posts: 14914 Join Date: 2006.09.02.
Date format? Nowhere.

When you are storing a date in the database you'll typically end up using the datetime column type in the database to store an actual date value. Format is not relative in this discussion.

If you're talking about display formatting, well that also is not part of the data model at all and is left for you to manage in your portlet.
mohammad azaruddin, modified 10 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

Expert Posts: 492 Join Date: 2012.09.17.
Hi David

Can you please explain the use of

<sanitize content-type="text/html" modes="ALL" />
Adam Victor Brandizzi, modified 10 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

New Member Posts: 13 Join Date: 2013.03.11.
Hello, Mohammad.

The line

<sanitize content-type="text/html" modes="ALL" />


indicates that the values to the field should be sanitized by all modes. Of course, a question remains:

What is sanitizing?

Well, as a web developer you probably are used to escaping values to display in the HTML, right? For example, suppose you have some portlet which will receive user input, store it in the database and then display it. If your user inserts the following value in a field of your portlet...

<script>alert('XSS attack!');</script>


...and you just displayed the value from the user, other users would see an annoying alert every time they access the portlet. To avoid it we escape the value before presenting it. Instead of writing in our JSP the code below:

<%= valueFromDatabase %>


...we write this:

<%= HtmlUtil.escape(valueFromDatabase) %>


This, however, does not solve all problems. For example, we often have to display HTML content from the user - for example, a blog post - but still would like to prevent XSS. Since the user's HTML should be displayed, we cannot escape it. Also, sometimes we would want to prevent users from entering some offensive words or expressions. Both tasks (presenting XSS-free HTML content and removing blacklisted words) are much more complex than merely escaping HTML, and probably will involve resource-intensive heuristics.

Those tasks are called sanitizing and since they are much more costly than mere escaping they are executed before storing the values in the database. We cannot afford sanitizing HTML at each request, after all.

Sanitizer API, Sanitizer modes and portlet-model-hints.xml

Since version 6.0 Liferay provides the Sanitizer API. This API offers two types of sanitizing: removing offensive content (MODE_BAD_WORDS) and preventing XSS (MODE_XSS). The Sanitizer API also has MODE_ALL, which applies both modes. As we will see, the modes="ALL" in your line is to select this mode.

We can use the Sanitizer API directly at our actions and services. It is not complex, to be honest; however, if we are using the Service Builder, it can be yet easier: just add the tag <sanitize> in the target field at portlet-model-hints.xml. This tag expects two attributes: the content type of the field and one of the modes described below.

For example, in the line you posted:

<sanitize content-type="text/html" modes="ALL" />


...the field is supposed to contain HTML content and be sanitized out of all XSS attacks and curse words.

If you add the tag to the field, and choose, let us say, the XSS mode, the field value will be automatically sanitized before being persisted! It can't be easier than that, right?

A final note: the AntiSamy plugin

Now, the surprising news: the Sanitizer API does not sanitize anything - Liferay has no real sanitizer out of the box. This happens because sanitizing is a very complex task and organizations have different needs, so each one can implement its own sanitizers. If you take a look at the AntiSamy Project from OWASP, you will see there are various different ways of sanitizing HTML. Of course, there are some very, very common needs, and there is a free plugin available which addresses these needs.

To effectively sanitize your data, you should install the AntiSamy hook from marketplace. Only after deploying this plugin the Sanitizer API (either called directly or requested through portlet-model-hints.xml) will effectively clear your data.

I hope to have made it clear; maybe this text explains more details than needed, after all. If you have any question, just ask it.
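
A smoke test for the point made in the post above, that a `<sanitize>` hint only changes anything once a sanitizer implementation is deployed, and that escaping and sanitizing give different results for an HTML field. This is an added example, not code from the post or from Liferay; the class, `classify`, `escape` and the lambdas are hypothetical stand-ins, and the call into the deployed sanitizer is left for the reader to plug in.

```java
import java.util.Locale;
import java.util.function.UnaryOperator;

public class SanitizeHintSmokeTest {
    enum Verdict { PASS_THROUGH, ESCAPED, SANITIZED }

    // Harmless markup (constructed) followed by the payload quoted in the post.
    static final String SAFE = "<p>hello</p>";
    static final String PROBE = "<script>alert('XSS attack!');</script>";

    // Classify what a sanitizer did to SAFE + PROBE. This only detects the
    // "nothing is deployed" case; it says nothing about other XSS vectors.
    static Verdict classify(UnaryOperator<String> sanitizer) {
        String out = sanitizer.apply(SAFE + PROBE);
        if (out == null) {
            out = "";                      // treat a null result as "everything removed"
        }
        if (out.toLowerCase(Locale.ROOT).contains("<script")) {
            return Verdict.PASS_THROUGH;   // value would be stored unchanged
        }
        if (!out.contains(SAFE)) {
            return Verdict.ESCAPED;        // script gone, but so is the user's HTML
        }
        return Verdict.SANITIZED;          // script gone, legitimate markup kept
    }

    // Minimal output escaping, a local stand-in for the JSP-side escape call.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Identity function: the behaviour described above when no sanitizer is installed.
        System.out.println("no plugin : " + classify(s -> s));
        // Escaping neutralises the script but flattens the markup an HTML field needs.
        System.out.println("escape    : " + classify(SanitizeHintSmokeTest::escape));
        // Constructed stand-in that deletes only the known probe; NOT a real sanitizer,
        // it exists to exercise the third branch. In a portal, pass a lambda that
        // calls the deployed sanitizer instead.
        System.out.println("stand-in  : " + classify(s -> s.replace(PROBE, "")));
    }
}
```

A `PASS_THROUGH` verdict for the lambda that wraps the portal's sanitizer means the field is being persisted exactly as submitted, so output escaping remains the only protection for that value.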
mohammad azaruddin, modified 10 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

Expert Posts: 492 Join Date: 2012.09.17.
Hi Adam Victor Brandizzi

Theoretically concept is clear.... Thank you for explaining in detail
Ripal thakkar, modified 9 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

New Member Posts: 14 Join Date: 2011.06.30.
Very well explained...really helpful post...thanks Adam!
Hitoshi Ozawa, modified 12 years ago

RE: portlet-model-hints.xml documentation: is there such a thing? (Answer)

Liferay Legend Posts: 7942 Join Date: 2010.03.24.
Check the following wiki page under model hints

http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Customize+DB+Column+Sizes
Adam Victor Nazareth Brandizzi, modified 12 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

Junior Member Posts: 67 Join Date: 2010.04.30.
Hitoshi Ozawa:
Check the following wiki page under model hints

http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Customize+DB+Column+Sizes


That is a great page. Thanks! Unfortunately, it seems to be incomplete but can be helpful.
Hitoshi Ozawa, modified 12 years ago

RE: portlet-model-hints.xml documentation: is there such a thing?

Liferay Legend Posts: 7942 Join Date: 2010.03.24.
Wiki pages are written and edited by community members. If you know something that's not written yet, would appreciate if you can add to it.