IBM Support

Unable to display images with special characters in URL in Sterling web store

Troubleshooting


Problem

Item images whose file names contain special characters are not rendered in IBM Sterling Web Store.

Symptom

Steps to reproduce:

  1. Create a content location in Application Manager. In the content location, specify the URL of the image server with the complete path where the images are stored.
    Application Manager-Catalog Management-Catalog configuration-Assets-Content Location.

  2. Log in to SBC, search for an item and open the Item Details screen.

  3. On the Item Details screen, click Merchandising and Sales-Manage Sales Information.

  4. Select the Item Image Server (configured in step 1) and enter the item image file name (e.g. 1234?$test).

  5. Click Save.
    The image is not displayed.

  6. Now edit the item image file name to 1234 and save. The image is displayed correctly.

Cause

Because WSC is a web application, it needs additional security
measures. In this case, the image URL is escaped to sanitize the input
and to prevent JavaScript-based attacks.

Diagnosing The Problem

When you view the image properties of the broken image in Sterling WebStore, the ? and $ characters are encoded, which appears to be the cause of the image not being found on the image server.

Resolving The Problem

Because WSC is a web application, it needs additional security measures. In this case, the image URL is escaped to sanitize the input and to prevent JavaScript-based attacks. If the URL does not contain any special characters, the escaped string is the same as the original string, so the image loads as expected. The escaping of the image URL is intended behavior and is done for security purposes. The issue here seems to be with Adobe Scene7.

Adobe documents the following approach as an alternative way to specify dollar signs in a URL:
http://helpx.adobe.com/experience-manager/scene7/kb/base/image-not-appearing-layered-templates/problem-templates-web-e-mail.html

However, this approach can make it difficult to update hundreds of items whose names contain the special characters.

Workaround:
You have to extend the file and change it to skip escaping the $ signs. Note that with this approach, any change to the original shipped file has to be reconciled with the extended file. Because this is a core platform file, very few changes are expected.

  1. Make a copy of the file
    <YFS_RT>repositoryeardataplatform_uifwkdojo_framework10warplatformscriptsscplatdojowidgetsImage.js

    and save it as
    <YFS_RT>repositoryeardataplatform_uifwkdojo_framework10extnplatformscriptsscplatdojowidgetsImage.js

  2. In the new location (extn), replace the occurrence of encodeURIComponent() with encodeURI().

  3. Rebuild the EAR/WAR and redeploy.

    With the above change, the product does not give up application security completely, but if there is a way to use these unescaped literals for an exploit, that part is left open.
    The encodeURI() function is used to encode a URI.

    This function encodes special characters, except: , / ? : @ & = + $ #. (Use encodeURIComponent() to encode these characters.)
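The difference between the two functions for the file name from the reproduction steps, as an added example that is not IBM's Image.js code. The helper names and the image server host are hypothetical; `encodeExcept()` is a narrower variant, assumed here for comparison, that keeps `encodeURIComponent()` and restores only the characters the image server needs.

```javascript
// Added example; not the shipped Image.js. All names below are hypothetical.

// The characters the technote lists as left unescaped by encodeURI().
const RESERVED = [",", "/", "?", ":", "@", "&", "=", "+", "$", "#"];

// Which of the listed characters does a given encoder rewrite?
function escapedBy(encode) {
  return RESERVED.filter((ch) => encode(ch) !== ch);
}

// Narrower variant: escape everything encodeURIComponent() escapes,
// then restore only the characters named in `allow`.
// Safe to reverse this way because a literal "%" is itself encoded as "%25",
// so "%24" in the output can only come from a real "$".
function encodeExcept(value, allow) {
  let out = encodeURIComponent(value);
  for (const ch of allow) {
    out = out.split(encodeURIComponent(ch)).join(ch);
  }
  return out;
}

// Build the URL the browser requests from the image server.
function buildImageUrl(base, fileName, encode) {
  return base + encode(fileName);
}

// Constructed sample values: the host is a placeholder, the file name is
// the one from step 4 of the reproduction steps.
const base = "https://images.example.com/is/image/";
const name = "1234?$test";

const shipped = buildImageUrl(base, name, encodeURIComponent);
const workaround = buildImageUrl(base, name, encodeURI);
const dollarOnly = buildImageUrl(base, name, (v) => encodeExcept(v, ["$"]));
const both = buildImageUrl(base, name, (v) => encodeExcept(v, ["?", "$"]));

console.log("shipped    :", shipped);    // ? and $ are percent-encoded
console.log("workaround :", workaround); // every listed character passes through
console.log("$ only     :", dollarOnly);
console.log("? and $    :", both);
console.log("listed characters no longer escaped after the workaround:",
  escapedBy(encodeURIComponent).filter((c) => !escapedBy(encodeURI).includes(c)));
```

The last line lists everything the workaround stops escaping, which is the part the technote describes as left open; the allow-list variant limits that to the characters actually present in the image names.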


Document Information

Modified date:
11 February 2020

UID

swg21962555