Posted to commits@roller.apache.org by "David Johnson (JIRA)" <no...@atlassian.com> on 2007/07/26 23:08:31 UTC

[Roller-JIRA] Commented: (ROL-1216) HTML allowed in the Name field of createWebsite.do causes issues. If an image tag is inserted, the image appears on main page and in the blogger directory.

    [ http://opensource.atlassian.com/projects/roller/browse/ROL-1216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_13933 ] 

David Johnson commented on ROL-1216:
------------------------------------

I don't believe there is any reason to prevent people from entering angle brackets and HTML or XML tags in a weblog name; those are valid plain text things.

At display time, we must treat the name as plain text, i.e. escape it so that any tags it contains are not interpreted as HTML. We do that consistently for our RSS/Atom feeds and we should also do it in the Roller themes.

So, the way to fix this problem in your blogger directory is to use the $utils.escapeHTML() method to escape any weblog name that you display.



> HTML allowed in the Name field of createWebsite.do causes issues. If an image tag is inserted, the image appears on main page and in the blogger directory.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ROL-1216
>                 URL: http://opensource.atlassian.com/projects/roller/browse/ROL-1216
>             Project: Roller
>          Issue Type: Bug
>          Components: User Interface - General
>    Affects Versions: 3.0
>         Environment: All
>            Reporter: Rob Wilson
>            Assignee: Allen Gilliland
>             Fix For: 4.0
>
>
> Disallow html in the Name field of createWebsite.do page. 

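The display-time escaping described in the comment, as an added example (not Roller's code and not part of the original message): a self-contained Java sketch in which `escapeHtml` and `directoryRow` are hypothetical stand-ins for `$utils.escapeHTML()` and a theme's directory listing, and the weblog names are constructed samples. It also shows what happens if the name were escaped on input as well: every output path that already escapes, such as the feeds, would then double-escape it.

```java
import java.util.List;

public class WeblogNameEscaping {

    // Minimal HTML escaper for element content and quoted attribute values
    // (hypothetical stand-in for the theme helper named in the comment).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // One row of a blogger directory; the name is escaped at display time.
    static String directoryRow(String name) {
        return "<li>" + escapeHtml(name) + "</li>";
    }

    public static void main(String[] args) {
        // Constructed sample names, stored exactly as the owner typed them.
        List<String> names = List.of(
            "Notes on <img> & <table> layout",
            "<img src=\"http://img.example/banner.png\">");

        for (String name : names) {
            // Unescaped: the browser parses the name as markup (the reported bug).
            System.out.println("raw:     <li>" + name + "</li>");
            // Escaped at display: the page shows the literal text of the name.
            System.out.println("escaped: " + directoryRow(name));
            // If the stored value had already been escaped on input, a display
            // path that escapes again would show entities instead of the name.
            System.out.println("double:  " + directoryRow(escapeHtml(name)));
        }
    }
}
```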