You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Stefan Bohn (JIRA)" <ji...@apache.org> on 2010/01/28 09:53:34 UTC
[jira] Created: (JSPWIKI-633) changenote and replaceEntities
changenote and replaceEntities
------------------------------
Key: JSPWIKI-633
URL: https://issues.apache.org/jira/browse/JSPWIKI-633
Project: JSPWiki
Issue Type: Bug
Components: Core & storage
Affects Versions: 2.8.3
Environment: Redhat Linux, Tomcat 6.0.16
Reporter: Stefan Bohn
Priority: Minor
When editing a page, you can enter the changenote.
Edit.jsp, Line 45:
String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" ) );
RecentChangePlugin.java, Line 217
row.addElement( new td(changenote != null ? TextUtil.replaceEntities(changenote) : "").setClass("changenote") );
So the entities of the text entered via Edit.jsp are replaced twice.
PageRenamer.java Lines 139 and 206:
p.setAttribute( WikiPage.CHANGENOTE, fromPage.getName()+" ==> "+toPage.getName() );
TextUtil.replaceEntities is not called.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (JSPWIKI-633) changenote and replaceEntities
Posted by "Stefan Bohn (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806353#action_12806353 ]
Stefan Bohn commented on JSPWIKI-633:
-------------------------------------
When someone edits a page and adds a changenote like "change a -> b" it will then be displayed on the recent changes like "change a-> b".
This is, that while saving the changenote > will be replaced by >
Then when generating the recent changes the & will again be replaced by & leading to the double qouted output.
Renaming a page writes the changenot as ==> and recent changes generates ==>
> changenote and replaceEntities
> ------------------------------
>
> Key: JSPWIKI-633
> URL: https://issues.apache.org/jira/browse/JSPWIKI-633
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.8.3
> Environment: Redhat Linux, Tomcat 6.0.16
> Reporter: Stefan Bohn
> Priority: Minor
>
> When editing a page, you can enter the changenote.
> Edit.jsp, Line 45:
> String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" ) );
> RecentChangePlugin.java, Line 217
> row.addElement( new td(changenote != null ? TextUtil.replaceEntities(changenote) : "").setClass("changenote") );
> So the entities of the text entered via Edit.jsp are replaced twice.
> PageRenamer.java Lines 139 and 206:
> p.setAttribute( WikiPage.CHANGENOTE, fromPage.getName()+" ==> "+toPage.getName() );
> TextUtil.replaceEntities is not called.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (JSPWIKI-633) changenote and replaceEntities
Posted by "Stefan Bohn (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806417#action_12806417 ]
Stefan Bohn commented on JSPWIKI-633:
-------------------------------------
Harry,
the quoting with replaceEntity is ok, but it should only be done once...
When you edit a page, the changenote gets quoted.
And when the RecentChangePlugin reads the changenote from the file, it is again quoted.
So the generated html is double qouted and you see the html-entity instead of the expected sign on the webpage.
(using spaces between chars because of JIRA... I'm still struggling with JIRA markup ;) )
user input: >
saved file contains: & g t ;
generated html from RecentChangePlugin: & a m p ; g t ;
with rename, the saved file contains: = = >
generated html from RecentChangePlugin: = = & g t ;
Both places, where the changenote is saved, should replace the entites. So the RecentChangePlugin must not replace it again.
(hope, JIRA does not mix up my text again...)
> changenote and replaceEntities
> ------------------------------
>
> Key: JSPWIKI-633
> URL: https://issues.apache.org/jira/browse/JSPWIKI-633
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.8.3
> Environment: Redhat Linux, Tomcat 6.0.16
> Reporter: Stefan Bohn
> Priority: Minor
>
> When editing a page, you can enter the changenote.
> Edit.jsp, Line 45:
> String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" ) );
> RecentChangePlugin.java, Line 217
> row.addElement( new td(changenote != null ? TextUtil.replaceEntities(changenote) : "").setClass("changenote") );
> So the entities of the text entered via Edit.jsp are replaced twice.
> PageRenamer.java Lines 139 and 206:
> p.setAttribute( WikiPage.CHANGENOTE, fromPage.getName()+" ==> "+toPage.getName() );
> TextUtil.replaceEntities is not called.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (JSPWIKI-633) changenote and replaceEntities
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806398#action_12806398 ]
Harry Metske commented on JSPWIKI-633:
--------------------------------------
I am a bit confused about what you are considering a bug.
Is it the replacement of {noformat}>{noformat} by {noformat}>{noformat} , or the fact that we don't call ReplaceEntities during page rename ?
We do the replaceEntities for security reasons on input fields like changnote, where bad guys coud stick in something like {noformat}<script>alert('XSS')</script>{noformat}
While renaming a page, you cannot enter a changenote or something else that contains user-supplied input.
Can you describe what change you think is necessary ?
> changenote and replaceEntities
> ------------------------------
>
> Key: JSPWIKI-633
> URL: https://issues.apache.org/jira/browse/JSPWIKI-633
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.8.3
> Environment: Redhat Linux, Tomcat 6.0.16
> Reporter: Stefan Bohn
> Priority: Minor
>
> When editing a page, you can enter the changenote.
> Edit.jsp, Line 45:
> String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" ) );
> RecentChangePlugin.java, Line 217
> row.addElement( new td(changenote != null ? TextUtil.replaceEntities(changenote) : "").setClass("changenote") );
> So the entities of the text entered via Edit.jsp are replaced twice.
> PageRenamer.java Lines 139 and 206:
> p.setAttribute( WikiPage.CHANGENOTE, fromPage.getName()+" ==> "+toPage.getName() );
> TextUtil.replaceEntities is not called.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (JSPWIKI-633) changenote and replaceEntities
Posted by "Stefan Bohn (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806355#action_12806355 ]
Stefan Bohn commented on JSPWIKI-633:
-------------------------------------
Oh, JIRA generates strikethrough...
It was "change a <minus><greater than> b" will be displayed like "change a <minus><ambersand>gt<semicolon> b"
a->b
a & gt; b
> changenote and replaceEntities
> ------------------------------
>
> Key: JSPWIKI-633
> URL: https://issues.apache.org/jira/browse/JSPWIKI-633
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.8.3
> Environment: Redhat Linux, Tomcat 6.0.16
> Reporter: Stefan Bohn
> Priority: Minor
>
> When editing a page, you can enter the changenote.
> Edit.jsp, Line 45:
> String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" ) );
> RecentChangePlugin.java, Line 217
> row.addElement( new td(changenote != null ? TextUtil.replaceEntities(changenote) : "").setClass("changenote") );
> So the entities of the text entered via Edit.jsp are replaced twice.
> PageRenamer.java Lines 139 and 206:
> p.setAttribute( WikiPage.CHANGENOTE, fromPage.getName()+" ==> "+toPage.getName() );
> TextUtil.replaceEntities is not called.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (JSPWIKI-633) changenote and replaceEntities done
multiple times
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harry Metske updated JSPWIKI-633:
---------------------------------
Security: (was: Security Vulnerability Disclosure)
> changenote and replaceEntities done multiple times
> --------------------------------------------------
>
> Key: JSPWIKI-633
> URL: https://issues.apache.org/jira/browse/JSPWIKI-633
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage, Default template
> Affects Versions: 2.8.3
> Environment: Redhat Linux, Tomcat 6.0.16
> Reporter: Stefan Bohn
> Assignee: Harry Metske
> Priority: Minor
> Fix For: 2.8.4
>
> Attachments: ff.patch
>
>
> When editing a page, you can enter the changenote.
> Edit.jsp, Line 45:
> String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" ) );
> RecentChangePlugin.java, Line 217
> row.addElement( new td(changenote != null ? TextUtil.replaceEntities(changenote) : "").setClass("changenote") );
> So the entities of the text entered via Edit.jsp are replaced twice.
> PageRenamer.java Lines 139 and 206:
> p.setAttribute( WikiPage.CHANGENOTE, fromPage.getName()+" ==> "+toPage.getName() );
> TextUtil.replaceEntities is not called.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (JSPWIKI-633) changenote and replaceEntities
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12806035#action_12806035 ]
Harry Metske commented on JSPWIKI-633:
--------------------------------------
Stefan,
why do you think it is necessary to "replaceEntities" on pageNames ?
regards,
Harry
> changenote and replaceEntities
> ------------------------------
>
> Key: JSPWIKI-633
> URL: https://issues.apache.org/jira/browse/JSPWIKI-633
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.8.3
> Environment: Redhat Linux, Tomcat 6.0.16
> Reporter: Stefan Bohn
> Priority: Minor
>
> When editing a page, you can enter the changenote.
> Edit.jsp, Line 45:
> String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" ) );
> RecentChangePlugin.java, Line 217
> row.addElement( new td(changenote != null ? TextUtil.replaceEntities(changenote) : "").setClass("changenote") );
> So the entities of the text entered via Edit.jsp are replaced twice.
> PageRenamer.java Lines 139 and 206:
> p.setAttribute( WikiPage.CHANGENOTE, fromPage.getName()+" ==> "+toPage.getName() );
> TextUtil.replaceEntities is not called.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.