Posted to notifications@ofbiz.apache.org by "Swapnil M Mane (JIRA)" <ji...@apache.org> on 2018/04/21 04:09:00 UTC

[jira] [Commented] (OFBIZ-10356) display of entities in text input field

    [ https://issues.apache.org/jira/browse/OFBIZ-10356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16446622#comment-16446622 ] 

Swapnil M Mane commented on OFBIZ-10356:
----------------------------------------

Thanks [~rmallah] for reporting this issue.

Hi team,

Special characters in the product name are shown due to HTML escaping in the code.

ofbiz/applications/product/template/product/EditProductContent.ftl at line 48
{code:java}
<input type="text" name="productName" value="${(product.productName?html)!}" size="30" maxlength="60"/>
{code}
This change was intentional, done by Jacques many years ago at [r490268|https://lists.apache.org/thread.html/3a9cf63564e4a29eff76b70cba4933ac846cb08f92648b021cb61726@1167115681@%3Ccommits.ofbiz.apache.org%3E] to fix an issue.
I guess this change was done to protect from Script Injection Attacks.

IMO, trusted authorized users have permission to change the product attributes (here name), so I think we can remove the Auto-escaping of HTML, i.e.
{code:java}
<input type="text" name="productName" value="${(product.productName)!}" size="30" maxlength="60"/>
{code}
I would like to know the community's thoughts on removing HTML escaping from this code, thank you!

> display of entities in text input field
> ---------------------------------------
>
>                 Key: OFBIZ-10356
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10356
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: product
>            Reporter: Rajesh Kumar Mallah
>            Assignee: Swapnil M Mane
>            Priority: Minor
>
>  
> In the url:
> [https://demo-stable.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1006-1]
>  
> the "Product Name" under "Override Simple Fields" is unnecessarily
> expressed in entity format. The string displayed in the product name
> field is: "Open Gizmo &#x28;LGPL&#x29;"; it could have been a
> simple "Open Gizmo (LGPL)".
>  
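The symptom in the report (the field shows the literal text `&#x28;LGPL&#x29;`) is what double escaping looks like: the stored product name already contains HTML character references, and FreeMarker's `?html` built-in then escapes the `&` of each reference a second time, so the browser decodes only the outer layer. The Python below is an added illustration, not OFBiz code: it models the `?html` built-in, models how a browser decodes the `value` attribute, and walks through the three cases discussed above (plain name, pre-encoded name with escaping, pre-encoded name without escaping). It also shows, with a harmless product name containing an inch mark, why removing escaping entirely breaks the attribute, and a "decode once, then escape once" normalisation; that normalisation is this example's own suggestion and is not something proposed on the page.

```python
import html
import re

# Constructed sample values (not taken from the OFBiz database).
PLAIN_NAME = "Open Gizmo (LGPL)"
STORED_NAME_ENCODED = "Open Gizmo &#x28;LGPL&#x29;"   # already entity-encoded once in storage
INCH_NAME = 'Gizmo 12" Display'                        # a legitimate name containing a double quote


def freemarker_html_escape(value: str) -> str:
    """Model of FreeMarker's ?html built-in: it escapes exactly &, <, > and the double quote."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_field(product_name: str, escape: bool = True) -> str:
    """Render the input tag from EditProductContent.ftl, with or without the ?html built-in."""
    rendered = freemarker_html_escape(product_name) if escape else product_name
    return (f'<input type="text" name="productName" value="{rendered}" '
            f'size="30" maxlength="60"/>')


def displayed_value(markup: str) -> str:
    """Model of what the browser shows in the box: take the value attribute up to the
    first closing quote (as an HTML parser would) and decode character references once."""
    match = re.search(r'value="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""


def normalise_once(product_name: str) -> str:
    """Decode whatever references are already present, then escape exactly once.
    Idempotent: a plain name and a pre-encoded name produce the same attribute text."""
    return freemarker_html_escape(html.unescape(product_name))


def walkthrough() -> dict:
    """Return the displayed text for each scenario discussed in the ticket."""
    return {
        # Plain value, escaped: renders correctly.
        "plain_escaped": displayed_value(render_field(PLAIN_NAME)),
        # Pre-encoded value, escaped: the reported symptom (references shown literally).
        "encoded_escaped": displayed_value(render_field(STORED_NAME_ENCODED)),
        # Pre-encoded value, escaping removed: looks fixed for this value...
        "encoded_unescaped": displayed_value(render_field(STORED_NAME_ENCODED, escape=False)),
        # ...but a benign name with a quote now terminates the attribute early and is truncated.
        "inch_unescaped": displayed_value(render_field(INCH_NAME, escape=False)),
        "inch_escaped": displayed_value(render_field(INCH_NAME)),
        # Decode-once-then-escape-once handles both the pre-encoded and the quoted name.
        "encoded_normalised": displayed_value(render_field(normalise_once(STORED_NAME_ENCODED), escape=False)),
        "inch_normalised": displayed_value(render_field(normalise_once(INCH_NAME), escape=False)),
    }


if __name__ == "__main__":
    for case, shown in walkthrough().items():
        print(f"{case:20s} -> {shown!r}")
```

Running the script shows that the template is not escaping too much; it is escaping a value that was encoded before it ever reached the template. Keeping one layer of escaping in the template and making sure the stored value is plain text (or decoding it once before rendering) gives the display the reporter expects while keeping names such as `Gizmo 12" Display` inside the attribute.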



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)