You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ofbiz.apache.org by "ian tabangay (JIRA)" <ji...@apache.org> on 2008/09/26 09:01:44 UTC

[jira] Created: (OFBIZ-1970) unescaped html special characters create problems in pages

unescaped html special characters create problems in pages
----------------------------------------------------------

                 Key: OFBIZ-1970
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1970
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: SVN trunk, Release Branch 4.0
         Environment: Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on Intel CoreDuo 1.8Gz, 2GB of RAM
            Reporter: ian tabangay
            Priority: Minor


HTML specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interacts with javascripts. Note that this bug is the same to a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug also prone to all sorts of HTML injection hacks. HTML and javascript codes may be set as a value to an input field. Browsers shall render these as if part of the form.

I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Closed: (OFBIZ-1970) unescaped html special characters create problems in pages

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/OFBIZ-1970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-1970.
----------------------------------

    Resolution: Duplicate

There are already a lot of issues open about thid subject

> unescaped html special characters create problems in pages
> ----------------------------------------------------------
>
>                 Key: OFBIZ-1970
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1970
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk, Release Branch 4.0
>         Environment: Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on Intel CoreDuo 1.8Gz, 2GB of RAM
>            Reporter: ian tabangay
>            Priority: Minor
>
> HTML specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interacts with javascripts. Note that this bug is the same to a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug also prone to all sorts of HTML injection hacks. HTML and javascript codes may be set as a value to an input field. Browsers shall render these as if part of the form.
> I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.