You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "ian tabangay (JIRA)" <ji...@apache.org> on 2008/09/26 09:01:44 UTC
[jira] Created: (OFBIZ-1970) unescaped html special characters
create problems in pages
unescaped html special characters create problems in pages
----------------------------------------------------------
Key: OFBIZ-1970
URL: https://issues.apache.org/jira/browse/OFBIZ-1970
Project: OFBiz
Issue Type: Bug
Components: framework
Affects Versions: SVN trunk, Release Branch 4.0
Environment: Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on Intel CoreDuo 1.8Gz, 2GB of RAM
Reporter: ian tabangay
Priority: Minor
HTML specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interacts with javascripts. Note that this bug is the same to a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug also prone to all sorts of HTML injection hacks. HTML and javascript codes may be set as a value to an input field. Browsers shall render these as if part of the form.
I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (OFBIZ-1970) unescaped html special characters
create problems in pages
Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-1970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-1970.
----------------------------------
Resolution: Duplicate
There are already a lot of issues open about thid subject
> unescaped html special characters create problems in pages
> ----------------------------------------------------------
>
> Key: OFBIZ-1970
> URL: https://issues.apache.org/jira/browse/OFBIZ-1970
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk, Release Branch 4.0
> Environment: Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on Intel CoreDuo 1.8Gz, 2GB of RAM
> Reporter: ian tabangay
> Priority: Minor
>
> HTML specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interacts with javascripts. Note that this bug is the same to a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug also prone to all sorts of HTML injection hacks. HTML and javascript codes may be set as a value to an input field. Browsers shall render these as if part of the form.
> I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.