You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@continuum.apache.org by "Brent N Atkinson (JIRA)" <ji...@apache.org> on 2015/05/04 14:55:06 UTC

[jira] [Closed] (CONTINUUM-1983) unescaped HTML in SCM Changes summary

     [ https://issues.apache.org/jira/browse/CONTINUUM-1983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brent N Atkinson closed CONTINUUM-1983.
---------------------------------------
    Resolution: Fixed
      Assignee: Brent N Atkinson

This has been addressed in 1.5. For details, see CONTINUUM-2763.

> unescaped HTML in SCM Changes summary
> -------------------------------------
>
>                 Key: CONTINUUM-1983
>                 URL: https://issues.apache.org/jira/browse/CONTINUUM-1983
>             Project: Continuum
>          Issue Type: Bug
>          Components: Web - UI
>    Affects Versions: 1.1, 1.3.3 (Beta)
>         Environment: Linux
>            Reporter: Reimer Prochnow
>            Assignee: Brent N Atkinson
>            Priority: Minor
>              Labels: backlog-to-cleanup
>
> If you write HTML in scm commit comments, this HTML is shown in the SCM changes summary section on the build result page.
> It should be escaped for security issues.
> The page involved is:
> continuum-webapp\src\main\webapp\WEB-INF\jsp\buildresult.jsp, Line 61
> <ec:column property="comment" title="buildResult.changes.comment" />
> But the columns are rendered by extremecomponents taglib.
> This should be able to escape HTML by configuration, unfortunately i do not find any documentation on this taglib



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)