Posted to commits@wicket.apache.org by "Jean-Philippe Boudreault (Created) (JIRA)" <ji...@apache.org> on 2012/04/17 18:59:17 UTC

[jira] [Created] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
--------------------------------------------------------------------------------------------------------

                 Key: WICKET-4505
                 URL: https://issues.apache.org/jira/browse/WICKET-4505
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 1.5.5
            Reporter: Jean-Philippe Boudreault


User input is not escaped in all text fields by default

This leads to user entered text not being redisplayed correctly and it also makes those text fields vulnerable to XSS.

* You can replicate using the project from WICKET-3330.
* Just enter the text my&frac12;companyname and press enter
* The field will not redisplay the text entered properly

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Sven Meier (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13261111#comment-13261111 ] 

Sven Meier commented on WICKET-4505:
------------------------------------

Markup attributes are now unescaped while parsing the markup. I removed the unescaping during rendering of TagAttributes.
Tests and Andrea's quickstart work fine now.
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>            Assignee: Sven Meier
>         Attachments: EscapeHtmlChars.zip, screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Jean-Philippe Boudreault (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13261593#comment-13261593 ] 

Jean-Philippe Boudreault commented on WICKET-4505:
--------------------------------------------------

Thanks for addressing and fixing the issue!
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>            Assignee: Sven Meier
>             Fix For: 1.5.6, 6.0.0-RC1
>
>         Attachments: EscapeHtmlChars.zip, screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Andrea Del Bene (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258326#comment-13258326 ] 

Andrea Del Bene commented on WICKET-4505:
-----------------------------------------

It also happens to me under Linux Ubuntu 64bit, Jetty 6.1.26 and using current 1.5.x head. If I remove the overridden version of method put from class TagAttributes (i.e. the value is no longer unescaped) the input is redisplayed correctly.
I will do some more debugging as soon as possible.
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Resolved] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Sven Meier (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sven Meier resolved WICKET-4505.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 6.0.0-RC1
                   1.5.6

unescape markup attribute during parsing, don't unescape while rendering
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>            Assignee: Sven Meier
>             Fix For: 1.5.6, 6.0.0-RC1
>
>         Attachments: EscapeHtmlChars.zip, screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13259544#comment-13259544 ] 

Martin Grigorov commented on WICKET-4505:
-----------------------------------------

The demo app works fine for me too.
I ran "mvn jetty:run" with 6.1.26 and with Start.java with Jetty 7.5.0. Tested with Chrome/Ubuntu and IE9/Windows7. Wicket 1.5-SNAPSHOT.

Please attach a quickstart to this ticket that shows the problem without any modifications required by me. I needed to tweak the app from 3330 to be able to run it.
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Andrea Del Bene (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258217#comment-13258217 ] 

Andrea Del Bene commented on WICKET-4505:
-----------------------------------------

The discussion from WICKET-3608 explains why it was chosen to unescape the value of the attributes when it is displayed (see Attila's comment on 26/Apr/11).

@Sven
in order to reproduce the issue you must use Wicket 1.5-RC4 or any later version.
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Sven Meier (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258243#comment-13258243 ] 

Sven Meier commented on WICKET-4505:
------------------------------------

@Andrea
I've tested this with current 1.5.x head, and it works.

Note that we don't talk about attributes from the markup, but entered values sent from the browser.

@Jean-Philippe
Can you confirm this?
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Sven Meier (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257726#comment-13257726 ] 

Sven Meier commented on WICKET-4505:
------------------------------------

I've just tested with the project from 3330 and everything worked as expected: wicket-1.5.x, jetty, linux, firefox and chrome.

my&frac12;companyname stays my&frac12;companyname after a submit.

What container are you using?
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Jean-Philippe Boudreault (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258272#comment-13258272 ] 

Jean-Philippe Boudreault commented on WICKET-4505:
--------------------------------------------------

I just tested with head and the problem still happens. I am using an English (Canada) locale, if it matters.

Could anyone on windows confirm the behavior?

Thanks!
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Updated] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Jean-Philippe Boudreault (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Philippe Boudreault updated WICKET-4505:
---------------------------------------------

    Description: 
User input is not escaped in all text fields by default (and the default is not configurable).

This leads to user entered text not being redisplayed correctly.

* You can replicate using the project from WICKET-3330.
* Just enter the text my&frac12;companyname and press enter
* The field will not redisplay the text entered properly

  was:
User input is not escaped in all text fields by default

This leads to user entered text not being redisplayed correctly and it also makes those text fields vulnerable to XSS.

* You can replicate using the project from WICKET-3330.
* Just enter the text my&frac12;companyname and press enter
* The field will not redisplay the text entered properly


edit : I did more testing with XSS and I was not able to exploit it. Therefore I updated the description.
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Andrea Del Bene (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13260656#comment-13260656 ] 

Andrea Del Bene commented on WICKET-4505:
-----------------------------------------

I've attached a brand new quickstart project based on version 1.5.5. You should be able to reproduce the problem running the project via mvn jetty:run


                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: EscapeHtmlChars.zip, screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Updated] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Andrea Del Bene (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrea Del Bene updated WICKET-4505:
------------------------------------

    Attachment: EscapeHtmlChars.zip
    
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: EscapeHtmlChars.zip, screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Updated] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Jean-Philippe Boudreault (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Philippe Boudreault updated WICKET-4505:
---------------------------------------------

    Attachment: screenshot-1.jpg
    
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default
> This leads to user entered text not being redisplayed correctly and it also makes those text fields vulnerable to XSS.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Jean-Philippe Boudreault (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13260458#comment-13260458 ] 

Jean-Philippe Boudreault commented on WICKET-4505:
--------------------------------------------------

What kind of problem are you having with the 3330 project? I just imported it in IntelliJ, replaced wicket.version and jetty.version in the pom.xml and ran it through the IDE without any problem.


                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Assigned] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Sven Meier (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sven Meier reassigned WICKET-4505:
----------------------------------

    Assignee: Sven Meier
    
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>            Assignee: Sven Meier
>         Attachments: EscapeHtmlChars.zip, screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Jean-Philippe Boudreault (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257988#comment-13257988 ] 

Jean-Philippe Boudreault commented on WICKET-4505:
--------------------------------------------------

I am running the project from IntelliJ on a Windows 7 machine. The problem happens in Chrome and in IE.
Here is my maven config :
	<properties>
		<wicket.version>1.5.5</wicket.version>
		<jetty.version>6.1.25</jetty.version>
	</properties>

Thanks!
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Sven Meier (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13261036#comment-13261036 ] 

Sven Meier commented on WICKET-4505:
------------------------------------

Thanks Andrea, I can confirm the problem with the new quickstart.

It seems the fix for WICKET-3608 broke this one, see commit e9389ebdaf5b1eeb79a5ed3624eeaa529d322cf0.

The following line in TagAttributes doesn't make sense to me:

	public final Object putInternal(String key, Object value)
	{
		return super.put(key, unescapeHtml(value));
	}

How can TagAttributes know where the value is coming from and whether it needs to be unescaped?
                
> AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: EscapeHtmlChars.zip, screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly


[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Andrea Del Bene (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257481#comment-13257481 ] 

Andrea Del Bene commented on WICKET-4505:
-----------------------------------------

The input for text fields is unescaped by class TagAttributes when it is inserted inside value="" attribute. Maybe this is done for security reasons?
Anyway, I think TagAttributes should replace any occurrence of the double-quote character (") before rendering attribute values. I would modify method 'unescapeHtml(Object value)' like this:

	private static final Object unescapeHtml(Object value)
	{
		if (value instanceof CharSequence)
		{
			CharSequence unescapedMarkup = Strings.unescapeMarkup(value.toString());
			return Strings.replaceAll(unescapedMarkup, "\"", "\\\"");
		}
		else
		{
			return value;
		}
	}
                
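Sven's question (how can TagAttributes know where a value comes from and whether it needs unescaping) and Andrea's observation (the value="..." attribute written by TextField is unescaped by TagAttributes) describe two points in one pipeline: attribute text read from the .html file, and attribute text set from the component's model. The following is an added example, not Wicket code, that models both paths with simplified stand-ins: the class name AttributeEscapingDemo, the five-entry entity table and the helper names are assumptions, not Wicket's Strings or TagAttributes API. It contrasts the pre-fix behaviour quoted above (unescape on every put) with the fix described in this thread (unescape while parsing the markup, escape once on output), using the reporter's input my&frac12;companyname.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Toy model of the attribute round trip discussed in WICKET-4505.
 * Added example, not Wicket code: the entity table and both render
 * pipelines are simplified stand-ins for Wicket's parser, TagAttributes
 * and Strings.escapeMarkup/unescapeMarkup.
 */
public final class AttributeEscapingDemo {

    /** Tiny entity table; a real parser knows the full HTML list (assumption). */
    private static final Map<String, String> ENTITIES = new HashMap<>();
    static {
        ENTITIES.put("&amp;", "&");
        ENTITIES.put("&lt;", "<");
        ENTITIES.put("&gt;", ">");
        ENTITIES.put("&quot;", "\"");
        ENTITIES.put("&frac12;", "\u00BD"); // the entity from the report
    }

    /** Single-pass entity decoding, as a markup parser does for attribute text in the .html file. */
    static String unescapeMarkup(String s) {
        StringBuilder out = new StringBuilder(s.length());
        int i = 0;
        while (i < s.length()) {
            int semi = s.charAt(i) == '&' ? s.indexOf(';', i) : -1;
            String decoded = semi > i ? ENTITIES.get(s.substring(i, semi + 1)) : null;
            if (decoded == null) {
                out.append(s.charAt(i++)); // plain char or unknown entity: kept verbatim
            } else {
                out.append(decoded);
                i = semi + 1;
            }
        }
        return out.toString();
    }

    /** Encode the characters that would change the meaning of an attribute value on output. */
    static String escapeAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Pre-fix pipeline: every value put into the tag is unescaped, user input included. */
    static String renderModelValueOld(String modelValue) {
        String stored = unescapeMarkup(modelValue); // mirrors putInternal(key, unescapeHtml(value))
        return "value=\"" + escapeAttribute(stored) + "\"";
    }

    /** Fixed pipeline: model values are stored verbatim and escaped exactly once on output. */
    static String renderModelValueFixed(String modelValue) {
        return "value=\"" + escapeAttribute(modelValue) + "\"";
    }

    /** Fixed pipeline for a markup-sourced attribute: decode at parse time, encode on output. */
    static String renderMarkupAttributeFixed(String rawTextFromHtmlFile) {
        String parsed = unescapeMarkup(rawTextFromHtmlFile); // parse-time, not render-time
        return "value=\"" + escapeAttribute(parsed) + "\"";
    }

    /** What the browser puts in the field: the attribute value after HTML decoding. */
    static String browserSees(String renderedAttr) {
        String inner = renderedAttr.substring("value=\"".length(), renderedAttr.length() - 1);
        return unescapeMarkup(inner);
    }

    public static void main(String[] args) {
        String typed = "my&frac12;companyname"; // constructed input, as in the report
        String oldAttr = renderModelValueOld(typed);
        String fixedAttr = renderModelValueFixed(typed);
        System.out.println("old:   " + oldAttr + "  -> field shows " + browserSees(oldAttr));
        System.out.println("fixed: " + fixedAttr + "  -> field shows " + browserSees(fixedAttr));

        // The old pipeline loses the literal text; the fixed one redisplays exactly what was typed.
        if (browserSees(oldAttr).equals(typed)) throw new AssertionError("old pipeline should mangle input");
        if (!browserSees(fixedAttr).equals(typed)) throw new AssertionError("fixed pipeline must round-trip");

        // A markup-sourced attribute still round-trips: the .html text is what gets written back.
        String fromFile = "a &amp; b";
        if (!renderMarkupAttributeFixed(fromFile).equals("value=\"" + fromFile + "\"")) {
            throw new AssertionError("markup attribute must round-trip");
        }
    }
}
```

The design point is where decoding and encoding sit: text is decoded at the one place it enters from markup (the parser) and encoded at the one place it leaves (the tag writer). A value that arrives from the model or the request was never encoded, so it is never decoded, which is why a generic put-time unescape cannot be right without knowing the value's origin; it is also what keeps a literal quote in user input from ever reaching the output as an attribute delimiter.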

[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Andrea Del Bene (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257504#comment-13257504 ] 

Andrea Del Bene commented on WICKET-4505:
-----------------------------------------

Forget what I said about replacing double quotes. Unescaping already converts double quotes into a safe &quot;.
                

[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Andrea Del Bene (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258335#comment-13258335 ] 

Andrea Del Bene commented on WICKET-4505:
-----------------------------------------

@Sven
The attribute I'm talking about is value="..." added by class TextField inside method onComponentTag.
                

[jira] [Commented] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13260463#comment-13260463 ] 

Martin Grigorov commented on WICKET-4505:
-----------------------------------------

This is also what I did and it didn't reproduce the problem.
I needed to add src/test from another project to have Start.java.
                