You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@continuum.apache.org by "Reimer Prochnow (JIRA)" <ji...@codehaus.org> on 2008/11/19 10:05:41 UTC

[jira] Created: (CONTINUUM-1983) unescaped HTML in SCM Changes summary

unescaped HTML in SCM Changes summary
-------------------------------------

                 Key: CONTINUUM-1983
                 URL: http://jira.codehaus.org/browse/CONTINUUM-1983
             Project: Continuum
          Issue Type: Bug
          Components: Web - UI
    Affects Versions: 1.1
         Environment: Linux
            Reporter: Reimer Prochnow
            Priority: Minor


If you write HTML in scm commit comments, this HTML is shown in the SCM changes summary section on the build result page.
It should be escaped for security issues.

The page involved is:
continuum-webapp\src\main\webapp\WEB-INF\jsp\buildresult.jsp, Line 61

<ec:column property="comment" title="buildResult.changes.comment" />

But the columns are rendered by extremecomponents taglib.
This should be able to escape HTML by configuration, unfortunately i do not find any documentation on this taglib

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (CONTINUUM-1983) unescaped HTML in SCM Changes summary

Posted by "Reimer Prochnow (JIRA)" <ji...@codehaus.org>.

    [ http://jira.codehaus.org/browse/CONTINUUM-1983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=181069#action_181069 ] 

Reimer Prochnow commented on CONTINUUM-1983:
--------------------------------------------

still present in beta 1.3.3 (build # 778084)

> unescaped HTML in SCM Changes summary
> -------------------------------------
>
>                 Key: CONTINUUM-1983
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1983
>             Project: Continuum
>          Issue Type: Bug
>          Components: Web - UI
>    Affects Versions: 1.1
>         Environment: Linux
>            Reporter: Reimer Prochnow
>            Priority: Minor
>
> If you write HTML in scm commit comments, this HTML is shown in the SCM changes summary section on the build result page.
> It should be escaped for security issues.
> The page involved is:
> continuum-webapp\src\main\webapp\WEB-INF\jsp\buildresult.jsp, Line 61
> <ec:column property="comment" title="buildResult.changes.comment" />
> But the columns are rendered by extremecomponents taglib.
> This should be able to escape HTML by configuration, unfortunately i do not find any documentation on this taglib

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Updated: (CONTINUUM-1983) unescaped HTML in SCM Changes summary

Posted by "Wendy Smoak (JIRA)" <ji...@codehaus.org>.

     [ http://jira.codehaus.org/browse/CONTINUUM-1983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wendy Smoak updated CONTINUUM-1983:
-----------------------------------

    Affects Version/s: 1.3.3
        Fix Version/s: Reviewed

> unescaped HTML in SCM Changes summary
> -------------------------------------
>
>                 Key: CONTINUUM-1983
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1983
>             Project: Continuum
>          Issue Type: Bug
>          Components: Web - UI
>    Affects Versions: 1.1, 1.3.3
>         Environment: Linux
>            Reporter: Reimer Prochnow
>            Priority: Minor
>             Fix For: Reviewed
>
>
> If you write HTML in scm commit comments, this HTML is shown in the SCM changes summary section on the build result page.
> It should be escaped for security issues.
> The page involved is:
> continuum-webapp\src\main\webapp\WEB-INF\jsp\buildresult.jsp, Line 61
> <ec:column property="comment" title="buildResult.changes.comment" />
> But the columns are rendered by extremecomponents taglib.
> This should be able to escape HTML by configuration, unfortunately i do not find any documentation on this taglib

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira