Posted to dev@jspwiki.apache.org by "Harry Metske (JIRA)" <ji...@apache.org> on 2009/02/02 18:08:00 UTC

[jira] Commented: (JSPWIKI-485) & in notes for page history

    [ https://issues.apache.org/jira/browse/JSPWIKI-485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669659#action_12669659 ] 

Harry Metske commented on JSPWIKI-485:
--------------------------------------

The notes in the history were vulnerable to XSS (see JSPWIKI-319); this was solved by replacing characters with TextUtil.replaceEntities().
To be honest I don't know if pageNames are also vulnerable to XSS....

> & in notes for page history
> ---------------------------
>
>                 Key: JSPWIKI-485
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-485
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.8.1
>            Reporter: Bruno Peeters
>            Priority: Minor
>
> In the previous version of jspwiki we were using (2.2.33) & signs in page titles were automatically converted to amp, which led to unwanted page titles. We are pleased to notice that & signs are now accepted in page titles.
> We have however noticed that & signs in notes (for the page history) continue to be replaced by &amp. Other characters such as < > and quotes are also replaced.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
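
Added example, not part of the original message and not JSPWiki's code: a stand-in entity-replacement helper (the name `escapeHtml` and the sample notes are assumptions) applied to constructed change notes containing the characters the report lists. It also shows one way a visible `&amp;` can arise, namely escaping the same string twice; the thread does not say whether that is what happens in JSPWiki.

```java
// Stand-in for an entity-replacing helper; NOT the source of TextUtil.replaceEntities().
public class ChangeNoteEscaping {

    /** Replace the HTML-significant characters named in the report: & < > and quotes. */
    static String escapeHtml(String src) {
        if (src == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(src.length() + 16);
        for (int i = 0; i < src.length(); i++) {
            char c = src.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;  // must be handled like any other char,
                case '<':  out.append("&lt;");   break;  // in a single pass, so that output of
                case '>':  out.append("&gt;");   break;  // one rule is never re-read by another
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed change notes: one with a plain ampersand, one carrying markup and quotes.
        String[] notes = {
            "Fixed R&D section",
            "<b>urgent</b> \"see minutes\""
        };
        for (String note : notes) {
            String once  = escapeHtml(note);  // escaped exactly once, when written into HTML
            String twice = escapeHtml(once);  // escaped a second time (assumed failure mode)
            System.out.println("raw   : " + note);
            System.out.println("once  : " + once);   // browser displays the original text, inert
            System.out.println("twice : " + twice);  // browser displays literal &amp; / &lt; text
            System.out.println();
        }
    }
}
```

Escaped once, the markup in the second note is displayed as text rather than interpreted, which is the XSS fix the comment describes; escaped twice, the reader sees the entity names themselves.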