Posted to dev@jspwiki.apache.org by "Harry Metske (JIRA)" <ji...@apache.org> on 2009/02/02 18:08:00 UTC
[jira] Commented: (JSPWIKI-485) & in notes for page history
[ https://issues.apache.org/jira/browse/JSPWIKI-485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669659#action_12669659 ]
Harry Metske commented on JSPWIKI-485:
--------------------------------------
The notes in the history were vulnerable to XSS (see JSPWIKI-319); this was solved by replacing characters with TextUtil.replaceEntities().
To be honest I don't know if pageNames are also vulnerable to XSS....
> & in notes for page history
> ---------------------------
>
> Key: JSPWIKI-485
> URL: https://issues.apache.org/jira/browse/JSPWIKI-485
> Project: JSPWiki
> Issue Type: Bug
> Affects Versions: 2.8.1
> Reporter: Bruno Peeters
> Priority: Minor
>
> In the previous version of jspwiki we were using (2.2.33), & signs in page titles were automatically converted to amp, which led to unwanted page titles. We are pleased to notice that & signs are now accepted in page titles.
> We have however noticed that & signs in notes (for the page history) continue to be replaced by &amp;. Other characters such as < > and quotes are also replaced.
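Added example, not part of the original message and not JSPWiki code: a sketch of how entity replacement keeps markup in a change note from being rendered, and how applying it twice produces the visible &amp; the reporter describes. The helpers escapeHtml and browserDecode are hypothetical stand-ins, the sample notes are constructed, and double escaping as the cause of the symptom is an assumption the issue does not confirm.

```java
public class NoteEscapingDemo {

    // Hypothetical helper, not JSPWiki's TextUtil: escapes the characters the
    // report mentions (&, <, > and double quotes) for HTML output.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Minimal stand-in for a browser displaying text: decodes entities exactly once.
    // &amp; is decoded last so that "&amp;lt;" becomes "&lt;" and not "<".
    static String browserDecode(String html) {
        return html.replace("&lt;", "<").replace("&gt;", ">")
                   .replace("&quot;", "\"").replace("&amp;", "&");
    }

    public static void main(String[] args) {
        // Constructed sample change notes.
        String[] notes = { "Updated R&D budget", "<b>markup</b> in a note", "Renamed \"Q&A\" page" };
        for (String note : notes) {
            String once  = escapeHtml(note);   // escaped a single time, at render
            String twice = escapeHtml(once);   // assumed bug: escaped at save and again at render
            System.out.println("raw   : " + note);
            System.out.println("once  : " + once  + "  -> shown as: " + browserDecode(once));
            System.out.println("twice : " + twice + "  -> shown as: " + browserDecode(twice));
            // Escaped once: no raw tag reaches the page and the reader sees the original text.
            if (once.contains("<") || !browserDecode(once).equals(note))
                throw new AssertionError("single escape failed for: " + note);
            // Escaped twice: still inert, but the reader sees literal entities such as &amp;.
            if (browserDecode(twice).equals(note))
                throw new AssertionError("double escape should be visible for: " + note);
        }
    }
}
```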