Posted to dev@jspwiki.apache.org by "brushed (JIRA)" <ji...@apache.org> on 2013/01/20 15:26:12 UTC

[jira] [Reopened] (JSPWIKI-712) Entities in ChangeNote should be decoded when "keep editing"

     [ https://issues.apache.org/jira/browse/JSPWIKI-712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

brushed reopened JSPWIKI-712:
-----------------------------



JSPWIKI-742

The current fix solves the issue only partly.
Note that this issue also occurs on the 'author' and 'link' fields.


The issue is caused by multiple invocations of TextUtil.replaceEntities():
once in the top-level Edit.jsp, once in the template plain.jsp, and once more in the template preview.jsp.
This is because <c:out> (used in the template JSPs) by default converts the HTML special characters to their corresponding character entity codes.

Current code:
Edit.jsp / Comment.jsp
{code}String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" ) );
{code} 

plain.jsp
{code}<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80" value="<c:out value='${changenote}'/>"/></td>
{code} 

preview.jsp  
{code}    <input type="hidden" name="author" value="<c:out value='${author}' />" />
    <input type="hidden" name="link" value="<c:out value='${link}' />" />
    <input type="hidden" name="remember" value="<c:out value='${remember}' />" />
    <input type="hidden" name="changenote" value="<c:out value='${changenote}' />" />
{code} 

I'd prefer that the fix be done in the template JSPs, keeping the top-level JSPs unchanged.
The top-level JSPs ensure that content which needs to be escaped is properly formatted. The template JSPs merely display that content.
This way, the top-level Comment.jsp doesn't need to be changed either.

Proposed fixes:
preview.jsp:
{code}    <input type="hidden" name="author" value="${author}" />
    <input type="hidden" name="link" value="${link}" />
    <input type="hidden" name="remember" value="${remember}" />
    <input type="hidden" name="changenote" value="${changenote}" />
{code} 

plain.jsp:
replace  
{code}<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80" value="<c:out value='${changenote}'/>"/></td>
{code} 
by 
{code} 
<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80" value="${changenote}"/></td>
{code} 

replace
{code}<input type="text" name="author" id="authorname" value="<c:out value='${sessionScope.author}' />" />
{code} 
by
{code}<input type="text" name="author" id="authorname" value="${author}" />
{code} 

replace
{code}<input type="text" name="link" id="link" size="24" value="<c:out value='${sessionScope.link}' />" />
{code} 

by
{code}<input type="text" name="link" id="link" size="24" value="${link}" />
{code} 



                
> Entities in ChangeNote should be decoded when "keep editing"
> ------------------------------------------------------------
>
>                 Key: JSPWIKI-712
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-712
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Default template
>    Affects Versions: 2.8.4, 2.9
>         Environment: Windows XP, Tomcat 7.0
>            Reporter: Vigneshwaran Raveendran
>            Assignee: brushed
>            Priority: Minor
>              Labels: fix, javascript
>             Fix For: 2.9.1
>
>         Attachments: JSPWIKI-712.patch
>
>
> Steps to reproduce the bug:-
> 1. Go here: http://doc.jspwiki.org/2.4/Edit.jsp?page=WindowsInstall
> 2. Type in changenote: Testing "quotes" & ampersand
> 3. Click preview
> 4. Click Keep Editing
> 5. The changenote looks like this: Testing &amp;quot;quotes&amp;quot; &amp;amp; ampersand
> Now the user has to remove it and type (Testing "quotes" & ampersand) again before saving. If the user didn't notice it, then the comment will be saved as "Testing &amp;quot;quotes&amp;quot; &amp;amp; ampersand" in the history.
> =================================================
> I know that entities need to be encoded for security reasons but this is a Bug.
> When the "keep editing" button is clicked, the comment should appear in decoded format. For that, there should be a JavaScript that executes "after" the page is loaded. No need to change any of the TextUtil.replaceEntities() methods.
> =================================================
> This is how I fixed it in my pc:
> 1. Added the following script to commonheader.jsp (or prettify.js)
> <script type="text/javascript">
> function decodeChangeNote() {
> document.getElementById("changenote").value = 
>   document.getElementById("changenote").value
>     .replace(/&amp;amp;/g,"&")
>     .replace(/&amp;lt;/g,"<")
>     .replace(/&amp;gt;/g,">")
>     .replace(/&amp;quot;/g,"\"");
> }
> </script>
> 2. Changed <body> tag in EditTemplate.jsp to call this js function on load.
> <body onload="decodeChangeNote()">
> ====================================================
> Now JSPWiki works fine for me. Polish this fix if needed and commit it. Please correct me if I'm wrong.

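The double encoding discussed in this message, traced through Preview and Keep Editing, as an added example that is not JSPWiki code or part of the original message. `replaceEntities` and `cOut` are simplified stand-ins that assume the usual behaviour of TextUtil.replaceEntities() and of `<c:out>` with its default escaping; `browserDecode`, `roundTrip` and `previewThenKeepEditing` are hypothetical helpers.

```javascript
// Stand-in for TextUtil.replaceEntities() (assumption: escapes & < > ").
function replaceEntities(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return s.replace(/[&<>"]/g, c => map[c]);
}

// Stand-in for <c:out value='...'/> with its default XML escaping.
function cOut(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#034;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// The browser decodes exactly one entity level when it parses value="...".
// A single regex pass avoids decoding "&amp;quot;" twice.
function browserDecode(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#034": '"', "#039": "'" };
  return s.replace(/&(amp|lt|gt|quot|#034|#039);/g, (_, name) => map[name]);
}

// One request/response cycle: the top-level JSP encodes the parameter,
// the template writes it into the attribute, the browser parses the page.
function roundTrip(fieldValue, templateEscapes) {
  const encoded = replaceEntities(fieldValue);
  const html = templateEscapes ? cOut(encoded) : encoded;
  return { html, field: browserDecode(html) };
}

// Preview (hidden field in preview.jsp), then Keep Editing (text field in plain.jsp).
function previewThenKeepEditing(note, templateEscapes) {
  const preview = roundTrip(note, templateEscapes);
  return roundTrip(preview.field, templateEscapes);
}

const note = 'Testing "quotes" & ampersand'; // input from the bug report
const current = previewThenKeepEditing(note, true);   // templates use <c:out>
const proposed = previewThenKeepEditing(note, false); // templates use plain ${...}

console.log("current  :", current.field);
console.log("proposed :", proposed.field);
// The attribute stays well-formed only because the value was encoded once upstream.
console.log("proposed markup has raw quote or bracket:", /["<>]/.test(proposed.html));
```

The plain `${...}` form is only as safe as the encoding done before it: each value written that way (changenote, author, link, remember) has to pass through replaceEntities() exactly once in the top-level JSP, which is worth checking for every field the template change touches.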