Posted to dev@jspwiki.apache.org by "Bruno Peeters (JIRA)" <ji...@apache.org> on 2009/02/02 16:29:59 UTC

[jira] Created: (JSPWIKI-485) & in notes for page history

& in notes for page history
---------------------------

                 Key: JSPWIKI-485
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-485
             Project: JSPWiki
          Issue Type: Bug
    Affects Versions: 2.8.1
            Reporter: Bruno Peeters
            Priority: Minor


In the previous version of jspwiki we were using (2.2.33), & signs in page titles were automatically converted to amp, which led to unwanted page titles. We are pleased to notice that & signs are now accepted in page titles.

We have however noticed that & signs in notes (for the page history) continue to be replaced by &amp. Other characters such as < > and quotes are also replaced.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Closed: (JSPWIKI-485) & in notes for page history

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Harry Metske closed JSPWIKI-485.
--------------------------------

    Resolution: Duplicate

This is a dup of JSPWIKI-633 and has been fixed in 2.8.4-svn-8



[jira] Updated: (JSPWIKI-485) & in notes for page history

Posted by "Bruno Peeters (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bruno Peeters updated JSPWIKI-485:
----------------------------------

    Attachment: test-amp-page.jpg

test page with special characters in title and body of page



[jira] Updated: (JSPWIKI-485) & in notes for page history

Posted by "Bruno Peeters (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bruno Peeters updated JSPWIKI-485:
----------------------------------

    Attachment: test-amp-info.jpg

info page for test page, with special characters in change notes



[jira] Commented: (JSPWIKI-485) & in notes for page history

Posted by "Janne Jalkanen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669685#action_12669685 ] 

Janne Jalkanen commented on JSPWIKI-485:
----------------------------------------

There is a double-replace somewhere.  It is a bug.



[jira] Commented: (JSPWIKI-485) & in notes for page history

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12669659#action_12669659 ] 

Harry Metske commented on JSPWIKI-485:
--------------------------------------

The notes in the history were vulnerable to XSS (see JSPWIKI-319); this was solved by replacing characters with TextUtil.replaceEntities().
To be honest, I don't know if pageNames are also vulnerable to XSS....



[jira] Commented: (JSPWIKI-485) & in notes for page history

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12670037#action_12670037 ] 

Harry Metske commented on JSPWIKI-485:
--------------------------------------

Can you explain a bit more? We use TextUtil.replaceEntities to replace suspicious characters:

    Char    Entity code
    <       &lt;
    >       &gt;
    &       &amp;

I tested this:

    Input:  Nice&Easy  groterdan>  kleinerdan<
    Result: Nice&amp;Easy groterdan&gt; kleinerdan&lt;

What is wrong here?

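Added illustration, not part of the thread and not JSPWiki's own code: escaping a change note once versus the "double-replace" suspected in the comments, using the test input quoted in the thread. The `escape` and `browserDecode` methods are hypothetical stand-ins (assumptions), and the thread does not say where the second escaping pass happened.

```java
public class ChangeNoteEscaping {

    // Hypothetical stand-in for the entity replacement described in the
    // thread; an assumption, not the source of TextUtil.replaceEntities().
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Models how a browser renders text content: each entity is decoded
    // exactly once. "&amp;" is handled last so "&amp;lt;" becomes "&lt;".
    static String browserDecode(String html) {
        return html.replace("&lt;", "<").replace("&gt;", ">")
                   .replace("&quot;", "\"").replace("&amp;", "&");
    }

    public static void main(String[] args) {
        String note = "Nice&Easy  groterdan>  kleinerdan<"; // input from the thread
        String once = escape(note);    // correct: one pass at output time
        String twice = escape(once);   // the bug: a second pass somewhere

        System.out.println("HTML source, escaped once : " + once);
        System.out.println("Reader sees               : " + browserDecode(once));
        System.out.println("HTML source, escaped twice: " + twice);
        System.out.println("Reader sees               : " + browserDecode(twice));

        // One pass round-trips to the original text for the reader.
        if (!browserDecode(once).equals(note)) throw new AssertionError();
        // Two passes leave literal entity text on screen (the reported symptom).
        if (!browserDecode(twice).equals(once)) throw new AssertionError();

        // A single pass is already enough to keep markup in a note inert.
        String markup = "<script>x</script>"; // constructed sample
        if (escape(markup).contains("<")) throw new AssertionError();
    }
}
```

The fix for a double pass is to remove one of the two calls, not to stop escaping: the single remaining pass at output time is what keeps the history notes safe from the XSS mentioned in the thread.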