Posted to dev@jspwiki.apache.org by "David Gao (JIRA)" <ji...@apache.org> on 2008/02/22 09:54:19 UTC
[jira] Created: (JSPWIKI-197) Html Tags in resource bundles were escaped unexpectedly
Html Tags in resource bundles were escaped unexpectedly
--------------------------------------------------------
Key: JSPWIKI-197
URL: https://issues.apache.org/jira/browse/JSPWIKI-197
Project: JSPWiki
Issue Type: Bug
Components: Core & storage
Affects Versions: 2.6.0
Reporter: David Gao
*Description*
The HTML tags in resource bundles (*.properties) do not work in final jsp output pages. The tags in output pages are shown literally. They ought to function as normal HTML tags do.
*Root Reason*
*com.ecyrd.jspwiki.tags.MessagesTag.doWikiStartTag()* unnecessarily replaces all incoming HTML entities. The _TextUtil.replaceEntities()_ should not be used here.
*Solution*
Remove the _TextUtil.replaceEntities()_ method in the _MessagesTag.java_ file.
*Expected Result*
The HTML tags in resource bundles (*.properties) should work normally in jsp output pages. For example, the tag "<br/>" in messages will produce a line break instead of showing the tag literally.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (JSPWIKI-197) Html Tags in resource bundles were escaped unexpectedly
Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JSPWIKI-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harry Metske closed JSPWIKI-197.
--------------------------------
Resolution: Won't Fix
Yup, revision 626797 introduced the TextUtil.replaceEntities() because of an XSS vulnerability.
> Html Tags in resource bundles were escaped unexpectedly
> --------------------------------------------------------
>
> Key: JSPWIKI-197
> URL: https://issues.apache.org/jira/browse/JSPWIKI-197
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.6.0
> Reporter: David Gao
>
> *Description*
> The HTML tags in resource bundles (*.properties) do not work in final jsp output pages. The tags in output pages are shown literally. They ought to function as normal HTML tags do.
> *Root Reason*
> *com.ecyrd.jspwiki.tags.MessagesTag.doWikiStartTag()* unnecessarily replaces all incoming HTML entities. The _TextUtil.replaceEntities()_ should not be used here.
> *Solution*
> Remove the _TextUtil.replaceEntities()_ method in the _MessagesTag.java_ file.
> *Expected Result*
> The HTML tags in resource bundles (*.properties) should work normally in jsp output pages. For example, the tag "<br/>" in messages will produce a line break instead of showing the tag literally.
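An added example, not code from JSPWiki or from either poster: one way to keep the escaping that the resolution cites as the XSS fix while still letting translators use a few inert tags such as "<br/>" in *.properties text. The class name, the allowlist, the sample pattern and the escape() stand-in for TextUtil.replaceEntities() are assumptions made for illustration, as is the premise that message arguments can carry request-derived text.

```java
import java.text.MessageFormat;
import java.util.List;

public class BundleMessageDemo {
    // Constructed allowlist: exact, attribute-free tags permitted in bundle text.
    private static final List<String> ALLOWED =
            List.of("<br/>", "<b>", "</b>", "<em>", "</em>");

    // Stand-in for TextUtil.replaceEntities(): neutralise HTML metacharacters.
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Escape the fully formatted message, then restore only the escaped form
    // of each allowlisted tag. Anything carrying attributes or other element
    // names stays escaped, whether it came from the bundle or an argument.
    static String render(String pattern, Object... args) {
        String html = escape(MessageFormat.format(pattern, args));
        for (String tag : ALLOWED) {
            html = html.replace(escape(tag), tag);
        }
        return html;
    }

    public static void main(String[] argv) {
        // Constructed bundle entry and constructed argument values.
        String pattern = "Login failed for {0}.<br/>Please try again.";
        System.out.println(render(pattern, "alice"));
        System.out.println(render(pattern, "<script>alert(1)</script>"));
        System.out.println(render(pattern, "<b onmouseover=\"x()\">bob</b>"));
    }
}
```

The restore step matches whole tokens only, so an argument that happens to contain an allowlisted tag can add a line break or bold text but cannot introduce attributes, event handlers or other elements.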