Posted to dev@jspwiki.apache.org by "David Gao (JIRA)" <ji...@apache.org> on 2008/02/22 09:54:19 UTC

[jira] Created: (JSPWIKI-197) Html Tags in resource bundles were escaped unexpectedly

Html Tags in resource bundles were escaped unexpectedly 
--------------------------------------------------------

                 Key: JSPWIKI-197
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-197
             Project: JSPWiki
          Issue Type: Bug
          Components: Core & storage
    Affects Versions: 2.6.0
            Reporter: David Gao


*Description*
The HTML tags in resource bundles (*.properties) do not work in final jsp output pages. The tags in output pages are shown literally. They ought to function as normal HTML tags do.

*Root Reason*
*com.ecyrd.jspwiki.tags.MessagesTag.doWikiStartTag()* unnecessarily replaces all incoming HTML entities. The _TextUtil.replaceEntities()_ should not be used here.

*Solution*
Remove the _TextUtil.replaceEntities()_ method in the _MessagesTag.java_ file.

*Expected Result*
The HTML tags in resource bundles (*.properties) should work normally in jsp output pages. For example, the tag "<br/>" in messages will produce a line break instead of showing the tag literally.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Closed: (JSPWIKI-197) Html Tags in resource bundles were escaped unexpectedly

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Harry Metske closed JSPWIKI-197.
--------------------------------

    Resolution: Won't Fix

Yup, revision 626797 introduced the TextUtil.replaceEntities() because of an XSS vulnerability.

> Html Tags in resource bundles were escaped unexpectedly 
> --------------------------------------------------------
>
>                 Key: JSPWIKI-197
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-197
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Core & storage
>    Affects Versions: 2.6.0
>            Reporter: David Gao
>
> *Description*
> The HTML tags in resource bundles (*.properties) do not work in final jsp output pages. The tags in output pages are shown literally. They ought to function as normal HTML tags do.
> *Root Reason*
> *com.ecyrd.jspwiki.tags.MessagesTag.doWikiStartTag()* unnecessarily replaces all incoming HTML entities. The _TextUtil.replaceEntities()_ should not be used here.
> *Solution*
> Remove the _TextUtil.replaceEntities()_ method in the _MessagesTag.java_ file.
> *Expected Result*
> The HTML tags in resource bundles (*.properties) should work normally in jsp output pages. For example, the tag "<br/>" in messages will produce a line break instead of showing the tag literally.

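Added example (not part of the JIRA thread and not JSPWiki code): the trade-off discussed above, in Java. `escapeHtml` is a stand-in for an entity-escaping helper like the `TextUtil.replaceEntities()` named in the thread; the class name, bundle text and input value are constructed. The second approach assumes the .properties files are trusted and that variable data reaches the message only through placeholders.

```java
import java.text.MessageFormat;

public class BundleMessageEscaping {
    // Stand-in entity escaper (assumption: not the project's TextUtil implementation).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Escape the finished message: nothing in it can act as markup,
    // so a "<br/>" written in the bundle is displayed literally.
    static String renderEscapeAll(String pattern, Object... args) {
        return escapeHtml(MessageFormat.format(pattern, args));
    }

    // Escape only the substituted values: markup from the (trusted) bundle
    // survives, while markup in the arguments is neutralised.
    // Note: arguments are stringified first, so locale number/date formatting is lost.
    static String renderEscapeArgs(String pattern, Object... args) {
        Object[] safe = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            safe[i] = escapeHtml(String.valueOf(args[i]));
        }
        return MessageFormat.format(pattern, safe);
    }

    public static void main(String[] unused) {
        // Constructed bundle entry and constructed untrusted value.
        String pattern = "Page {0} was not found.<br/>Check the name and try again.";
        String userValue = "<script>alert(1)</script>";

        // Page &lt;script&gt;... was not found.&lt;br/&gt;Check the name and try again.
        System.out.println(renderEscapeAll(pattern, userValue));
        // Page &lt;script&gt;... was not found.<br/>Check the name and try again.
        System.out.println(renderEscapeArgs(pattern, userValue));
    }
}
```

Escaping the finished message is the only safe choice when the tag cannot tell which parts of the string came from the bundle and which came from request data.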