You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jspwiki.apache.org by "Harry Metske (JIRA)" <ji...@apache.org> on 2013/01/15 18:38:12 UTC
[jira] [Commented] (JSPWIKI-712) Entities in ChangeNote should be
decoded when "keep editing"
[ https://issues.apache.org/jira/browse/JSPWIKI-712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13554036#comment-13554036 ]
Harry Metske commented on JSPWIKI-712:
--------------------------------------
proposed patch is wrong, it reintroduces an xss vulnerability (see JSPWIKI-319), the replaceEntities() should not be removed, but be done somewhere else, preferably just before saving the page.
> Entities in ChangeNote should be decoded when "keep editing"
> ------------------------------------------------------------
>
> Key: JSPWIKI-712
> URL: https://issues.apache.org/jira/browse/JSPWIKI-712
> Project: JSPWiki
> Issue Type: Bug
> Components: Default template
> Affects Versions: 2.8.4, 2.9
> Environment: Windows XP, Tomcat 7.0
> Reporter: Vigneshwaran Raveendran
> Assignee: brushed
> Priority: Minor
> Labels: fix, javascript
> Attachments: JSPWIKI-712.patch
>
>
> Steps to reproduce the bug:-
> 1. Go here: http://doc.jspwiki.org/2.4/Edit.jsp?page=WindowsInstall
> 2. Type in changenote: Testing "quotes" & ampersand
> 3. Click preview
> 4. Click Keep Editing
> 5. The changenote looks like this: Testing &quot;quotes&quot; &amp; ampersand
> Now the user has to remove it and type (Testing "quotes" & ampersand) again before saving. If the user didn't notice it, then the comment will be saved as "Testing &quot;quotes&quot; &amp; ampersand" in the history.
> =================================================
> I know that entities need to be encoded for security reasons but this is a Bug.
> When "keep editing" button is clicked, the comment should appear in decoded format. For that, there should be a javascript that execute "after" the page is loaded. No need to change any of the TextUtil.replaceEntities() methods.
> =================================================
> This is how I fixed it in my pc:
> 1. Added the following script to commonheader.jsp (or prettify.js)
> <script type="text/javascript">
> function decodeChangeNote() {
> document.getElementById("changenote").value =
> document.getElementById("changenote").value
> .replace(/&amp;/g,"&")
> .replace(/&lt;/g,"<")
> .replace(/&gt;/g,">")
> .replace(/&quot;/g,"\"");
> }
> </script>
> 2. Changed <body> tag in EditTemplate.jsp to call this js function on load.
> <body onload="decodeChangeNote()">
> ====================================================
> Now JSPWiki works fine for me. Polish this fix if needed and commit it. Please correct me if I'm wrong.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira