OFBiz: OFBIZ-1970

unescaped html special characters create problems in pages


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: Release Branch 4.0, Trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels: None
    • Environment: OFBiz rev 699187, Windows XP, postgresql-8.2-504 on Intel Core Duo 1.8 GHz, 2 GB of RAM

    Description

      HTML-specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interact with JavaScript. Note that this bug is the same as a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug is also prone to all sorts of HTML injection hacks. HTML and JavaScript code may be set as the value of an input field. Browsers shall render these as if part of the form.

      I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.
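The following is an added illustration of the behaviour the report describes and of the render-time escaping it proposes; it is not code from OFBiz or from the reporter. It is a stand-alone Python script: the form field name `partyName` and the two sample values (one benign, one carrying an attribute break-out) are constructed for the example. The parser at the end plays the browser's role, showing that the unescaped rendering turns a stored value into extra markup, while the escaped rendering hands the browser exactly the stored string.

```python
from html.parser import HTMLParser

# Constructed sample values: what a user might have typed into a form
# field and what then sits in the database unescaped.
SAMPLES = {
    "benign": "O'Reilly & Sons <Ltd>",
    "attribute_breakout": '"><script>alert(1)</script><input value="',
}

# The characters the issue lists. "/" is escaped with the entity OWASP
# recommends so that "</script>" can never be formed from stored data.
_ESCAPE_TABLE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def escape_html(value: str) -> str:
    """Escape a value for insertion into HTML text or a quoted attribute."""
    return "".join(_ESCAPE_TABLE.get(ch, ch) for ch in value)


def render_input_unescaped(value: str) -> str:
    """The reported behaviour: the stored value is dropped into the template verbatim."""
    # Hypothetical field name; any template that interpolates raw data behaves the same.
    return f'<input type="text" name="partyName" value="{value}">'


def render_input_escaped(value: str) -> str:
    """The proposed fix: escape at render time, leaving the stored data untouched."""
    return f'<input type="text" name="partyName" value="{escape_html(value)}">'


class _TagCollector(HTMLParser):
    """Stand-in for the browser: records every start tag and every value= attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.values: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, val in attrs:
            if name == "value":
                # HTMLParser decodes entities in attribute values, as a browser would.
                self.values.append(val)


def parse_rendered(markup: str) -> tuple[list[str], list[str]]:
    """Return (tags seen, value attributes seen) for a rendered fragment."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.values


def is_injected(markup: str) -> bool:
    """True when a fragment meant to hold one <input> yields any other element."""
    tags, _ = parse_rendered(markup)
    return tags != ["input"]


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        raw = render_input_unescaped(value)
        safe = render_input_escaped(value)
        print(f"{label}: unescaped -> {parse_rendered(raw)[0]}, injected={is_injected(raw)}")
        print(f"{label}: escaped   -> {parse_rendered(safe)}, injected={is_injected(safe)}")
```

Running the script shows the break-out value producing `input`, `script`, `input` from the unescaped template, and a single `input` whose `value` round-trips to the original string from the escaped one; the benign value survives both, which is why the bug is easy to miss until a `"` or `<` reaches a page.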


People

    Assignee: Unassigned
    Reporter: ian tabangay (itabangay)