OFBiz / OFBIZ-1970

unescaped html special characters create problems in pages


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: Release Branch 4.0, Trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels:
      None
    • Environment:

      OFBiz rev 699187, Windows XP, postgresql-8.2-504 on Intel Core Duo 1.8 GHz, 2 GB of RAM

      Description

      HTML-specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interact with JavaScript. Note that this bug is the same as a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug is also prone to all sorts of HTML injection hacks. HTML and JavaScript code may be set as the value of an input field. Browsers shall render these as if part of the form.

      I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.
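The render-time escaping the report asks for, shown as an added example in Python that is not OFBiz code (OFBiz itself is Java): `escape_html` covers exactly the characters the report lists, `render_input_unescaped` reproduces the described behaviour of emitting a stored value verbatim into an input field, `render_input_escaped` is the hardened form, and the injected sample value is constructed here to show how an unescaped value breaks out of the `value` attribute and adds a script element to the form.

```python
import html
from html.parser import HTMLParser

# Characters named in the report. HTML only requires & < > " ' to be escaped
# in text and quoted-attribute contexts; '/' is included because the report
# lists it, and escaping it is harmless.
_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
    "/": "&#47;",
}


def escape_html(value: str) -> str:
    """Escape a raw string so it is inert as HTML text or inside a quoted attribute."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_input_unescaped(name: str, value: str) -> str:
    """The behaviour the report describes: the stored value is emitted verbatim."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_input_escaped(name: str, value: str) -> str:
    """Hardened form: escape at render time, so the database needs no migration."""
    return f'<input type="text" name="{escape_html(name)}" value="{escape_html(value)}">'


class _StartTagCollector(HTMLParser):
    """Collects every start tag the browser-side parser would see, with attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser decodes entity references in attribute values, so a
        # correctly escaped value comes back as the original string.
        self.tags.append((tag, dict(attrs)))


def parse_start_tags(markup: str) -> list[tuple[str, dict]]:
    parser = _StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Constructed sample: a value stored in the database by an attacker that closes
# the value attribute, injects a script element and re-opens an input so the
# rest of the original tag still parses.
INJECTED_VALUE = '"><script>alert(1)</script><input value="'


def tag_names(markup: str) -> list[str]:
    return [tag for tag, _ in parse_start_tags(markup)]


if __name__ == "__main__":
    before = render_input_unescaped("q", INJECTED_VALUE)
    after = render_input_escaped("q", INJECTED_VALUE)
    print("unescaped tags:", tag_names(before))   # a <script> appears in the form
    print("escaped tags:  ", tag_names(after))    # one <input>, value intact
    print("round trip ok: ", parse_start_tags(after)[0][1]["value"] == INJECTED_VALUE)
    # html.escape(value, quote=True) gives equivalent protection for & < > " '.
    print("stdlib escape: ", html.escape(INJECTED_VALUE, quote=True))
```

The check that matters is the round trip: after escaping, the parser sees a single input whose `value` attribute decodes back to the original string, so nothing is lost for the user while nothing is interpreted as markup. This is why escaping at render time, rather than rewriting stored data, is sufficient.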


              People

              • Assignee: Unassigned
              • Reporter: itabangay ian tabangay
