OFBIZ-1970: unescaped html special characters create problems in pages

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: Release Branch 4.0, SVN trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels: None
    • Environment: Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on Intel CoreDuo 1.8Gz, 2GB of RAM

      Description

      HTML-specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interact with JavaScript. Note that this bug is the same as a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug is also prone to all sorts of HTML injection hacks. HTML and JavaScript code may be set as a value to an input field. Browsers shall render these as if part of the form.

      I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.
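      The following is an added illustration of the render-time escaping the report suggests; it is not OFBiz code and uses a constructed sample value and hypothetical helper names (escape_html, render_input, tags_in). It shows how a stored value that contains an attribute-closing quote becomes extra markup in the form when rendered raw, and stays inert when every character the report lists is replaced by a character reference at render time.

```python
import html
import re

# The characters named in the report (' & " > < /), each mapped to an HTML
# character reference so a stored value can never close the surrounding
# attribute or open a new tag when a template renders it.
_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def escape_html(value: str) -> str:
    """Escape a value for use in HTML text or inside a quoted attribute.

    Single pass, so an '&' that is part of a produced reference is never
    escaped a second time."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_input(name: str, value: str, escape: bool) -> str:
    """Render a text input the way a page template might.

    escape=False reproduces the behaviour the report describes: the raw
    database value lands directly inside the value attribute."""
    shown = escape_html(value) if escape else value
    return f'<input type="text" name="{name}" value="{shown}" />'


# Constructed sample (not from the report): a stored value holding a quote
# that closes the attribute, followed by markup and a second input element.
SAMPLE_VALUE = 'Tom & Jerry" /><b>injected</b><input name="extra'

_TAG_RE = re.compile(r"<[^>]+>")


def tags_in(fragment: str) -> list[str]:
    """Rough count of the tags a browser would parse out of the fragment."""
    return _TAG_RE.findall(fragment)


def roundtrips(value: str) -> bool:
    """Escaping is lossless: decoding the references gives the value back."""
    return html.unescape(escape_html(value)) == value


if __name__ == "__main__":
    print(render_input("q", SAMPLE_VALUE, escape=False))  # 4 tags rendered
    print(render_input("q", SAMPLE_VALUE, escape=True))   # 1 tag rendered
```

      Because the escaping happens only at render time, values already stored with raw HTML characters need no migration, which is the point the report makes.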

          Activity

          Jacques Le Roux added a comment -

          There are already a lot of issues open about this subject

            People

            • Assignee: Unassigned
            • Reporter: ian tabangay
