Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1970

unescaped html special characters create problems in pages

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Duplicate
    • Release Branch 4.0, Trunk
    • None
    • framework
    • None
    • Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on Intel CoreDuo 1.8Gz, 2GB of RAM

    Description

      HTML specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interacts with javascripts. Note that this bug is the same to a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug also prone to all sorts of HTML injection hacks. HTML and javascript codes may be set as a value to an input field. Browsers shall render these as if part of the form.

      I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            itabangay ian tabangay
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment