[https://issues.apache.org/jira/browse/NIFI-327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14311528#comment-14311528]
Matt Gilman commented on NIFI-327:
----------------------------------
Anytime untrusted data is being inserted into the DOM, it needs to be escaped
due to XSS concerns [1]. Now we could discuss whether content from an extension
point should be trusted. Maybe I was being overcautious, but as a rule of thumb
I opted for not trusting any content that the UI didn't generate itself.
[1] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
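An added illustration (not NiFi's own code) of the escaping rule cited above and of the symptom in this issue: escaping once at the point of insertion renders an apostrophe correctly, while content that is escaped twice shows up as literal entity text. The browser's display of an HTML string is modelled by a constructed helper so the snippet runs in Node without a DOM.

```javascript
// Escape the characters OWASP rule #1 lists before inserting untrusted text
// into HTML element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// Constructed model of what a browser shows for a string assigned via innerHTML:
// tags are consumed as markup (not displayed) and entities are decoded back to
// characters. Only the entities escapeHtml emits are handled.
function displayedText(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&#x27;|&#39;/g, "'")
    .replace(/&#x2F;/g, '/')
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Unsafe: raw insertion lets the browser interpret any markup the content carries.
function renderRaw(description) {
  return displayedText(description);
}

// Correct: escape exactly once, at the point where the text enters the DOM.
function renderOnce(description) {
  return displayedText(escapeHtml(description));
}

// Bug pattern behind this issue: content that was already escaped upstream is
// escaped again by the dialog, so the user sees the entity text itself.
function renderTwice(description) {
  return displayedText(escapeHtml(escapeHtml(description)));
}

// Constructed processor description containing an apostrophe and some markup.
const description = "It's <b>not</b> trusted";
console.log(renderRaw(description));   // It's not trusted   (markup was interpreted)
console.log(renderOnce(description));  // It's <b>not</b> trusted   (markup shown as text)
console.log(renderTwice(description)); // It&#x27;s &lt;b&gt;not&lt;&#x2F;b&gt; trusted
```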
> Add Processor dialog improper HTML encoding of processor descriptions
> ---------------------------------------------------------------------
>
> Key: NIFI-327
> URL: https://issues.apache.org/jira/browse/NIFI-327
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core UI
> Affects Versions: 0.0.1, 0.0.2
> Environment: OS X in Safari
> CentOS 7 in Firefox
> Reporter: Aldrin Piri
> Priority: Minor
> Attachments: html-encoding.png
>
>
> Will attach screenshot.
> When adding a processor via 'Add Processor', the description for a processor
> that includes symbols is being encoded when it does not need to be. One
> example is TransformXML, which makes use of apostrophes that are encoded into
> their HTML equivalent, '''
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)