unescaped html special characters create problems in pages
----------------------------------------------------------
Key: OFBIZ-1970
URL: https://issues.apache.org/jira/browse/OFBIZ-1970
Project: OFBiz
Issue Type: Bug
Components: framework
Affects Versions: SVN trunk, Release Branch 4.0
Environment: Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on Intel
CoreDuo 1.8Gz, 2GB of RAM
Reporter: ian tabangay
Priority: Minor
HTML specific characters (like ' & " > < /) are unescaped when rendered. This
creates problems for rendering pages that interacts with javascripts. Note that
this bug is the same to a previous issue regarding unescaped special characters
(see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug also prone to
all sorts of HTML injection hacks. HTML and javascript codes may be set as a
value to an input field. Browsers shall render these as if part of the form.
I suggest escaping values when a page is being rendered. This will remove the
hassle of data migration for the database to fix values with unescaped HTML
characters.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
