Hi Greg, that was done by Dave as part of this commit last August 13th:
http://svn.apache.org/viewvc?view=revision&revision=1510000, which *may*
have been part of the XSS security release Dave did the following
November: http://rollerweblogger.org/project/entry/apache_roller_5_0_2.
It may have been a copy-and-paste error: checking feeds.vm in the
above commit, he does an escapeHTML(removeHTML) but in the other an
escapeHTML(escapeHTML). One of the three files, SearchResultsModel(),
had no real changes, just the formatting was rearranged.
I would say we don't need to allow searching on punctuation characters
(does Google even?) but if Dave doesn't respond and removing one of the
escapeHTML calls fixes things without breaking more important stuff,
perhaps good to go ahead with the change. Certainly, if it needs to be
reapplied, next time we can put in a comment saying why the consecutive
escapeHTML() calls are necessary.
Regards,
Glen
On 08/14/2014 04:03 AM, Greg Huber wrote:
Glen,
When I do a search containing an ampersand, roller does not show the
returned text correctly.
e.g.
b&z
actually returns: b&z
which renders as b&z
It should return b&z with no second ampersand for it to render
correctly.
Checking the method getTerm(), it does a double escape, where
StringEscapeUtils.escapeXml(..) adds the extra amp;, causing it not to show
correctly:
SearchResultsModel():
    public String getTerm() {
        String query = searchRequest.getQuery();
        // escapeXml runs on text escapeHTML has already escaped,
        // so a single '&' in the query comes out as "&amp;amp;"
        return (query == null)
            ? "" : StringEscapeUtils.escapeXml(Utilities.escapeHTML(query));
    }
Do we need the double escape? For XSS? StringEscapeUtils.escapeXml() or
how do we make it render correctly?
Cheers Greg.
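For anyone following the thread who wants to see the effect Greg describes without a Roller build: the following is an added example, not code from Roller or from either message. It stands in Python's html.escape()/html.unescape() for Utilities.escapeHTML() and StringEscapeUtils.escapeXml() (an assumption: both are treated here as escaping the same five HTML special characters), shows how the second escape turns "&" into "&amp;amp;", shows that one escape already neutralises markup in the search term, and includes a small check that flags double-escaped output in rendered pages.

```python
import html
import re

# Entity sequences that only arise when already-escaped text is escaped again,
# e.g. "&amp;amp;" or "&amp;lt;". Used as a cheap regression check on output.
DOUBLE_ESCAPE_RE = re.compile(r"&amp;(?:amp|lt|gt|quot|#\d+|#x[0-9a-fA-F]+);")


def escape_once(term: str) -> str:
    """Escape a user-supplied term exactly once for an HTML text context."""
    return html.escape(term, quote=True)


def escape_twice(term: str) -> str:
    """The pattern in getTerm(): an XML/HTML escape applied to text that
    has already been HTML-escaped."""
    return html.escape(html.escape(term, quote=True), quote=True)


def render(markup: str) -> str:
    """Approximate what a browser displays for a text node: entities are
    decoded exactly once."""
    return html.unescape(markup)


def looks_double_escaped(markup: str) -> bool:
    """True if the markup contains entity sequences that only a double
    escape produces; a quick check to run over rendered search pages."""
    return bool(DOUBLE_ESCAPE_RE.search(markup))


def compare(term: str) -> dict:
    """Return what the user sees for a term under a single and a double escape."""
    once = escape_once(term)
    twice = escape_twice(term)
    return {
        "term": term,
        "once": once,
        "once_rendered": render(once),
        "twice": twice,
        "twice_rendered": render(twice),
        "twice_flagged": looks_double_escaped(twice),
    }


if __name__ == "__main__":
    # Constructed sample search terms: the ampersand case from the thread
    # plus a term containing markup, to show one escape is enough for both.
    for term in ["b&z", "<b>z</b>", 'say "hi"']:
        result = compare(term)
        print(f'term {result["term"]!r}:')
        print(f'  once  -> {result["once"]!r} shows as {result["once_rendered"]!r}')
        print(f'  twice -> {result["twice"]!r} shows as {result["twice_rendered"]!r}'
              f' (double escape detected: {result["twice_flagged"]})')
```

With a single escape, "b&z" is emitted as "b&amp;z" and the browser displays "b&z"; with the double escape it is emitted as "b&amp;amp;z" and the browser displays "b&amp;z", which is the extra "amp;" Greg sees. The "<b>z</b>" case shows that one escape already removes every "<" and ">" from the output, so dropping one of the two calls does not reintroduce markup into the page; looks_double_escaped() can be run over the rendered search page after the change as a regression check.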