Does this encoding work properly when sent in JavaScript attributes as
well? I recently noticed that the following type of call does not work as
expected if the value *question* contains a single quote.

<a onclick="editQuestion('{{question}}')">


On Tue, Jan 31, 2017 at 11:04 PM, Manuranga Perera <[email protected]> wrote:

> UUF automatically escapes sensitive characters [1]. Please don't use
> 'encoding' for 'escaping'.
>
> [1] https://github.com/jknack/handlebars.java/blob/1f6c48e606dc1303d1e92a0a0eaa94120eba64fd/handlebars/src/main/java/com/github/jknack/handlebars/EscapingStrategy.java#L82
>
> On Tue, Jan 31, 2017 at 5:23 PM, Jayanga Kaushalya <[email protected]>
> wrote:
>
>> Hi Manuranga,
>>
>> This is not because of a security reason. The security question set id
>> may contain HTML special characters. So the set id is sent to the UI after
>> encoding it to Base64.
>>
>> Thanks!
>>
>> *Jayanga Kaushalya*
>> Software Engineer
>> Mobile: +94777860160
>> WSO2 Inc. | http://wso2.com
>> lean.enterprise.middleware
>>
>> On Tue, Jan 31, 2017 at 10:42 PM, Manuranga Perera <[email protected]> wrote:
>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Manuranga Perera <[email protected]>
>>> Date: Tue, Jan 31, 2017 at 5:11 PM
>>> Subject: Security questions are encoded
>>> To: Johann Nallathamby <[email protected]>, Jayanga Kaushalya <[email protected]>, Isura Karunaratne <[email protected]>
>>>
>>>
>>> Security questions are base64 encoded [1]. If they are encrypted (e.g.
>>> RSA) or hashed (e.g. SHA) I can understand that it's for security reasons.
>>> All this does is obfuscation, poorly even at that, since base64 can be
>>> easily decoded.
>>>
>>> Or is it done for non-security reasons, like escaping special characters?
>>>
>>> [1] https://github.com/wso2/product-is/blob/6.0.x-C5_m3/portal/osgi-services/org.wso2.is.portal.user.client.api/src/main/java/org/wso2/is/portal/user/client/api/ChallengeQuestionManagerClientServiceImpl.java#L113
>>>
>>> --
>>> With regards,
>>> *Manu*ranga Perera.
>>>
>>> phone : 071 7 70 20 50
>>> mail : [email protected]
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : [email protected]
>


-- 

Best Regards,

Nuwandi Wickramasinghe

Software Engineer

WSO2 Inc.

Web : http://wso2.com

Mobile : 0719214873
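The following is an added example; it is not code from this thread, from UUF, or from handlebars.java. It models the two parsing steps a browser applies to an attribute such as `<a onclick="editQuestion('{{question}}')">`: the HTML parser first decodes entities in the attribute value, and only then is the decoded text compiled as JavaScript. `escapeHtml` is a constructed approximation of an HTML-entity escaping table of the kind a templating engine applies to `{{ }}` (it does not reproduce the exact table in handlebars.java's EscapingStrategy), and `escapeJsString`, `decodeHtmlAttribute`, `runHandler` and the `render*` functions are hypothetical names. It shows why HTML escaping alone breaks the handler once the question contains a single quote, why the Base64 variant from the thread happens to survive both contexts (it is a transport encoding, not a security control), and how escaping for the JavaScript string context first and the HTML attribute context second delivers the original value to the handler intact.

```javascript
// Added example; not code from this thread, from UUF, or from handlebars.java.
// Models what a browser does with  <a onclick="editQuestion('{{question}}')">:
//  step 1: the HTML parser decodes entities in the attribute value;
//  step 2: the decoded text is compiled as JavaScript.
// HTML escaping alone cannot protect a JS string literal, because the escaped
// quote is decoded back to a quote before the script is ever parsed.

// Constructed approximation of an HTML-entity escaping table of the kind
// templating engines apply to {{ }}; not the exact table used by handlebars.java.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"'`=]/g, (c) => HTML_ENTITIES[c]);
}

// Escaping for the inside of a single-quoted JavaScript string literal.
// Everything outside a small safe alphabet becomes \xHH or \uHHHH, so no
// quote, backslash, angle bracket or newline survives into the literal.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,.?!_-]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Step 1, simulated: entity decoding of an attribute value (covers only the
// entities escapeHtml emits; a real HTML parser decodes many more).
function decodeHtmlAttribute(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Step 2, simulated: compile and run the handler body with a stub editQuestion.
// Returns the argument editQuestion received, or null when the body does not
// even parse (the case the thread observed for values containing a quote).
function runHandler(attrValue) {
  const js = decodeHtmlAttribute(attrValue);
  let received = null;
  try {
    const handler = new Function('editQuestion', js);
    handler((q) => { received = q; });
  } catch (e) {
    return null; // SyntaxError: a quote inside the value ended the literal early
  }
  return received;
}

// Three ways of producing the attribute value for {{question}}.

// 1. HTML escaping only, i.e. what {{question}} gives on its own.
function renderHtmlOnly(question) {
  return `editQuestion('${escapeHtml(question)}')`;
}

// 2. Base64 first, as the thread's code does. The Base64 alphabet carries no
//    quotes, so the literal survives; this is a transport encoding, not a
//    security control, and the handler has to decode it again.
function renderBase64(question) {
  const b64 = Buffer.from(question, 'utf8').toString('base64');
  return `editQuestion('${escapeHtml(b64)}')`;
}

// 3. Context-aware escaping: innermost context first (JS string literal),
//    then the enclosing context (HTML attribute).
function renderLayered(question) {
  return `editQuestion('${escapeHtml(escapeJsString(question))}')`;
}

// Demo with a constructed security question that contains apostrophes.
const QUESTION = "What's your pet's name?";
console.log('html only :', runHandler(renderHtmlOnly(QUESTION)));
console.log('base64    :', runHandler(renderBase64(QUESTION)));
console.log('layered   :', runHandler(renderLayered(QUESTION)));
```

The ordering in `renderLayered` is the general rule for nested contexts: escape for the innermost context the value lands in, then for each enclosing context outward. In a page like the portal's, the simpler option is to keep the value out of inline script altogether, for example by putting it in a `data-question` attribute (which needs only HTML attribute escaping) and reading `this.dataset.question` from a handler attached with `addEventListener`.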