[ https://jira.nuxeo.com/browse/NXP-6577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anahide Tchertchian resolved NXP-6577.
--------------------------------------
Resolution: Fixed
Done by adding an automatic styling of the text (note that it does not work
properly when using ajax refresh):
http://hg.nuxeo.org/nuxeo/nuxeo-jsf/rev/c26d0e545ea0
http://hg.nuxeo.org/addons/nuxeo-platform-forms-layout-demo/rev/e73aedba94fd
> Prevent cross site scripting when using textarea widgets
> --------------------------------------------------------
>
> Key: NXP-6577
> URL: https://jira.nuxeo.com/browse/NXP-6577
> Project: Nuxeo Enterprise Platform
> Issue Type: Bug
> Affects Versions: 5.4.1
> Reporter: Anahide Tchertchian
> Assignee: Anahide Tchertchian
> Fix For: 5.4.2
>
>
> Textarea widgets currently change end of line characters into <br /> tags and
> are rendered in view mode without escaping (see NXP-6015: was added to keep
> end of line characters in description).
> This is a security hole for cross site scripting (non escaping in view mode)
> => need to find a better solution to render it and keep line breaks
_______________________________________________
ECM-tickets mailing list
http://lists.nuxeo.com/mailman/listinfo/ecm-tickets
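
The rendering problem described in the issue, as an added example that is not Nuxeo code and not the content of the linked commits: it contrasts converting line breaks to `<br />` without escaping against two escaped renderings. The class name, method names and sample value are constructed, and the use of CSS `white-space: pre-line` is an assumption about one way to keep line breaks through styling.

```java
// Added illustration; class and method names are hypothetical, not Nuxeo code.
public class TextareaViewDemo {

    // Minimal HTML escaper for text placed in element content or a quoted attribute.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // The pattern the issue describes: line breaks become <br /> and the
    // result is written unescaped, so markup in the value reaches the page.
    static String renderUnescaped(String value) {
        return value.replaceAll("\r\n|\r|\n", "<br />");
    }

    // Escape first, then add the only markup the view is meant to emit.
    static String renderEscapedWithBreaks(String value) {
        return escapeHtml(value).replaceAll("\r\n|\r|\n", "<br />");
    }

    // Escape and leave line breaks to CSS; no markup is derived from the value.
    static String renderEscapedWithStyle(String value) {
        return "<span style=\"white-space: pre-line\">" + escapeHtml(value) + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample value: two lines, the second containing markup.
        String value = "First line\nSecond <i>line</i>";
        System.out.println(renderUnescaped(value));         // <i> survives as markup
        System.out.println(renderEscapedWithBreaks(value)); // <i> shown as text, <br /> kept
        System.out.println(renderEscapedWithStyle(value));  // <i> shown as text, newline kept
    }
}
```

The order matters in the second variant: escaping after inserting `<br />` would escape the break tags as well.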