[
https://issues.apache.org/jira/browse/OFBIZ-10356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16446622#comment-16446622
]
Swapnil M Mane edited comment on OFBIZ-10356 at 4/21/18 4:09 AM:
-----------------------------------------------------------------
Thanks [~rmallah] for reporting this issue.
Hi team,
Special character in the product name is shown due to HTML escaping in the code.
ofbiz/applications/product/template/product/EditProductContent.ftl at line 48
{code:java}
<input type="text" name="productName" value="${(product.productName?html)!}"
size="30" maxlength="60"/>
{code}
This change was intentional, done by [~jacques.le.roux] many years ago at
[r490268|https://lists.apache.org/thread.html/3a9cf63564e4a29eff76b70cba4933ac846cb08f92648b021cb61726@1167115681@%3Ccommits.ofbiz.apache.org%3E]
to fix an issue.
I guess this change was done to protect from Script Injection Attacks.
IMO, trusted authorized users have permission to change the product attributes
(here name), so I think we can remove the Auto-escaping of HTML, i.e.
{code:java}
<input type="text" name="productName" value="${(product.productName)!}"
size="30" maxlength="60"/>
{code}
I would like to know the community thoughts on removing HTML escaping from this
code, thank you!
was (Author: swapnilmmane):
Thanks [~rmallah] for reporting this issue.
Hi team,
Special character in the product name is shown due to HTML escaping in the code.
ofbiz/applications/product/template/product/EditProductContent.ftl at line 48
{code:java}
<input type="text" name="productName" value="${(product.productName?html)!}"
size="30" maxlength="60"/>
{code}
This change was intentional, done by Jacques many years ago at
[r490268|https://lists.apache.org/thread.html/3a9cf63564e4a29eff76b70cba4933ac846cb08f92648b021cb61726@1167115681@%3Ccommits.ofbiz.apache.org%3E]
to fix an issue.
I guess this change was done to protect from Script Injection Attacks.
IMO, trusted authorized users have permission to change the product attributes
(here name), so I think we can remove the Auto-escaping of HTML, i.e.
{code:java}
<input type="text" name="productName" value="${(product.productName)!}"
size="30" maxlength="60"/>
{code}
I would like to know the community thoughts on removing HTML escaping from this
code, thank you!
> display of entities in text input field
> ---------------------------------------
>
> Key: OFBIZ-10356
> URL: https://issues.apache.org/jira/browse/OFBIZ-10356
> Project: OFBiz
> Issue Type: Improvement
> Components: product
> Reporter: Rajesh Kumar Mallah
> Assignee: Swapnil M Mane
> Priority: Minor
>
>
> In the url:
> [https://demo-stable.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1006-1]
>
> the "Product Name" under "Override Simple Fields" is unnecessarily
> expressed in entity format . The string displayed in product name
> field is: "Open Gizmo (LGPL)" it could have been a
> simple "Open Gizmo (LGPL)"
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
