[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability

2016-03-07 Thread on behalf of Mikaël Geljić

Mikaël Geljić updated an issue

Magnolia Form Module / MGNLFORM-278
XSS escaping breaks plain text email readability

Change By: Mikaël Geljić
Sprint: Saigon  33  34

This message was sent by Atlassian JIRA (v6.4.12#64027-sha1:e3691cc)

For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: 





[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability

2016-02-29 Thread JIRA (on behalf of Oanh Thai Hoang)

Oanh Thai Hoang updated an issue

Magnolia Form Module / MGNLFORM-278
XSS escaping breaks plain text email readability

Change By: Oanh Thai Hoang
Original Estimate: 5d
Remaining Estimate: 5d
Account:





[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability

2016-02-29 Thread JIRA (on behalf of Oanh Thai Hoang)

Oanh Thai Hoang updated an issue

Magnolia Form Module / MGNLFORM-278
XSS escaping breaks plain text email readability

Change By: Oanh Thai Hoang
Assignee: Oanh Thai Hoang





[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability

2016-02-29 Thread on behalf of Mikaël Geljić

Mikaël Geljić updated an issue

Magnolia Form Module / MGNLFORM-278
XSS escaping breaks plain text email readability

Change By: Mikaël Geljić
Fix Version/s: 2.3.5





[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability

2016-02-29 Thread on behalf of Mikaël Geljić

Mikaël Geljić updated an issue

Magnolia Form Module / MGNLFORM-278
XSS escaping breaks plain text email readability

Change By: Mikaël Geljić
Story Points: 8





[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability

2016-02-25 Thread on behalf of Michael Mühlebach

Michael Mühlebach updated an issue

Magnolia Form Module / MGNLFORM-278
XSS escaping breaks plain text email readability

Change By: Michael Mühlebach
Sprint: Saigon 33





[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability

2016-02-24 Thread JIRA (on behalf of Ilgun Ilgun)

Ilgun Ilgun updated an issue

Magnolia Form Module / MGNLFORM-278
XSS escaping breaks plain text email readability

Change By: Ilgun Ilgun

{{DefaultFormDataBinder}} uses XSS escaping to transform form values. This is fine for HTML email but not for plain text email because the HTML entities are not decoded.

You can easily reproduce this problem with travel demo contact page, when using quotes (single or double) on subject or message field.

I had to release, so I fixed this by overriding method {{ senMail sendMail }} in both {{SendContactEMailProcessor}} and {{SendConfirmationEMailProcessor}} with the following code.

{code}
if ("text".equals(contentType)) {
	for (final String key : parameters.keySet()) {
		final Object value = parameters.get(key);
		if (value instanceof String) {
			parameters.put(key, EscapeUtil.unescapeXss((String) value));
		}
	}
}
super.sendMail(body, from, subject, to, contentType, parameters);
{code}

At least the code snippet could be put in {{AbstractEMailFormProcessor}}, unless there's a better way to do so.





[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability

2016-01-12 Thread JIRA (on behalf of Vincent Gombert)

Vincent Gombert created an issue

Magnolia Form Module / MGNLFORM-278
XSS escaping breaks plain text email readability

Issue Type: Bug
Affects Versions: 2.3.2
Assignee: Unassigned
Created: 12/Jan/16 5:02 PM
Priority: Neutral
Reporter: Vincent Gombert
Security Level: Public

DefaultFormDataBinder uses XSS escaping to transform form values. This is fine for HTML email but not for plain text email because the HTML entities are not decoded. You can easily reproduce this problem with travel demo contact page, when using quotes (single or double) on subject or message field. I had to release, so I fixed this by overriding method sendMail in both SendContactEMailProcessor and SendConfirmationEMailProcessor with the following code.

 

if ("text".equals(contentType)) {
	for (final String key : parameters.keySet()) {
		final Object value = parameters.get(key);
		if (value instanceof String) {
			parameters.put(key, EscapeUtil.unescapeXss((String) value));
		}
	}
}
super.sendMail(body, from, subject, to, contentType, parameters);
 

 
At least the code