[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability
Mikaël Geljić updated an issue
Magnolia Form Module / MGNLFORM-278 XSS escaping breaks plain text email readability
Change By: Mikaël Geljić
Sprint: Saigon 33 34

This message was sent by Atlassian JIRA (v6.4.12#64027-sha1:e3691cc)
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to:
[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability
Oanh Thai Hoang updated an issue
Magnolia Form Module / MGNLFORM-278 XSS escaping breaks plain text email readability
Change By: Oanh Thai Hoang
Original Estimate: 5d
Remaining Estimate: 5d
Account:
[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability
Oanh Thai Hoang updated an issue
Magnolia Form Module / MGNLFORM-278 XSS escaping breaks plain text email readability
Change By: Oanh Thai Hoang
Assignee: Oanh Thai Hoang
[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability
Mikaël Geljić updated an issue
Magnolia Form Module / MGNLFORM-278 XSS escaping breaks plain text email readability
Change By: Mikaël Geljić
Fix Version/s: 2.3.5
[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability
Mikaël Geljić updated an issue
Magnolia Form Module / MGNLFORM-278 XSS escaping breaks plain text email readability
Change By: Mikaël Geljić
Story Points: 8
[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability
Michael Mühlebach updated an issue
Magnolia Form Module / MGNLFORM-278 XSS escaping breaks plain text email readability
Change By: Michael Mühlebach
Sprint: Saigon 33
[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability
Ilgun Ilgun updated an issue
Magnolia Form Module / MGNLFORM-278 XSS escaping breaks plain text email readability
Change By: Ilgun Ilgun

{{DefaultFormDataBinder}} uses XSS escaping to transform form values. This is fine for HTML email but not for plain text email because the HTML entities are not decoded.

You can easily reproduce this problem with travel demo contact page, when using quotes (single or double) on subject or message field.

I had to release, so I fixed this by overriding method {{sendMail}} in both {{SendContactEMailProcessor}} and {{SendConfirmationEMailProcessor}} with the following code.

{code}
// Plain-text mail is not rendered as HTML, so decode the XSS-escaped values first.
if ("text".equals(contentType)) {
    for (final String key : parameters.keySet()) {
        final Object value = parameters.get(key);
        if (value instanceof String) {
            parameters.put(key, EscapeUtil.unescapeXss((String) value));
        }
    }
}
super.sendMail(body, from, subject, to, contentType, parameters);
{code}

At least the code snippet could be put in {{AbstractEMailFormProcessor}}, unless there's a better way to do so.
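An added example (not code from this thread or from Magnolia) of the effect described in the issue: values escaped at bind time show raw entities in a plain text mail unless they are decoded for that content type only. The `escapeXss`/`unescapeXss` helpers are simplified stand-ins for Magnolia's `EscapeUtil` (its real entity set may differ), and `forContentType`, the `"html"` content type value and the sample form values are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class PlainTextMailParams {

    // Stand-in for the escaping applied when form values are bound (assumed entity set).
    static String escapeXss(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Inverse of escapeXss. "&amp;" is decoded last so that "&amp;lt;"
    // becomes the literal text "&lt;" rather than "<".
    static String unescapeXss(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", "\"")
                .replace("&#39;", "'").replace("&amp;", "&");
    }

    // Returns a copy of the bound parameters suited to the mail's content type.
    // Only plain text gets decoded values; any other type keeps the escaped
    // strings, so nothing decoded can reach an HTML body.
    static Map<String, Object> forContentType(String contentType, Map<String, Object> bound) {
        Map<String, Object> out = new LinkedHashMap<>(bound);
        if ("text".equals(contentType)) {
            // replaceAll rewrites values in place without changing the key set.
            out.replaceAll((key, value) ->
                    value instanceof String ? unescapeXss((String) value) : value);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input: quotes in the subject, markup and a literal "&lt;" in the message.
        Map<String, Object> bound = new LinkedHashMap<>();
        bound.put("subject", escapeXss("Can't open \"Tours\" page"));
        bound.put("message", escapeXss("<b>R&D</b> wrote &lt; literally"));
        bound.put("copies", 2); // non-String values pass through untouched

        System.out.println("text: " + forContentType("text", bound));
        System.out.println("html: " + forContentType("html", bound));
    }
}
```

The decoded copy is only safe in the plain text body; wherever the same parameters are rendered as HTML, the escaped values must still be used.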
[magnolia-dev] [JIRA] (MGNLFORM-278) XSS escaping breaks plain text email readability
Vincent Gombert created an issue
Magnolia Form Module / MGNLFORM-278 XSS escaping breaks plain text email readability
Issue Type: Bug
Affects Versions: 2.3.2
Assignee: Unassigned
Created: 12/Jan/16 5:02 PM
Priority: Neutral
Reporter: Vincent Gombert
Security Level: Public

DefaultFormDataBinder uses XSS escaping to transform form values. This is fine for HTML email but not for plain text email because the HTML entities are not decoded.

You can easily reproduce this problem with travel demo contact page, when using quotes (single or double) on subject or message field.

I had to release, so I fixed this by overriding method sendMail in both SendContactEMailProcessor and SendConfirmationEMailProcessor with the following code.

{code}
// Plain-text mail is not rendered as HTML, so decode the XSS-escaped values first.
if ("text".equals(contentType)) {
    for (final String key : parameters.keySet()) {
        final Object value = parameters.get(key);
        if (value instanceof String) {
            parameters.put(key, EscapeUtil.unescapeXss((String) value));
        }
    }
}
super.sendMail(body, from, subject, to, contentType, parameters);
{code}

At least the code