buildbot failure in on ofbizTrunkFrameworkPlugins

2021-06-09 Thread buildbot
The Buildbot has detected a new failure on builder ofbizTrunkFrameworkPlugins 
while building ofbiz-framework. Full details are available at:
https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/2117

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: asf945_ubuntu

Build Reason: downstream
Build Source Stamp: [branch trunk] 4bab66e5016c1dd758127bb9d5b5a4e136d03773
Blamelist: Jacques Le Roux 

BUILD FAILED: failed check testIntegration

Sincerely,
 -The Buildbot





[ofbiz-framework] 01/02: Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomp

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 725c8543e0df45c011a0c645b0a57ce9a42fa61d
Author: Jacques Le Roux 
AuthorDate: Wed Jun 9 10:51:34 2021 +0200

Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254)
If `sanitizer.enable` is turned off, the `ListWorkEfforts` form will be vulnerable to an XSS attack because of incomplete escaping.

Steps to reproduce:

1. Turn off `sanitizer.enable` in owasp.properties
2. Create a WorkEffort entity with name as `alert(1)`
3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort
4. Search for "Work Effort Name" which contains "script"

Thanks: Xin Wang
---
 themes/common/template/macro/HtmlFormMacroLibrary.ftl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/themes/common/template/macro/HtmlFormMacroLibrary.ftl 
b/themes/common/template/macro/HtmlFormMacroLibrary.ftl
index df6bce7..48bbc7d 100644
--- a/themes/common/template/macro/HtmlFormMacroLibrary.ftl
+++ b/themes/common/template/macro/HtmlFormMacroLibrary.ftl
@@ -816,7 +816,7 @@ Parameter: delegatorName, String, optional - name of the 
delegator in context.
data-dialog-url="${linkUrl}"
 <#if text?has_content>data-dialog-title="${text}"
 <#if linkStyle?has_content>class="${linkStyle}">
-<#if description?has_content>${description}
+<#if description?has_content>${description?html}
 <#else>
 class="${linkStyle}"
   href="${linkUrl}"<#if targetWindow?has_content> 
target="${targetWindow}"
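Review bot: `?html` is applied only to `${description}` in this hunk, while the neighbouring interpolations `${text}` (in `data-dialog-title`), `${linkStyle}`, `${linkUrl}` and `${targetWindow}` are still written into attribute values unescaped, so this closes one sink and leaves its siblings depending on the same `sanitizer.enable` setting the commit message says may be turned off. FreeMarker's `?html` replaces `<`, `>`, `&` and `"`, which is sufficient inside a double-quoted attribute, so the same builtin can be applied to the others in this macro; the more durable option is `<#ftl output_format="HTML">` at the top of the library (FreeMarker 2.3.24 and later), which escapes every `${...}` unless it is explicitly marked `?no_esc`, turning the default from "unsafe unless remembered" into "safe unless opted out".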
@@ -824,6 +824,6 @@ Parameter: delegatorName, String, optional - name of the 
delegator in context.
   <#if confirmation?has_content> 
data-confirm-message="${confirmation}"
   <#if id?has_content> id="${id}"
   <#if imgSrc?length == 0 && title?has_content> title="${title}">
-  <#if imgSrc?has_content>${description}
+  <#if imgSrc?has_content>${description?html}
 
 


[ofbiz-framework] 01/02: Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomp

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit a99cbb53782cc5fd209184a2ef1031d150c43e0d
Author: Jacques Le Roux 
AuthorDate: Wed Jun 9 10:51:34 2021 +0200

Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254)
If `sanitizer.enable` is turned off, the `ListWorkEfforts` form will be vulnerable to an XSS attack because of incomplete escaping.

Steps to reproduce:

1. Turn off `sanitizer.enable` in owasp.properties
2. Create a WorkEffort entity with name as `alert(1)`
3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort
4. Search for "Work Effort Name" which contains "script"

Thanks: Xin Wang
---
 themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl 
b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
index 22a912e..0c852d6 100644
--- a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
+++ b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
@@ -743,7 +743,7 @@ Parameter: delegatorName, String, optional - name of the 
delegator in context.
data-dialog-url="${linkUrl}"
 <#if text?has_content>data-dialog-title="${text}"
 <#if linkStyle?has_content>class="${linkStyle}">
-<#if description?has_content>${description}
+<#if description?has_content>${description?html}
 <#else>
 class="${linkStyle}"
   href="${linkUrl}"<#if targetWindow?has_content> 
target="${targetWindow}"
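Review bot: the fix lands in `themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl`, the shared form macro library, not in anything specific to `ListWorkEfforts`, so every form that renders a link through this macro with a user-controlled `description` was affected and is fixed by this hunk; the commit message and OFBIZ-12254 should say so, because a reader of the title alone will assess the exposure as limited to one WorkEffort screen. It would also help to record why `description` in particular: it is the one interpolation here that lands in element text content (after the `>` that closes the tag on the `class="${linkStyle}">` line), while the others sit inside double-quoted attribute values. Both contexts need escaping, but only the text-content one shows the symptom in the report, which is how the attribute interpolations were missed.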
@@ -751,6 +751,6 @@ Parameter: delegatorName, String, optional - name of the 
delegator in context.
   <#if confirmation?has_content> 
data-confirm-message="${confirmation}"
   <#if id?has_content> id="${id}"
   <#if imgSrc?length == 0 && title?has_content> title="${title}">
-  <#if imgSrc?has_content>${description}
+  <#if imgSrc?has_content>${description?html}
 
 


[ofbiz-framework] 02/02: Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit bb254caddd08846e0c4e3bf6341a1e10d2321178
Author: Jacques Le Roux 
AuthorDate: Wed Jun 9 10:57:51 2021 +0200

Fixed: Unexpected decoding of URL-encoded textarea data after submission (OFBIZ-12249)

When trying to add a note to a WorkEffort entity, I found that URL-encoded
characters are unescaped, which is not expected.

e.g.:
1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
2. Add a note with content: https://example.com/a%20link
3. After submission, it will turn out to be: https://example.com/a link

Thanks: Xin Wang for the report and the exchanges until the solution I provided

Conflicts:
  UtilHttp.java: removes unused OOTB checkURLforSpiders for simplification
  UtilValidate.java: replaces DEFAULT_EMPTY_OK simply by true
---
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 130 +++--
 .../org/apache/ofbiz/base/util/UtilValidate.java   |  15 ++-
 2 files changed, 82 insertions(+), 63 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index 666316a..56c4e35 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -62,7 +62,6 @@ import org.apache.commons.fileupload.FileItem;
 import org.apache.commons.fileupload.FileUploadException;
 import org.apache.commons.fileupload.disk.DiskFileItemFactory;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
-import org.apache.commons.fileupload.servlet.ServletRequestContext;
 import org.apache.commons.lang.RandomStringUtils;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.utils.URLEncodedUtils;
@@ -78,10 +77,6 @@ import org.apache.ofbiz.webapp.control.ConfigXMLReader;
 import org.apache.ofbiz.webapp.control.SameSiteFilter;
 import org.apache.ofbiz.webapp.event.FileUploadProgressListener;
 import org.apache.ofbiz.widget.renderer.VisualTheme;
-import org.apache.oro.text.regex.MalformedPatternException;
-import org.apache.oro.text.regex.Pattern;
-import org.apache.oro.text.regex.PatternMatcher;
-import org.apache.oro.text.regex.Perl5Matcher;
 
 import com.ibm.icu.util.Calendar;
 
@@ -405,7 +400,30 @@ public final class UtilHttp {
 public static Map canonicalizeParameterMap(Map paramMap) {
 for (Map.Entry paramEntry: paramMap.entrySet()) {
 if (paramEntry.getValue() instanceof String) {
-paramEntry.setValue(canonicalizeParameter((String) 
paramEntry.getValue()));
+String paramEntries = (String) paramEntry.getValue();
+String[] stringValues = paramEntries.split(" ");
+String params = "";
+// Handles textareas, see OFBIZ-12249
+if (stringValues.length > 0) {
+for (String s : stringValues) {
+// if the string contains only an URL beginning by 
http or ftp => no change to keep special chars
+if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 
4 || s.indexOf("://") == 3)) {
+params = params + s + " " ;
+} else if (UtilValidate.isUrl(s) && !s.isEmpty()) {
+// if the string contains not only an URL => 
concatenate possible canonicalized before and after, w/o changing the URL
+String url = extractUrls(s).get(0); // THere 
should be only 1 URL in a block, makes no sense else
+int start = s.indexOf(url);
+String after = (String) s.subSequence(start + 
url.length(), s.length());
+params = params + canonicalizeParameter((String) 
s.subSequence(0, start)) + url + canonicalizeParameter(after) + " ";
+} else {
+// Simple string to canonicalize
+params = params + canonicalizeParameter(s) + " ";
+}
+}
+paramEntry.setValue(params.trim());
+} else {
+paramEntry.setValue(canonicalizeParameter(paramEntries));
+}
 } else if (paramEntry.getValue() instanceof Collection) {
 List newList = new LinkedList<>();
 for (String listEntry: 
UtilGenerics.checkCollection(paramEntry.getValue())) {
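Review bot: `extractUrls(s).get(0)` in the `else if (UtilValidate.isUrl(s) && !s.isEmpty())` branch is unguarded. `isUrl` and `extractUrls` are two independent matchers, so nothing guarantees that a token `isUrl` accepts is also matched by the `extractUrls` pattern; when it is not, the list is empty and `get(0)` throws `IndexOutOfBoundsException` out of request-parameter processing, i.e. an uncaught runtime exception reachable from ordinary form input. The comment "THere should be only 1 URL in a block" describes the intent but does not enforce it. Guard the call and fall back to plain canonicalization: `List<String> urls = extractUrls(s); if (urls.isEmpty()) { params = params + canonicalizeParameter(s) + " "; continue; } String url = urls.get(0);`. With the guard in place, `s.indexOf(url)` on the next line is safe because `url` is a substring of `s`, which is worth stating in a comment since the `subSequence` calls depend on it.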
@@ -1147,7 +1165,7 @@ public final class UtilHttp {
 response.setHeader("Cache-Control", "no-store, no-cache, 
must-revalidate, private"); // HTTP/1.1
 response.setHeader("Pragma", "no-cache"); // HTTP/1.0
 

[ofbiz-framework] 02/02: Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 4bab66e5016c1dd758127bb9d5b5a4e136d03773
Author: Jacques Le Roux 
AuthorDate: Wed Jun 9 10:57:51 2021 +0200

Fixed: Unexpected decoding of URL-encoded textarea data after submission (OFBIZ-12249)

When trying to add a note to a WorkEffort entity, I found that URL-encoded
characters are unescaped, which is not expected.

e.g.:
1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
2. Add a note with content: https://example.com/a%20link
3. After submission, it will turn out to be: https://example.com/a link

Thanks: Xin Wang for the report and the exchanges until the solution I provided
---
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 53 +-
 .../org/apache/ofbiz/base/util/UtilValidate.java   | 13 ++
 2 files changed, 65 insertions(+), 1 deletion(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index addcca8..6f040b4 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -42,6 +42,7 @@ import java.nio.ByteBuffer;
 import java.nio.charset.Charset;
 import java.sql.Timestamp;
 import java.time.LocalDateTime;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
@@ -60,6 +61,8 @@ import java.util.StringTokenizer;
 import java.util.TimeZone;
 import java.util.function.Function;
 import java.util.function.Predicate;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -401,7 +404,30 @@ public final class UtilHttp {
 public static Map canonicalizeParameterMap(Map paramMap) {
 for (Map.Entry paramEntry : paramMap.entrySet()) {
 if (paramEntry.getValue() instanceof String) {
-paramEntry.setValue(canonicalizeParameter((String) 
paramEntry.getValue()));
+String paramEntries = (String) paramEntry.getValue();
+String[] stringValues = paramEntries.split(" ");
+String params = "";
+// Handles textareas, see OFBIZ-12249
+if (stringValues.length > 0) {
+for (String s : stringValues) {
+// if the string contains only an URL beginning by 
http or ftp => no change to keep special chars
+if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 
4 || s.indexOf("://") == 3)) {
+params = params + s + " " ;
+} else if (UtilValidate.isUrl(s) && !s.isEmpty()) {
+// if the string contains not only an URL => 
concatenate possible canonicalized before and after, w/o changing the URL
+String url = extractUrls(s).get(0); // THere 
should be only 1 URL in a block, makes no sense else
+int start = s.indexOf(url);
+String after = (String) s.subSequence(start + 
url.length(), s.length());
+params = params + canonicalizeParameter((String) 
s.subSequence(0, start)) + url + canonicalizeParameter(after) + " ";
+} else {
+// Simple string to canonicalize
+params = params + canonicalizeParameter(s) + " ";
+}
+}
+paramEntry.setValue(params.trim());
+} else {
+paramEntry.setValue(canonicalizeParameter(paramEntries));
+}
 } else if (paramEntry.getValue() instanceof Collection) {
 List newList = new LinkedList<>();
 for (String listEntry : 
UtilGenerics.>cast(paramEntry.getValue())) {
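Review bot: the scheme check `s.indexOf("://") == 4 || s.indexOf("://") == 3` in the first branch matches `http://` (index 4) and `ftp://` (index 3) as the comment says, but not `https://` (index 5), while it does accept `ftps://` (index 4). An HTTPS URL, which is exactly what the reproduction steps in the commit message use, therefore never takes the "no change to keep special chars" branch; it falls through to the `isUrl` branch, where whatever the `extractUrls` regex does not consume is handed to `canonicalizeParameter`, so whether `%20` in the path survives depends on the regex rather than on this check. Test the scheme explicitly instead, for example `s.startsWith("http://") || s.startsWith("https://") || s.startsWith("ftp://")`, or parse with `java.net.URI` and compare `getScheme()` against an allow-list. One more readability point: `if (stringValues.length > 0)` reads like an empty-input check, but `String.split(" ")` drops trailing empty strings, so the `else` branch is reached only for values consisting entirely of spaces; a comment saying so would save the next reader from the same detour.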
@@ -1692,4 +1718,29 @@ public final class UtilHttp {
 public static String getRowSubmitPrefix() {
 return ROW_SUBMIT_PREFIX;
 }
+
+// From 
https://stackoverflow.com/questions/1806017/extracting-urls-from-a-text-document-using-java-regular-expressions/1806161#answer-1806161
+// If you need more Internet top-level domains: 
https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
+public static List extractUrls(String input) {
+List result = new ArrayList();
+
+Pattern pattern = Pattern.compile(
+"\\b(((ht|f)tp(s?)\\:\\/\\/|~\\/|\\/)|www.)" +
+"(\\w+:\\w+@)?(([-\\w]+\\.)+(com|org|net|gov" +
+"|mil|biz|info|mobi|name|aero|jobs|museum" +
+
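Review bot: `Pattern.compile(...)` runs on every call to `extractUrls`, and after this change `canonicalizeParameterMap` calls it once per whitespace-separated token of every string parameter on every request; hoist the pattern into a `private static final Pattern` (compiled patterns are immutable and thread-safe). The hunk is cut off after the start of the expression, but what is visible is a hard-coded TLD alternation (`com|org|net|gov|mil|biz|info|mobi|name|aero|jobs|museum|...`) copied from a Stack Overflow answer; that list is the part of such a pattern that goes stale, and it is the reason `extractUrls` and `UtilValidate.isUrl` can disagree on the same token, which the caller's `extractUrls(s).get(0)` does not tolerate. Either derive both decisions from one matcher, or add unit tests that pin the URL shapes this code now depends on: bare `http://`, `https://` and `ftp://` tokens, `www.` prefixes, URLs with surrounding text, and encoded paths such as `a%20link`.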

[ofbiz-framework] branch trunk updated (fe845e6 -> 4bab66e)

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


from fe845e6  Fixed: Show WorkEffort names in FindWorkEffort page (OFBIZ-12253)
 new a99cbb5  Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping.
 new 4bab66e  Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 53 +-
 .../org/apache/ofbiz/base/util/UtilValidate.java   | 13 ++
 .../template/macro/HtmlFormMacroLibrary.ftl|  4 +-
 3 files changed, 67 insertions(+), 3 deletions(-)


[ofbiz-framework] 02/02: Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit f0ee9218736fa98176d1712f62178b7359ccd6ab
Author: Jacques Le Roux 
AuthorDate: Wed Jun 9 10:57:51 2021 +0200

Fixed: Unexpected decoding of URL-encoded textarea data after submission (OFBIZ-12249)

When trying to add a note to a WorkEffort entity, I found that URL-encoded
characters are unescaped, which is not expected.

e.g.:
1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
2. Add a note with content: https://example.com/a%20link
3. After submission, it will turn out to be: https://example.com/a link

Thanks: Xin Wang for the report and the exchanges until the solution I provided

Conflicts:
  UtilHttp.java:
    removes unused OOTB checkURLforSpiders for simplification
    removes a number of cases in setResponseBrowserDefaultSecurityHeaders not present in R17
---
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 122 +
 .../org/apache/ofbiz/base/util/UtilValidate.java   |  15 ++-
 2 files changed, 68 insertions(+), 69 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index d489375..bee720f 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -76,10 +76,6 @@ import org.apache.ofbiz.webapp.control.ConfigXMLReader;
 import org.apache.ofbiz.webapp.control.SameSiteFilter;
 import org.apache.ofbiz.webapp.event.FileUploadProgressListener;
 import org.apache.ofbiz.widget.renderer.VisualTheme;
-import org.apache.oro.text.regex.MalformedPatternException;
-import org.apache.oro.text.regex.Pattern;
-import org.apache.oro.text.regex.PatternMatcher;
-import org.apache.oro.text.regex.Perl5Matcher;
 
 import com.ibm.icu.util.Calendar;
 
@@ -403,7 +399,30 @@ public final class UtilHttp {
 public static Map canonicalizeParameterMap(Map paramMap) {
 for (Map.Entry paramEntry: paramMap.entrySet()) {
 if (paramEntry.getValue() instanceof String) {
-paramEntry.setValue(canonicalizeParameter((String) 
paramEntry.getValue()));
+String paramEntries = (String) paramEntry.getValue();
+String[] stringValues = paramEntries.split(" ");
+String params = "";
+// Handles textareas, see OFBIZ-12249
+if (stringValues.length > 0) {
+for (String s : stringValues) {
+// if the string contains only an URL beginning by 
http or ftp => no change to keep special chars
+if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 
4 || s.indexOf("://") == 3)) {
+params = params + s + " " ;
+} else if (UtilValidate.isUrl(s) && !s.isEmpty()) {
+// if the string contains not only an URL => 
concatenate possible canonicalized before and after, w/o changing the URL
+String url = extractUrls(s).get(0); // THere 
should be only 1 URL in a block, makes no sense else
+int start = s.indexOf(url);
+String after = (String) s.subSequence(start + 
url.length(), s.length());
+params = params + canonicalizeParameter((String) 
s.subSequence(0, start)) + url + canonicalizeParameter(after) + " ";
+} else {
+// Simple string to canonicalize
+params = params + canonicalizeParameter(s) + " ";
+}
+}
+paramEntry.setValue(params.trim());
+} else {
+paramEntry.setValue(canonicalizeParameter(paramEntries));
+}
 } else if (paramEntry.getValue() instanceof Collection) {
 List newList = new LinkedList<>();
 for (String listEntry: 
UtilGenerics.checkCollection(paramEntry.getValue())) {
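Review bot: this change narrows the scope of canonicalization, and that should be stated both in the commit message and in a comment on the method: any whitespace-separated token that `UtilValidate.isValidUrl` accepts (scheme, host, path and query string included) now bypasses `canonicalizeParameter` entirely, and on the `isUrl` branch the extracted URL is passed through untouched while only the text before and after it is canonicalized. Canonicalization is the normalization step that later validation and escaping rely on, so consumers of these parameters can no longer assume a URL-shaped value is in canonical form; the output escaping added in the sibling FTL commit is what protects rendering, and anything that inspects these values server-side (redirect targets, allow-list checks, logging) has to do its own decoding. Two smaller points on the same lines: `paramEntries.split(" ")` splits on a single space only, so tabs and the newlines a textarea produces stay attached to the adjacent token, which is then unlikely to pass `isValidUrl` (`split("\\s+")` is closer to the intent, at the cost of collapsing runs of whitespace); and `params.trim()` discards leading and trailing whitespace that the original value carried, a behaviour change for every string parameter, not only textareas. Building `params` with a `StringBuilder` rather than repeated `+` is the idiomatic form for this loop.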
@@ -1138,7 +1157,7 @@ public final class UtilHttp {
 response.addHeader("Cache-Control", "post-check=0, pre-check=0, 
false");
 response.setHeader("Pragma", "no-cache"); // HTTP/1.0
 }
-
+
 public static void 
setResponseBrowserDefaultSecurityHeaders(HttpServletResponse resp, 
ConfigXMLReader.ViewMap viewMap) {
 // See 
https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers 
for details and how to test
 String xFrameOption = null;
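Review bot: the only change in this hunk is whitespace on the blank line between the cache-header method and `setResponseBrowserDefaultSecurityHeaders`, which is unrelated to OFBIZ-12249 and will surface as noise in `git blame` for the security-header code. Whitespace fixups belong in their own commit, or should at least be left out of a backport whose commit message already has to document conflict resolution.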
@@ -1167,31 +1186,15 @@ public final class UtilHttp {
 resp.addHeader("strict-transport-security", "max-age=31536000; 

[ofbiz-framework] branch release18.12 updated (bbb25da -> bb254ca)

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


from bbb25da  Fixed: Show WorkEffort names in FindWorkEffort page (OFBIZ-12253)
 new 0c5fc36  Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping.
 new bb254ca  Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 130 +++--
 .../org/apache/ofbiz/base/util/UtilValidate.java   |  15 ++-
 .../template/macro/HtmlFormMacroLibrary.ftl|   4 +-
 3 files changed, 84 insertions(+), 65 deletions(-)


[ofbiz-framework] branch release17.12 updated (858cd36 -> f0ee921)

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


from 858cd36  Fixed: Show WorkEffort names in FindWorkEffort page (OFBIZ-12253)
 new 725c854  Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomplete escaping.
 new f0ee921  Fixed: Unexpected decoding of url encoded textarea data after submission (OFBIZ-12249)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 122 +
 .../org/apache/ofbiz/base/util/UtilValidate.java   |  15 ++-
 .../common/template/macro/HtmlFormMacroLibrary.ftl |   4 +-
 3 files changed, 70 insertions(+), 71 deletions(-)


[ofbiz-framework] 01/02: Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254) If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable to XSS attack, because of incomp

2021-06-09 Thread jleroux
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 0c5fc36b594fe99a82a8236b06bdda9883367606
Author: Jacques Le Roux 
AuthorDate: Wed Jun 9 10:51:34 2021 +0200

Fixed: XSS vulnerability for ListWorkEfforts form (OFBIZ-12254)
If `sanitizer.enable` is turned off, the `ListWorkEfforts` form will be vulnerable to an XSS attack because of incomplete escaping.

Steps to reproduce:

1. Turn off `sanitizer.enable` in owasp.properties
2. Create a WorkEffort entity with name as `alert(1)`
3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort
4. Search for "Work Effort Name" which contains "script"

Thanks: Xin Wang
---
 themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl 
b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
index 0923033..b391727 100644
--- a/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
+++ b/themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
@@ -710,7 +710,7 @@ Parameter: delegatorName, String, optional - name of the 
delegator in context.
data-dialog-url="${linkUrl}"
 <#if text?has_content>data-dialog-title="${text}"
 <#if linkStyle?has_content>class="${linkStyle}">
-<#if description?has_content>${description}
+<#if description?has_content>${description?html}
 <#else>
 class="${linkStyle}"
   href="${linkUrl}"<#if targetWindow?has_content> 
target="${targetWindow}"
@@ -718,6 +718,6 @@ Parameter: delegatorName, String, optional - name of the 
delegator in context.
   <#if confirmation?has_content> 
data-confirm-message="${confirmation}"
   <#if id?has_content> id="${id}"
   <#if imgSrc?length == 0 && title?has_content> title="${title}">
-  <#if imgSrc?has_content>${description}
+  <#if imgSrc?has_content>${description?html}
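Review bot: the image branch `<#if imgSrc?has_content>${description?html}` receives the same fix as the text branch, but it arrives as a second hand-applied edit and ships without a test, which is the failure mode that produced this bug in the first place (one interpolation escaped, the next one missed). The commit message gives a concrete reproduction (a WorkEffort name containing a script tag, `sanitizer.enable` off), so a rendering test that feeds such a name through this macro and asserts the output contains `&lt;script` rather than `<script` would keep the next change to the macro from reintroducing it. `${confirmation}` in `data-confirm-message` and `${title}` two lines above are still emitted raw inside their attributes for the same reason as in the previous hunk and should get `?html` as well.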