[ https://issues.apache.org/jira/browse/OFBIZ-10356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16446622#comment-16446622 ]
Swapnil M Mane edited comment on OFBIZ-10356 at 4/21/18 4:09 AM:
-----------------------------------------------------------------

Thanks [~rmallah] for reporting this issue.

Hi team,

The special characters in the product name are shown due to HTML escaping in the code, ofbiz/applications/product/template/product/EditProductContent.ftl at line 48:

{code:java}
<input type="text" name="productName" value="${(product.productName?html)!}" size="30" maxlength="60"/>
{code}

This change was intentional, done by [~jacques.le.roux] many years ago at [r490268|https://lists.apache.org/thread.html/3a9cf63564e4a29eff76b70cba4933ac846cb08f92648b021cb61726@1167115681@%3Ccommits.ofbiz.apache.org%3E] to fix an issue. I guess this change was done to protect from Script Injection Attacks.

IMO, trusted authorized users have permission to change the product attributes (here name), so I think we can remove the auto-escaping of HTML, i.e.

{code:java}
<input type="text" name="productName" value="${(product.productName)!}" size="30" maxlength="60"/>
{code}

I would like to know the community's thoughts on removing HTML escaping from this code, thank you!

was (Author: swapnilmmane):

Thanks [~rmallah] for reporting this issue.

Hi team,

The special characters in the product name are shown due to HTML escaping in the code, ofbiz/applications/product/template/product/EditProductContent.ftl at line 48:

{code:java}
<input type="text" name="productName" value="${(product.productName?html)!}" size="30" maxlength="60"/>
{code}

This change was intentional, done by Jacques many years ago at [r490268|https://lists.apache.org/thread.html/3a9cf63564e4a29eff76b70cba4933ac846cb08f92648b021cb61726@1167115681@%3Ccommits.ofbiz.apache.org%3E] to fix an issue. I guess this change was done to protect from Script Injection Attacks.

IMO, trusted authorized users have permission to change the product attributes (here name), so I think we can remove the auto-escaping of HTML, i.e.

{code:java}
<input type="text" name="productName" value="${(product.productName)!}" size="30" maxlength="60"/>
{code}

I would like to know the community's thoughts on removing HTML escaping from this code, thank you!

> display of entities in text input field
> ---------------------------------------
>
>                 Key: OFBIZ-10356
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10356
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: product
>            Reporter: Rajesh Kumar Mallah
>            Assignee: Swapnil M Mane
>            Priority: Minor
>
> In the url:
> [https://demo-stable.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1006-1]
>
> the "Product Name" under "Override Simple Fields" is unnecessarily
> expressed in entity format. The string displayed in product name
> field is: "Open Gizmo (LGPL)" it could have been a
> simple "Open Gizmo (LGPL)"

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
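The comment above weighs removing `?html` from the `value` attribute to stop entities showing in the field. The following is an added example, not OFBiz code and not part of the JIRA thread; it models in Python (OFBiz itself is Java/FreeMarker) what each choice does to the rendered `<input>`. The stored value `Open Gizmo &#40;LGPL&#41;` is an assumption about why the symptom appears (a name that reached storage already entity-encoded, so `?html` encodes the `&` a second time); the injected name is a constructed attacker input from a user with product-edit permission. The point it shows: dropping output escaping fixes the display but lets that user break out of the attribute, whereas decoding the stored entities once and then escaping once fixes the display and keeps the attribute intact.

```python
import html
from html.parser import HTMLParser

# Constructed sample values for the productName field (not taken from OFBiz data).
PLAIN_NAME = 'Open Gizmo (LGPL)'
# Assumed on-disk form behind the report: parentheses already stored as numeric entities.
STORED_ENCODED_NAME = 'Open Gizmo &#40;LGPL&#41;'
# Constructed attacker input: a product name chosen by a user who may edit products.
INJECTED_NAME = '" autofocus onfocus="alert(document.cookie)'

# Stand-in for line 48 of EditProductContent.ftl; {value} is where FreeMarker interpolates.
TEMPLATE = '<input type="text" name="productName" value="{value}" size="30" maxlength="60"/>'
EXPECTED_ATTRS = {'type', 'name', 'value', 'size', 'maxlength'}


def render_escaped(name):
    """Current template: ${(product.productName?html)!}, i.e. escape at output time."""
    return TEMPLATE.format(value=html.escape(name, quote=True))


def render_unescaped(name):
    """Proposed change: ${(product.productName)!}, raw interpolation into the attribute."""
    return TEMPLATE.format(value=name)


def render_normalized(name):
    """Alternative: decode entities that reached storage, then escape exactly once.

    Assumes the stored value was entity-encoded before it was saved; this undoes
    that single layer so the output escaping does not stack on top of it.
    """
    return TEMPLATE.format(value=html.escape(html.unescape(name), quote=True))


class _InputAttrs(HTMLParser):
    """Collect the attributes of the first <input> tag, as a browser would parse them."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: attribute values are entity-decoded once
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == 'input' and self.attrs is None:
            self.attrs = dict(attrs)


def parse_input(rendered):
    """Return the attribute dict a browser would build from the rendered tag."""
    parser = _InputAttrs()
    parser.feed(rendered)
    parser.close()
    return parser.attrs or {}


def displayed_value(rendered):
    """The text the user sees in the box: the value attribute after one entity decode."""
    return parse_input(rendered).get('value')


def attribute_is_intact(rendered):
    """True if the product name stayed inside value="..." and created no extra attributes."""
    return set(parse_input(rendered)) == EXPECTED_ATTRS


if __name__ == '__main__':
    for label, render in (('?html', render_escaped),
                          ('raw', render_unescaped),
                          ('decode+escape', render_normalized)):
        for name in (PLAIN_NAME, STORED_ENCODED_NAME, INJECTED_NAME):
            out = render(name)
            print(f'{label:14} shows {displayed_value(out)!r:50} '
                  f'attribute intact: {attribute_is_intact(out)}')
```

The `?html` row reproduces the reported symptom for the pre-encoded name (the box shows `&#40;` literally) while staying safe for the injected name; the raw row shows the clean name but turns the injected name into a live `onfocus` handler; the decode-then-escape row shows the clean name and keeps the injected name as inert text. Whether the decode step is the right fix depends on where the entities are being added on the way in, which the thread does not show.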