OFBiz OFBiz - Notifications

[jira] [Comment Edited] (OFBIZ-10356) display of entities in text input field

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Nicolas Malin (Jira)
Reply | Threaded
Open this post in threaded view
|

[jira] [Comment Edited] (OFBIZ-10356) display of entities in text input field

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-10356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16446622#comment-16446622 ]

Swapnil M Mane edited comment on OFBIZ-10356 at 4/21/18 4:09 AM:
-----------------------------------------------------------------

Thanks [~rmallah] for reporting this issue.

Hi team,

Special character in the product name is shown due to HTML escaping in the code.

ofbiz/applications/product/template/product/EditProductContent.ftl at line 48
{code:java}
<input type="text" name="productName" value="${(product.productName?html)!}" size="30" maxlength="60"/>
{code}
This change was intentional, done by [~jacques.le.roux] many years ago at [r490268|https://lists.apache.org/thread.html/3a9cf63564e4a29eff76b70cba4933ac846cb08f92648b021cb61726@1167115681@%3Ccommits.ofbiz.apache.org%3E] to fix an issue.
 I guess this change was done to protect from Script Injection Attacks.

IMO, trusted authorized users have permission to change the product attributes (here name), so I think we can remove the Auto-escaping of HTML, i.e.
{code:java}
<input type="text" name="productName" value="${(product.productName)!}" size="30" maxlength="60"/>
{code}
I would like to know the community thoughts on removing HTML escaping from this code, thank you!


was (Author: swapnilmmane):
Thanks [~rmallah] for reporting this issue.

Hi team,

Special character in the product name is shown due to HTML escaping in the code.

ofbiz/applications/product/template/product/EditProductContent.ftl at line 48
{code:java}
<input type="text" name="productName" value="${(product.productName?html)!}" size="30" maxlength="60"/>
{code}
This change was intentional, done by Jacques many years ago at [r490268|https://lists.apache.org/thread.html/3a9cf63564e4a29eff76b70cba4933ac846cb08f92648b021cb61726@1167115681@%3Ccommits.ofbiz.apache.org%3E] to fix an issue.
 I guess this change was done to protect from Script Injection Attacks.

IMO, trusted authorized users have permission to change the product attributes (here name), so I think we can remove the Auto-escaping of HTML, i.e.
{code:java}
<input type="text" name="productName" value="${(product.productName)!}" size="30" maxlength="60"/>
{code}
I would like to know the community thoughts on removing HTML escaping from this code, thank you!

> display of entities in text input field
> ---------------------------------------
>
>                 Key: OFBIZ-10356
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10356
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: product
>            Reporter: Rajesh Kumar Mallah
>            Assignee: Swapnil M Mane
>            Priority: Minor
>
>  
> In the url:
> [https://demo-stable.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1006-1]
>  
> the "Product Name" under "Override Simple Fields" is unnecessarily
> expressed in entity format . The string displayed in product name
> field is: "Open Gizmo &#x28;LGPL&#x29;"  it could have been a
> simple "Open Gizmo (LGPL)"
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Free forum by Nabble Edit this page