[
https://issues.apache.org/jira/browse/OFBIZ-10356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16446622#comment-16446622 ]
Swapnil M Mane commented on OFBIZ-10356:
----------------------------------------
Thanks [~rmallah] for reporting this issue.
Hi team,
Special character in the product name is shown due to HTML escaping in the code.
ofbiz/applications/product/template/product/EditProductContent.ftl at line 48
{code:java}
<input type="text" name="productName" value="${(product.productName?html)!}" size="30" maxlength="60"/>
{code}
This change was intentional, done by Jacques many years ago at [r490268|
https://lists.apache.org/thread.html/3a9cf63564e4a29eff76b70cba4933ac846cb08f92648b021cb61726@1167115681@%3Ccommits.ofbiz.apache.org%3E] to fix an issue.
I guess this change was done to protect from Script Injection Attacks.
IMO, trusted authorized users have permission to change the product attributes (here name), so I think we can remove the Auto-escaping of HTML, i.e.
{code:java}
<input type="text" name="productName" value="${(product.productName)!}" size="30" maxlength="60"/>
{code}
I would like to know the community thoughts on removing HTML escaping from this code, thank you!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Locked
