OFBiz › OFBiz - Notifications

[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Nicolas Malin (Jira)

[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

[ https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17357899#comment-17357899 ]

Jacques Le Roux commented on OFBIZ-12249:
-----------------------------------------

Hi Wang,

I suggest this patch [^OFBIZ-12249.patch] It's a bit restrictive and would not work with your example because it uses Commons Validator {{UrlValidator.getInstance().isValid}} wich calls #isValidAuthority() checking that the domain is valid. I believe it's OK. In case where a fake URL would be needed (for test for instance) UtilValidate::isUrl can be used instead.

About XSS prevention, have a look at UtilCodec::checkStringForHtmlStrictNone and UtilCodec::checkStringForHtmlSafe, HTH

> Unexpected decoding of url encoded textarea data after submission
> ------------------------------------------------------------------
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Reporter: Xin Wang
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will turned to be: https://example.com/a link
>
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)