[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission


Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17358120#comment-17358120 ]

Xin Wang commented on OFBIZ-12249:
----------------------------------

Hi Jacques,

It seems that the following example will be rejected by this new patch:
{quote}blah blah blah ... (see [http://example.com/a%20link]) ...
{quote}
I think that for free-form text input widgets, it is really hard to guess what kind of text will be submitted. What we can do is output encoding, instead of input sanitization.

> Unexpected decoding of url encoded textarea data after submission
> ------------------------------------------------------------------
>
>                 Key: OFBIZ-12249
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12249
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: Trunk
>            Reporter: Xin Wang
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-12249.patch
>
>
> When trying to add a note to the WorkEffort entity, I found that URL-encoded characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it turns into: https://example.com/a link
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
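The distinction Xin Wang draws above (store free-form text as submitted, encode at output) is easy to see side by side. The following is an added example, not OFBiz code and not from the patch on the ticket; it is written in Python rather than OFBiz's Java for brevity, and the three sample notes are constructed here, not taken from the demo server. The hypothetical handler decode_on_input mimics the behaviour reported in the ticket: a server-side URL-decode of a textarea field, which both mangles a legitimate "%20" and, if it ever runs twice, turns a double-encoded payload into live markup. store_verbatim plus render_html shows the alternative: keep the bytes the user typed and HTML-escape them when they are rendered.

```python
from html import escape
from urllib.parse import unquote


def decode_on_input(submitted: str) -> str:
    """Hypothetical handler that URL-decodes a free-form form field on receipt.

    This reproduces the behaviour described in the ticket: percent sequences
    typed by the user are consumed by the server, so the stored note no longer
    matches what was submitted ("a%20link" becomes "a link").
    """
    return unquote(submitted)


def store_verbatim(submitted: str) -> str:
    """Store the free-form text exactly as submitted: no input sanitization."""
    return submitted


def render_html(stored: str) -> str:
    """Output encoding: HTML-escape at the point of rendering.

    escape(..., quote=True) rewrites &, <, >, " and ', so whatever the note
    contains is shown as literal characters inside an HTML text node or a
    quoted attribute value. Nothing is lost and nothing becomes markup.
    """
    return escape(stored, quote=True)


# Constructed sample notes (not from the ticket's demo instance).
# 1. The legitimate case from the thread: a URL with an encoded space.
NOTE_WITH_ENCODED_URL = "blah blah blah ... (see http://example.com/a%20link) ..."
# 2. A double-encoded payload. Harmless if stored as-is; one server-side
#    decode turns %253C into %3C, a second one yields '<'.
NOTE_DOUBLE_ENCODED = "%253Cscript%253Ealert(1)%253C/script%253E"
# 3. Raw markup, the case output encoding is actually there to handle.
NOTE_WITH_MARKUP = '<b onmouseover="alert(1)">bold</b>'


def compare(submitted: str) -> dict:
    """Return what each strategy stores and what the escaped output looks like."""
    return {
        "submitted": submitted,
        "decoded_on_input": decode_on_input(submitted),
        # The double-decode case: what a second decoding pass would produce.
        "decoded_twice": decode_on_input(decode_on_input(submitted)),
        "stored_verbatim": store_verbatim(submitted),
        "rendered": render_html(store_verbatim(submitted)),
    }


if __name__ == "__main__":
    for note in (NOTE_WITH_ENCODED_URL, NOTE_DOUBLE_ENCODED, NOTE_WITH_MARKUP):
        for key, value in compare(note).items():
            print(f"{key:>17}: {value}")
        print()
```

Run it and the first note shows the reported bug (the stored text differs from what was typed); the second shows why decoding on input is also a filter-bypass risk rather than a defence; the third shows that escaping at render time is what actually neutralises markup, with the stored value still intact. The same holds for any free-form field: decoding belongs to the layer that understands the data (the URL parser, when a value is used as a URL), and encoding belongs to the layer that emits it (HTML, JavaScript, SQL), never to the textarea round trip.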

Re: [jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

kalyl
The example provided is a free-form text input containing a URL encoded with URL encoding (%20 for space). Xin Wang suggests that for free-form text input widgets, it is difficult to predict the exact content that will be submitted. Instead of input sanitization, they propose output encoding to address the issue.