OFBiz › OFBiz - Notifications

[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

Nicolas Malin (Jira)

[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

[ https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17358279#comment-17358279 ]

Xin Wang commented on OFBIZ-12249:
----------------------------------

Hi Jacques,

Sorry that I post an invalid example, you can have a try with following one:

blah blah blah ... (http://example.com/a%20link) ...

BTW, if we do not call `canonicalizeParameter' for parts of the text, and without fully output encoding, it may open a security hole.

If we do output encoding completely, any text can be accepted, so my point is that we should accept any text user submitted for free-form text input widgets, and encode that properly before html rendering.

> Unexpected decoding of url encoded textarea data after submission
> ------------------------------------------------------------------
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Reporter: Xin Wang
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: Image 005.png, OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will turned to be: https://example.com/a link
>
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)