[ https://issues.apache.org/jira/browse/OFBIZ-5847?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14298110#comment-14298110 ]
Leon commented on OFBIZ-5847:
-----------------------------
Hi, Jacques,
I have tested it with the new ESAPI (2.1), but the problem still occurs.
It seems ESAPI treats an HTML entity without a trailing semicolon the same as one with it.
See
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/org/owasp/esapi/reference/DefaultEncoder.html#canonicalize(java.lang.String (it is the doc for 1.4.4; however, the related source has not changed much in the new release). There is a note like: "Note that all of these formats may possibly render properly in a browser without the trailing semicolon."
> If define the & and combine with "part" that encode to ∂
> ------------------------------------------------------------
>
> Key: OFBIZ-5847
> URL: https://issues.apache.org/jira/browse/OFBIZ-5847
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS
> Affects Versions: Trunk
> Reporter: Supachai Chaima-ngua
> Assignee: Nicolas Malin
> Labels: encode, url
> Fix For: Trunk, 12.04.06, 13.07.02
>
> Attachments: OFBIZ-5847.patch, OFBiz WorkEffort Manager Calendar.png
>
>
> XML widget problems: If define the & and combine with "part" that encode to ∂
> Example >>>
> BEFORE: viewprofile?status=Y&partyId=Demo
> AFTER: viewprofile?status=Y∂yId=Demo
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
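Added example (Python, not OFBiz or ESAPI code) reproducing the behaviour Leon describes: a lenient decoder that accepts a named entity without its trailing semicolon turns `&partyId` into `∂yId`, a strict decoder leaves the query string intact, and splitting the query on `&` before canonicalizing each value avoids the problem entirely. The entity table is Python's standard `html.entities.name2codepoint`; the function names are assumptions of this example.

```python
from html.entities import name2codepoint  # HTML 4 table: "part" -> U+2202 (the partial-differential sign)
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl


def _longest_named_entity(s: str, i: int) -> Optional[Tuple[str, int]]:
    """Longest known entity name starting at s[i], as (decoded text, index after the name).

    Longest-prefix matching is what makes "&partyId" resolve to the entity "part"
    followed by the literal text "yId".
    """
    best = None
    j = i
    while j < len(s) and s[j].isalnum() and j - i < 32:
        j += 1
        name = s[i:j]
        if name in name2codepoint:
            best = (chr(name2codepoint[name]), j)
    return best


def decode_entities(s: str, require_semicolon: bool) -> str:
    """Decode named HTML entities in s (numeric entities are not handled here).

    require_semicolon=False is the lenient rule from the comment: "&part" is decoded
    even with no ";" after it, so "status=Y&partyId=Demo" becomes "status=Y∂yId=Demo".
    require_semicolon=True only decodes "&name;", so a query string survives untouched.
    """
    out = []
    i = 0
    while i < len(s):
        if s[i] != "&":
            out.append(s[i])
            i += 1
            continue
        match = _longest_named_entity(s, i + 1)
        if match is None:  # "&" followed by no known entity name: keep it literally
            out.append("&")
            i += 1
            continue
        text, end = match
        if end < len(s) and s[end] == ";":   # proper "&name;" form
            out.append(text)
            i = end + 1
        elif not require_semicolon:           # lenient: swallow the bare name
            out.append(text)
            i = end
        else:                                 # strict: bare "&" stays a delimiter
            out.append("&")
            i += 1
    return "".join(out)


def canonicalize_query_values(query: str) -> Dict[str, str]:
    """Mitigation: split on "&" first, then canonicalize each value, so the delimiter is never eaten."""
    return {k: decode_entities(v, require_semicolon=False)
            for k, v in parse_qsl(query, keep_blank_values=True)}
```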