Loading...

XML

Word

Printable

Type: Bug
Resolution: Outdated
Priority: Major
Fix Version/s: None
Affects Version/s: 4.3.6
Component/s: admininterface
Labels:
None

Template:
Acceptance criteria:

Empty

show more show less
Task DoD:

show more show less
Bug DoR:

show more show less

To reproduce this incorrect behaviour:

Choose any textual / HTML property in AdminCentral.
Double-click on its value.
If it does not contain any HTML yet, put some tag (like '<i>...</i>') around a word.
Either click on some other entry or press the Enter key to store the new value.

Result: The new value will be rendered as HTML, e.g. the <i>word</i> will be italicized. (This is a mild case of cross-site scripting / XSS.)

Expected: The new value should be shown as plain text.

Possible reason: The value is not HTML escaped at some point or is escaped at the wrong point.

Acceptance criteria

caused by

MAGNOLIA-3205 Full name column in user tree renders full html

Closed

is related to

MAGNOLIA-1897 HTML Tags in Page Titles Should Be Escaped in Admin Interface

Closed

Assignee:: Philipp Bärfuss

Reporter:: Felix Rabe

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 05/Oct/10 4:16 PM

Updated:: 04/Aug/15 10:54 AM

Resolved:: 04/Aug/15 10:54 AM

Date of First Response:: 04/Aug/15 10:54 AM

Bug DoR

Task DoD