Magnolia / MAGNOLIA-3308

HTML rendered / not escaped when entered in AdminCentral


Details

    • Type: Bug
    • Resolution: Outdated
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 4.3.6
    • Component/s: admininterface
    • Labels: None

    Description

      To reproduce this incorrect behaviour:

      • Choose any textual / HTML property in AdminCentral.
      • Double-click on its value.
      • If it does not contain any HTML yet, put some tag (like '<i>...</i>') around a word.
      • Either click on some other entry or press the Enter key to store the new value.

      Result: The new value will be rendered as HTML, e.g. the <i>word</i> will be italicized. (This is a mild case of cross-site scripting / XSS.)

      Expected: The new value should be shown as plain text.

      Possible reason: The value is not HTML escaped at some point or is escaped at the wrong point.
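      The following is an added illustration, not Magnolia's own AdminCentral code: it models the three ways a stored property value can reach the tree cell that the steps above describe. `renderCellUnescaped` reproduces the reported behaviour (the raw value is concatenated into markup, so `<i>word</i>` is interpreted by the browser), `renderCellEscaped` escapes once at output time, and `storePropertyEscapedOnInput` shows the "escaped at the wrong point" case, where escaping on input and again on output double-encodes the value. The `mgnlTreeCell` class name, the function names and the in-memory `repo` object are assumptions made for the example.

```javascript
// Added example (not Magnolia code): where HTML escaping of a property value belongs.
// Assumed names: escapeHtml, storeProperty, renderCell*, the "mgnlTreeCell" class and
// the in-memory repo object all exist only for this illustration.

// Minimal HTML escaper for the five characters that matter in text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Simulated repository: stores exactly what the editor submitted (the correct thing to persist).
function storeProperty(repo, name, value) {
  repo[name] = value;
  return repo[name];
}

// Wrong-point variant: escaping on input means the stored value is already entity-encoded,
// so an output-time escape will encode it a second time.
function storePropertyEscapedOnInput(repo, name, value) {
  repo[name] = escapeHtml(value);
  return repo[name];
}

// Buggy renderer (the behaviour this issue reports): the raw value is dropped into markup,
// so a stored '<i>word</i>' is rendered as italics instead of being shown literally.
function renderCellUnescaped(value) {
  return `<td class="mgnlTreeCell">${value}</td>`;
}

// Fixed renderer: escape exactly once, at the point where the value becomes HTML.
function renderCellEscaped(value) {
  return `<td class="mgnlTreeCell">${escapeHtml(value)}</td>`;
}

// True if the cell content still contains something the browser would parse as a tag.
function containsRawMarkup(cellHtml) {
  const inner = cellHtml.replace(/^<td[^>]*>/, '').replace(/<\/td>$/, '');
  return /<[a-zA-Z/]/.test(inner);
}

// Runs one value through all three paths and returns the resulting cell markup.
function demo(value) {
  const rawRepo = {};
  storeProperty(rawRepo, 'title', value);
  const inputEscapedRepo = {};
  storePropertyEscapedOnInput(inputEscapedRepo, 'title', value);
  return {
    stored: rawRepo.title,
    unescaped: renderCellUnescaped(rawRepo.title),       // bug: markup is live
    escaped: renderCellEscaped(rawRepo.title),           // fix: shown as plain text
    doubleEscaped: renderCellEscaped(inputEscapedRepo.title), // wrong point: user sees '&lt;i&gt;'
  };
}

// Constructed input, as in the reproduction steps: a tag wrapped around one word.
const result = demo('some <i>word</i> here');
console.log(result);
```

      The escaped variant is the one that matches the expected behaviour ("shown as plain text"); the double-escaped variant is what a reader gets once someone "fixes" the bug by escaping on save instead of on render.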

      People

        Assignee: Philipp Bärfuss (pbaerfuss)
        Reporter: Felix Rabe (frabe)
        Votes: 0
        Watchers: 1
