- Improvement
- Resolution: Fixed
- Neutral
- 2.2.5
- None
-
- Empty
- Yes
The form module HTML-escapes all inputs by default. In certain situations this is not desirable.
Most clearly in the password field: the stored password no longer matches the 1:1 input when it contains allowed characters that get escaped. This leads to problems when the password is also reused for other systems.
The customer also needs the input of other fields to be stored unchanged (see the linked support ticket). Example: the original value to store
Research & Development
becomes
Research &amp; Development
The problem is this line in the info.magnolia.module.form.templates.components.DefaultFormDataBinder#bindAndValidateFields method:
final String value = EscapeUtil.escapeXss(StringUtils.join(MgnlContext.getParameterValues(controlName), "__"));
Suggested solution:
All form fields should remain HTML-escaped by default to prevent XSS attacks,
but a configuration option on the form field should allow disabling the escaping for that specific field.
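As an added illustration (not Magnolia's own code), the following Java models the binding step in question: bindOriginal mirrors the unconditional escaping at the line quoted above, and bindWithOptOut implements the suggested per-field switch. FieldDefinition, escapeHtml, bindAll and the sample submission are assumptions made for this example; the escaper is a stand-in for EscapeUtil.escapeXss, whose exact character set is not shown on this page.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not Magnolia's code. bindOriginal() models the current
 * unconditional escaping in DefaultFormDataBinder; bindWithOptOut() models
 * the suggested per-field switch. escapeHtml() stands in for
 * EscapeUtil.escapeXss (assumption: it escapes &, <, >, " and ').
 */
public final class FormBindingExample {

    /** Hypothetical field definition carrying the proposed escapeHtml switch. */
    static final class FieldDefinition {
        final String controlName;
        final boolean escapeHtml;

        FieldDefinition(String controlName, boolean escapeHtml) {
            this.controlName = controlName;
            this.escapeHtml = escapeHtml;
        }
    }

    /** Minimal HTML escaper, used both at bind time and at render time. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Current behaviour: join the parameter values and escape unconditionally. */
    static String bindOriginal(String[] parameterValues) {
        return escapeHtml(String.join("__", parameterValues));
    }

    /** Suggested behaviour: escape by default, skip it when the field opts out. */
    static String bindWithOptOut(FieldDefinition field, String[] parameterValues) {
        String joined = String.join("__", parameterValues);
        return field.escapeHtml ? escapeHtml(joined) : joined;
    }

    /** Binds a whole submission and returns the values that would be written to JCR. */
    static Map<String, String> bindAll(List<FieldDefinition> fields, Map<String, String[]> request) {
        Map<String, String> stored = new LinkedHashMap<>();
        for (FieldDefinition field : fields) {
            String[] values = request.getOrDefault(field.controlName, new String[0]);
            stored.put(field.controlName, bindWithOptOut(field, values));
        }
        return stored;
    }

    public static void main(String[] args) {
        // Constructed submission: a plain-text field, a password and an XSS probe.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("department", new String[] {"Research & Development"});
        request.put("password", new String[] {"s3cret&<go>"});
        request.put("comment", new String[] {"<script>alert(1)</script>"});

        List<FieldDefinition> fields = List.of(
                new FieldDefinition("department", false), // customer wants the raw value
                new FieldDefinition("password", false),   // must round-trip 1:1
                new FieldDefinition("comment", true));    // default: escaped

        System.out.println("Unconditional escaping (current):");
        for (String name : request.keySet()) {
            System.out.println("  " + name + " -> " + bindOriginal(request.get(name)));
        }

        System.out.println("Per-field opt-out (suggested):");
        Map<String, String> stored = bindAll(fields, request);
        stored.forEach((name, value) -> System.out.println("  " + name + " -> " + value));

        // Caveat: a field that opts out carries no protection of its own, so every
        // place that renders it into HTML (confirmation page, notification mail,
        // admin UI) must encode it at output time.
        System.out.println("Rendered department: " + escapeHtml(stored.get("department")));
        // A value that was already escaped at bind time is double-encoded if the
        // rendering layer (correctly) escapes it again.
        System.out.println("Rendered escaped comment: " + escapeHtml(stored.get("comment")));
    }
}
```

The last two lines in main show why the opt-out needs care: storage-time escaping and output-time encoding are different layers. A field that opts out is only safe if every renderer encodes it, and a field that does not opt out will show `&amp;amp;` wherever a renderer encodes it a second time.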
- is causing: MGNLFORM-267 Form templates created by yaml don't work (Closed)
- is depended upon by: MGNLPUR-142 Password inputs should not be escaped or encoded (Closed)
- is duplicated by: MGNLFORM-243 HTML is escaped in form fields resulting in HTML characters in passwords (and other fields) ending up in JCR in their escaped form (Closed)