Magnolia Form Module: MGNLFORM-243

HTML is escaped in form fields resulting in HTML characters in passwords (and other fields) ending up in JCR in their escaped form


Details

    • Type: Improvement
    • Resolution: Duplicate
    • Priority: Neutral

    Description

      A customer who looked deep into the Form module validation and field value submission raised this topic (SUPPORT-3873):

      1. Since, to prevent XSS attacks in the form module, all inputs are HTML escaped,
      a similar approach should also be considered within the AdminCentral forms. In the AdminCentral all form fields are open to XSS attacks.
      It would be favorable if the solution used were aligned with/comparable to the (new) implementation used in the form module.

      2. Which leads to the second point:
      He suggests rethinking the XSS HTML escaping implementation currently used in the form module. It might not be the best way to prevent such attacks.

      As this topic involves two modules, I created it here in the UI section (point 1 seems more important).
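The title of this issue and point 2 above describe the same defect: escaping HTML at submission time changes the stored value, so a password containing `&`, `<`, `>` or `"` is persisted in its escaped form and no longer matches what the user typed, while any view that also escapes on output double-encodes the text. The following is an added illustration written for this page, not code from the Magnolia Form module; it uses Python's standard library rather than the module's Java/JCR API, and the field names and sample submission are constructed for the example. It contrasts escape-on-input with storing the raw value and applying output encoding at render time, which is the approach the customer is asking to be reconsidered.

```python
import hmac
import html

# Constructed sample submission: what a browser would POST to a form with a
# comment field and a password field. Not taken from the Magnolia code base.
SUBMISSION = {
    "username": "alice",
    "comment": '<b>"Hi" & bye</b>',
    "password": 'p&ss<word>"',
}


def store_escaped_on_input(submission):
    """Escape-on-input: every submitted value is HTML-escaped before it is
    persisted (the pattern this issue describes). The stored password is no
    longer the string the user typed."""
    return {name: html.escape(value, quote=True) for name, value in submission.items()}


def store_raw(submission):
    """Store the submitted value unchanged; encoding is deferred to output."""
    return dict(submission)


def render_field(label, value):
    """Output encoding: escape at the moment the value is placed into HTML,
    whatever form it was stored in. This is where XSS is actually prevented."""
    return f"<li>{html.escape(label, quote=True)}: {html.escape(value, quote=True)}</li>"


def password_matches(stored, presented):
    """Constant-time comparison of a stored password with a login attempt."""
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))


def fields_changed_by_input_escaping(submission):
    """Names of the fields whose persisted value differs from what was typed."""
    escaped = store_escaped_on_input(submission)
    return sorted(name for name in submission if escaped[name] != submission[name])


if __name__ == "__main__":
    escaped_store = store_escaped_on_input(SUBMISSION)
    raw_store = store_raw(SUBMISSION)
    print("fields altered by escape-on-input:", fields_changed_by_input_escaping(SUBMISSION))
    # The escaped store rejects the password the user actually typed.
    print("login against escaped store:", password_matches(escaped_store["password"], SUBMISSION["password"]))
    print("login against raw store:    ", password_matches(raw_store["password"], SUBMISSION["password"]))
    # Rendering the escaped store through an escaping view double-encodes (&amp;lt; ...).
    print("render from escaped store:", render_field("comment", escaped_store["comment"]))
    # The raw store rendered with output encoding is safe and faithful.
    print("render from raw store:    ", render_field("comment", raw_store["comment"]))
```

Running the script shows `comment` and `password` both altered by escape-on-input, the login check failing against the escaped store but succeeding against the raw one, and the `<script>`-style markup in the comment neutralised purely by `render_field`. The same separation applies to password hashing: if a value is escaped before it is hashed, the hash covers `p&amp;ss...` rather than the real password, so a later comparison that hashes the raw input will never match.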

              People

                fgrilli Federico Grilli
                cringele Christian Ringele