Magnolia Form Module / MGNLFORM-278

XSS escaping breaks plain text email readability


    • Type: Bug
    • Resolution: Fixed
    • Priority: Neutral
    • 2.3.5
    • 2.3.2
    • Sprint: Saigon 34
    • 8

      DefaultFormDataBinder uses XSS escaping to transform form values. This is fine for HTML email but not for plain text email, because the HTML entities are never decoded there and end up in the message as-is.
      You can easily reproduce this problem with the travel demo contact page by using quotes (single or double) in the subject or message field.
      I had to release, so I fixed this by overriding the sendMail method in both SendContactEMailProcessor and SendConfirmationEMailProcessor with the following code.

      // Body of the overridden sendMail(...): plain text mails are not rendered as HTML,
      // so the entities added by DefaultFormDataBinder have to be decoded again.
      // HTML mails are left untouched so they keep their escaping.
      if ("text".equals(contentType)) {
          for (final String key : parameters.keySet()) {
              final Object value = parameters.get(key);
              if (value instanceof String) {
                  // replacing a value for an existing key is safe while iterating keySet()
                  parameters.put(key, EscapeUtil.unescapeXss((String) value));
              }
          }
      }
      super.sendMail(body, from, subject, to, contentType, parameters);


      At least the code snippet could be put in AbstractEMailFormProcessor, unless there's a better way to do so.
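      As an added, stand-alone illustration (not code from the form module or from this issue), the class below mirrors the override above: the escapeXss/unescapeXss helpers are simplified stand-ins for Magnolia's EscapeUtil, the form values are constructed, and entities are decoded only when the content type is "text" so the HTML mail keeps its protection against markup injected through the form.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class PlainTextMailEscapingDemo {

    // Stand-in for EscapeUtil.escapeXss (assumption: the real method may cover a different set).
    static String escapeXss(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Inverse of escapeXss above; "&amp;" is decoded last so input the user typed as
    // a literal entity (stored as "&amp;amp;") is not decoded twice.
    static String unescapeXss(String s) {
        return s.replace("&#39;", "'").replace("&quot;", "\"").replace("&gt;", ">")
                .replace("&lt;", "<").replace("&amp;", "&");
    }

    // Same rule as the reporter's override: decode only for plain text mails and leave
    // the escaped values alone for HTML, where decoding would reintroduce injected markup.
    static Map<String, Object> prepareParameters(String contentType, Map<String, Object> escaped) {
        if (!"text".equals(contentType)) {
            return escaped;
        }
        Map<String, Object> plain = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : escaped.entrySet()) {
            Object v = e.getValue();
            plain.put(e.getKey(), v instanceof String ? unescapeXss((String) v) : v);
        }
        return plain;
    }

    public static void main(String[] args) {
        // Constructed form input, stored the way the binder would after escaping it.
        Map<String, Object> escaped = new LinkedHashMap<>();
        escaped.put("subject", escapeXss("Room \"Deluxe\" - isn't it available?"));
        escaped.put("message", escapeXss("<b>Hi</b> & thanks"));

        for (String contentType : new String[] {"html", "text"}) {
            Map<String, Object> p = prepareParameters(contentType, escaped);
            System.out.println(contentType + " subject: " + p.get("subject"));
            System.out.println(contentType + " message: " + p.get("message"));
        }
    }
}
```

      The "html" lines keep the entities (quotes and the bold tag stay inert), while the "text" lines show the readable subject and message the reporter expected in the plain text mail.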

        People: oanh.thai Oanh Thai Hoang, vgombert Vincent Gombert
        Votes: 0
        Watchers: 2
        Time tracking: Original Estimate 5d, Time Spent 1d 7.75h, Remaining Estimate 3d 0.25h