[MAGNOLIA-3308] HTML rendered / not escaped when entered in AdminCentral Created: 05/Oct/10  Updated: 04/Aug/15  Resolved: 04/Aug/15

Status: Closed
Project: Magnolia
Component/s: admininterface
Affects Version/s: 4.3.6
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Felix Rabe Assignee: Philipp Bärfuss
Resolution: Outdated Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
causality
caused by MAGNOLIA-3205 Full name column in user tree renders... Closed
relation
is related to MAGNOLIA-1897 HTML Tags in Page Titles Should Be Es... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

Description

To reproduce this incorrect behaviour:

  • Choose any textual / HTML property in AdminCentral.
  • Double-click on its value.
  • If it does not contain any HTML yet, put some tag (like '<i>...</i>') around a word.
  • Either click on some other entry or press the Enter key to store the new value.

Result: The new value will be rendered as HTML, e.g. the <i>word</i> will be italicized. (This is a mild case of cross-site scripting / XSS.)

Expected: The new value should be shown as plain text.

Possible reason: The value is not HTML escaped at some point or is escaped at the wrong point.



Comments
Comment by Felix Rabe [ 15/Oct/10 ]

Currently, if I change a value, it shows escaped as it should. If I double-click on the value and then press the Enter or Escape key without changing anything, it shows unescaped/rendered as I reported.

This is reproducible: change a value => it will be escaped; keep same value => it will not be escaped.
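
The two render paths this comment describes, modelled as an added example in plain JavaScript (not Magnolia's code and not the reporter's): the function names, the assumption that the unchanged-value path repaints the cell on the client without a server round-trip, and the sample values are all constructed for illustration. It shows why escaping has to happen at the single point where a property value is turned into markup, so that no code path can skip it.

```javascript
// Added example (not Magnolia's code). Assumptions: escapeHtml(), renderCellHtml()
// and commitEdit() are hypothetical stand-ins for whatever AdminCentral 4.3.6 did;
// the property values below are constructed sample input.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable pattern from the report: raw value concatenated into markup,
// so a value like '<i>word</i>' is rendered as italic text.
function renderCellHtmlUnescaped(value) {
  return '<span class="cell">' + value + '</span>';
}

// Hardened pattern: escape at the one place text becomes markup.
function renderCellHtml(value) {
  return '<span class="cell">' + escapeHtml(value) + '</span>';
}

// Simulates the behaviour the reporter observed: a changed value goes through
// the server and comes back escaped; an unchanged value (Enter/Escape with no
// edit) is painted back by the client-side editor. The bug is that the second
// path did not escape. escapeOnClientPath=true is the fix.
function commitEdit(originalValue, editedValue, { escapeOnClientPath }) {
  if (editedValue !== originalValue) {
    return { path: 'server', html: renderCellHtml(editedValue) };
  }
  return {
    path: 'client',
    html: escapeOnClientPath ? renderCellHtml(editedValue)
                             : renderCellHtmlUnescaped(editedValue),
  };
}

// Detection helper for a test: did any tag from the value survive as a real tag?
function containsRawTag(html) {
  const inner = html.replace(/^<span class="cell">/, '').replace(/<\/span>$/, '');
  return /<[a-zA-Z\/]/.test(inner);
}

// Stand-alone demonstration.
const sample = '<i>word</i>';
console.log('unchanged, buggy :', commitEdit(sample, sample, { escapeOnClientPath: false }).html);
console.log('unchanged, fixed :', commitEdit(sample, sample, { escapeOnClientPath: true }).html);
console.log('changed, server  :', commitEdit('word', sample, { escapeOnClientPath: false }).html);
```

In a real browser-side editor the equivalent fix is to assign the restored value with `textContent` (or `createTextNode`) rather than `innerHTML`, which removes the need to escape on that path at all; the point either way is that the decision "has the value changed?" must never decide whether escaping happens.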

Comment by Michael Mühlebach [ 04/Aug/15 ]

We're closing this issue as outdated as it was reported for 4.4.x or earlier versions which are no longer supported. Don't hesitate to reopen or create a new ticket in case this is still relevant and you experience it on 4.5.x or later versions.

Generated at Mon Feb 12 03:45:14 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.