[MAGNOLIA-5624] UTF-8 characters are converted to html entities and escaped so they don't show correctly

Created: 17/Dec/13 | Updated: 24/Jun/14 | Resolved: 22/Jan/14

| Status: | Closed |
| Project: | Magnolia |
| Component/s: | core |
| Affects Version/s: | None |
| Fix Version/s: | 5.2.2 |
| Type: | Bug |
| Priority: | Major |
| Reporter: | Jan Haderka |
| Assignee: | Federico Grilli |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | support |
| Remaining Estimate: | 0d |
| Time Spent: | 10m |
| Original Estimate: | Not Specified |
Description

Create external link and set title to something w/ national chars e.g. "über". As a result, über will be rendered instead.
Comments

Comment by Federico Grilli [14/Jan/14]

Problem is that the property is wrapped in an HTMLEscapingPropertyWrapper, which uses HTMLEscapingContentDecorator. The latter uses StringEscapeUtils.escapeHtml(..) to decorate the property, which "supports all known HTML 4.0 entities, including funky accents." In our case what we need is simply to escape a few characters in order to prevent XSS attacks; see rule #1 at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules
Comment by Federico Grilli [15/Jan/14]

Had to use a custom escape method because it looks like there's no lib around doing what we want, apart from Spring's HtmlUtils (and I didn't want to introduce a dep on Spring in core, of course).
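As an added illustration of the approach described in the two comments above (this is example code written for this page, not Magnolia's own escape method or the fix that was committed), the following Java class escapes only the handful of characters that can break out of HTML element content or a quoted attribute value and copies every other code point through unchanged, so a title such as "über" survives while markup is neutralised. The class name and the exact replacement set, taken from OWASP rule #1 as it read at the time (& < > " ' /), are assumptions of this example.

```java
// Added example, not Magnolia code: a minimal escaper in the spirit of OWASP
// XSS Prevention rule #1. Only the characters that matter for breaking out of
// an HTML text node or a quoted attribute are replaced; every other character,
// including non-ASCII such as "ü", is passed through as-is.
import java.util.LinkedHashMap;
import java.util.Map;

public final class MinimalHtmlEscaper {

    // Replacement table; character set assumed from OWASP rule #1: & < > " ' /
    private static final Map<Character, String> REPLACEMENTS = new LinkedHashMap<>();
    static {
        REPLACEMENTS.put('&', "&amp;");   // must be first conceptually: never re-escape output
        REPLACEMENTS.put('<', "&lt;");
        REPLACEMENTS.put('>', "&gt;");
        REPLACEMENTS.put('"', "&quot;");
        REPLACEMENTS.put('\'', "&#x27;"); // &apos; is not HTML 4, so use the numeric form
        REPLACEMENTS.put('/', "&#x2F;");  // closes tags like </script>; escaped defensively
    }

    private MinimalHtmlEscaper() {
    }

    /**
     * Escapes only the characters in REPLACEMENTS. Unlike an "all HTML 4.0
     * entities" escaper, accented and other non-ASCII characters are returned
     * unchanged. A null input is returned as null.
     */
    public static String escape(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            String replacement = REPLACEMENTS.get(c);
            if (replacement == null) {
                // Not a dangerous character: copy it verbatim. Surrogate pairs
                // are copied one char unit at a time, so they stay intact.
                out.append(c);
            } else {
                out.append(replacement);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample titles: the one from the bug report, an accented
        // title with characters that do need escaping, and an injection probe.
        String[] samples = {
            "über",
            "Résumé & \"notes\"",
            "<script>alert('x')</script>",
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + escape(s));
        }
    }
}
```

Run as a plain `java MinimalHtmlEscaper` (no dependencies). The first sample is returned unchanged, which is the behaviour the bug asks for; the second has only `&` and the quotes replaced; the third has every `<`, `>`, `'` and `/` replaced so it can no longer be parsed as a tag. By contrast, an escaper that emits named entities for "all known HTML 4.0 entities, including funky accents" turns the umlaut itself into an entity, which is what this issue reports.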
Comment by Roman Kovařík [22/Jan/14]

Would it be possible to move the escaping function to info.magnolia.util.EscapeUtil so we would keep escaping functions in one place?