[MAGNOLIA-5624] UTF-8 characters are converted to html entities and escaped so they don't show correctly Created: 17/Dec/13  Updated: 24/Jun/14  Resolved: 22/Jan/14

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: None
Fix Version/s: 5.2.2

Type: Bug Priority: Major
Reporter: Jan Haderka Assignee: Federico Grilli
Resolution: Fixed Votes: 0
Labels: support
Remaining Estimate: 0d
Time Spent: 10m
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MAGNOLIA-5820 CLONE - UTF-8 characters are converte... Closed
causality
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

Description

Create external link and set title to something w/ national chars e.g. "über". As a result, &uumlber will be rendered instead.



Comments
Comment by Federico Grilli [ 14/Jan/14 ]

Problem is that the property is wrapped into a HTMLEscapingPropertyWrapper which uses HTMLEscapingContentDecorator. The latter uses StringEscapeUtils.escapeHtml(..) to decorate the property which "supports all known HTML 4.0 entities, including funky accents." In our case what we need is simply to escape a few characters in order to prevent XSS attacks; see rule #1 at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules

Comment by Federico Grilli [ 15/Jan/14 ]

Had to use a custom escape method because it looks like there's no lib around doing what we want, apart from Spring's HtmlUtils (and I didn't want to introduce a dep on Spring in core, of course).

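The two comments above (14/Jan/14 and 15/Jan/14) describe the fix only in words: replace an escaper that turns every accented character into a named entity with one that escapes just the handful of characters OWASP rule #1 lists. The class below is an added illustration of that approach; it is not Magnolia's code, not the custom method Federico Grilli committed, and not Spring's HtmlUtils. The class name `MinimalHtmlEscaper` and the sample inputs are assumptions made for this example.

```java
// Added example, not Magnolia's own code: a minimal HTML escaper following
// OWASP XSS Prevention Rule #1. It escapes only &, <, >, ", ' and /, and
// passes every other character (UTF-8 accents such as "ü" included) through
// untouched, so no entity is produced that a second escaping pass could
// mangle. Class name and sample inputs are assumptions for this illustration.
public final class MinimalHtmlEscaper {

    private MinimalHtmlEscaper() {
        // utility class, no instances
    }

    /** Escapes the six rule-#1 characters for an HTML body context; returns null for null. */
    public static String escape(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);        // everything else, including non-ASCII, is kept
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String accentedTitle = "über";
        String hostileTitle = "<script>alert('x')</script>";
        String entityEncodedTitle = "&uuml;ber"; // what an entity-emitting escaper makes of "über"

        // The accented title is returned unchanged: "ü" is not an HTML metacharacter.
        System.out.println(escape(accentedTitle));

        // The hostile title has its markup characters neutralised.
        System.out.println(escape(hostileTitle));

        // The bug in the issue: if an upstream escaper has already produced a named
        // entity, escaping that output again turns its '&' into "&amp;", and the
        // browser then displays the literal entity text instead of the character.
        System.out.println(escape(entityEncodedTitle));
    }
}
```

With this escaper `escape("über")` returns `"über"`, while `escape("<script>alert('x')</script>")` returns `"&lt;script&gt;alert(&#x27;x&#x27;)&lt;&#x2F;script&gt;"`. The last call in `main` shows the failure mode from the description: once a first pass has emitted `&uuml;`, a second pass yields `&amp;uuml;ber`, which is exactly the garbled title the reporter saw. Keeping only one escaping step, and making that step leave non-ASCII alone, removes both the mojibake and the XSS risk.
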
Comment by Roman Kovařík [ 22/Jan/14 ]

Would it be possible to move escaping function to info.magnolia.util.EscapeUtil so we would keep escaping functions in one place?

Generated at Mon Feb 12 04:06:51 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.