[MGNLFORM-236] Html escaping of form fields should be configurable

Created: 11/Aug/14 Updated: 28/Jul/15 Resolved: 06/Oct/14
| Status: | Closed |
| Project: | Magnolia Form Module |
| Component/s: | None |
| Affects Version/s: | 2.2.5 |
| Fix Version/s: | 2.2.7 |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Christian Ringele | Assignee: | Milan Divilek |
| Resolution: | Fixed | Votes: | 3 |
| Labels: | support |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |

Task DoD:

[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)

| Release notes required: | Yes |
| Date of First Response: | |

Description
The form module HTML-escapes inputs by default. In certain situations this is not good. Also, the customer needs to store inputs from other fields unchanged (see linked support ticket).

Example, with the original value to store:

Research & Development becomes Research &amp; Development

The problem is this line in the info.magnolia.module.form.templates.components.DefaultFormDataBinder#bindAndValidateFields method:

    final String value = EscapeUtil.escapeXss(StringUtils.join(MgnlContext.getParameterValues(controlName), "__"));

Suggested solution:
Comments

Comment by Tomáš Gregovský [ 18/Aug/14 ]

Found the same with ' (apostrophe). ' and this fails on info.magnolia.module.form.validators.NoHTMLValidator, line 47:

    return !StringUtils.containsAny(value, "<>&");
Comment by Edgar Vonk [ 07/Sep/14 ]

Hi Magnolia, is there any news on this issue? For us it really makes the Magnolia Form Module very hard to use, as we really need to support special characters. Note that this issue has nothing to do with the 'nohtml' validator. It is just the HTML escaping of the form module of all form fields, which I think is a naive way of trying to prevent XSS attacks. In order to prevent XSS attacks you should perform output escaping and input validation, but not escaping the input before you put it into the database, in my opinion. Well, you could do, but then you would need to offer an easy way for your users to unescape these values again.
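The escape-at-bind-time behaviour quoted in the description and the input-versus-output escaping point made in the comment above, as an added Python model that is not part of the ticket or of the Form module: html.escape stands in for EscapeUtil.escapeXss, the validator is the one-line check quoted from NoHTMLValidator, and the escape_input flag is an assumed switch standing in for the configuration the ticket requests.

```python
import html

# Constructed form submissions, including the two values the ticket discusses.
SUBMISSIONS = {
    "department": ["Research & Development"],
    "name": ["O'Neil"],
    "comment": ["<b>hi</b>"],
}


def no_html_validator(value: str) -> bool:
    """The check quoted from NoHTMLValidator: reject any value containing < > or &."""
    return not any(ch in value for ch in "<>&")


def bind_field(values: list, escape_input: bool) -> str:
    """Model of the quoted bind line. html.escape plays the role of
    EscapeUtil.escapeXss; escape_input is an assumed switch standing in for
    the configurability the ticket asks for (not Magnolia's own API)."""
    joined = "__".join(values)
    return html.escape(joined, quote=True) if escape_input else joined


def bind_and_validate(values: list, escape_input: bool) -> tuple:
    """Escape first, then validate, in the module's order.
    Returns (stored_value, validator_passed)."""
    stored = bind_field(values, escape_input)
    return stored, no_html_validator(stored)


def render(stored: str) -> str:
    """Output escaping: the stored value is escaped exactly once, at render
    time, which is where the XSS defence belongs."""
    return html.escape(stored, quote=True)


def demo(escape_input: bool) -> dict:
    """Run every constructed submission through bind, validate and render."""
    out = {}
    for field, values in SUBMISSIONS.items():
        stored, ok = bind_and_validate(values, escape_input)
        out[field] = (stored, ok, render(stored))
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print("escape_input =", mode)
        for field, (stored, ok, rendered) in demo(mode).items():
            print(f"  {field}: stored={stored!r} validator={ok} rendered={rendered!r}")
```

With escape_input=True the stored value is double-escaped on output ("Research &amp;amp; Development") and the apostrophe case fails the validator only because escaping introduced the "&"; with it off, values round-trip unchanged and output escaping alone neutralises the "<b>hi</b>" case.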
Comment by Federico Grilli [ 17/Sep/14 ]

add config and MVH
Comment by Philip Mundt [ 07/Oct/14 ]

On a side note: PasswordValidator & NoHTMLValidator do not allow chars like "&". Once those validators are turned off, the escaping mechanism can be used/tested.
Comment by Roman Kovařík [ 28/Jul/15 ]

Git commits: https://git.magnolia-cms.com/gitweb/?p=modules%2Fform.git&a=search&h=HEAD&st=commit&s=MGNLFORM-236