[MGNLFORM-236] Html escaping of form fields should be configurable Created: 11/Aug/14  Updated: 28/Jul/15  Resolved: 06/Oct/14

Status: Closed
Project: Magnolia Form Module
Component/s: None
Affects Version/s: 2.2.5
Fix Version/s: 2.2.7

Type: Improvement Priority: Neutral
Reporter: Christian Ringele Assignee: Milan Divilek
Resolution: Fixed Votes: 3
Labels: support
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
causality
is causing MGNLFORM-267 Form templates created by yaml don't ... Closed
dependency
is depended upon by MGNLPUR-142 Password inputs should not be escaped... Closed
duplicate
is duplicated by MGNLFORM-243 HTML is escaped in form fields result... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Release notes required:
Yes
Date of First Response:

 Description   

The form module HTML-escapes inputs by default. In certain situations this is not good.
Clearly so for the password field, as the stored password will differ from the 1:1 input whenever it contains allowed characters that get escaped. This leads to problems when reusing the password for other systems as well.

The customer also needs to store the input of other fields unchanged (see the linked support ticket). Example: the original value to store,

Research & Development

becomes

Research &amp; Development

The problem is this line in the info.magnolia.module.form.templates.components.DefaultFormDataBinder#bindAndValidateFields method:

final String value = EscapeUtil.escapeXss(StringUtils.join(MgnlContext.getParameterValues(controlName), "__"));

Suggested solution:
All form fields should be HTML-escaped to prevent XSS attacks,
but allow a configuration on the form field to disable it for that specific field.



 Comments   
Comment by Tomáš Gregovský [ 18/Aug/14 ]

Found the same with ' (apostrophe).
On the corporate website the demo registration form has a text area field for the message, and this has the 'nohtml' validation. But if someone just puts text like "It's me" in there it fails, because ' is escaped to

'

and this fails in info.magnolia.module.form.validators.NoHTMLValidator:

return !StringUtils.containsAny(value, "<>&");
Comment by Edgar Vonk [ 07/Sep/14 ]

Hi Magnolia, is there any news on this issue? For us it really makes the Magnolia Form Module very hard to use, as we really need to support special characters. Note that this issue has nothing to do with the 'nohtml' validator. It is just the HTML escaping of all form fields by the form module, which I think is a naive way of trying to prevent XSS attacks. In order to prevent XSS attacks you should perform output escaping and input validation, but not escape the input before you put it into the database, in my opinion. Well, you could, but then you would need to offer an easy way for your users to unescape these values again..
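
Added example illustrating the description, the 'nohtml' failure reported above and the output-escaping argument in the previous comment. It is not code from the form module or from any commenter: it is a Python stand-in for the Java logic. escape_xss approximates what EscapeUtil.escapeXss does (the exact entity forms are an assumption), no_html_valid is a port of the single line quoted from NoHTMLValidator, and the escape_html flag on FieldConfig is the hypothetical per-field switch from the suggested solution.

```python
"""Escape-before-validate (reported behaviour) versus validate-raw-then-escape-on-output.
Added example, not the form module's code; a Python stand-in for the Java logic."""
import html
from dataclasses import dataclass
from typing import Callable, Tuple

# Approximation of EscapeUtil.escapeXss: the exact entities Magnolia emits are an assumption.
ESCAPE_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape_xss(value: str) -> str:
    return "".join(ESCAPE_MAP.get(ch, ch) for ch in value)


def no_html_valid(value: str) -> bool:
    # Same check as the line quoted from NoHTMLValidator: any of < > & fails validation.
    return not any(ch in value for ch in "<>&")


@dataclass
class FieldConfig:
    name: str
    escape_html: bool = True  # hypothetical per-field switch from the suggested solution
    validators: Tuple[Callable[[str], bool], ...] = ()


def bind_escape_first(cfg: FieldConfig, raw: str) -> str:
    """Behaviour reported in the issue: escape first, then validate and store the escaped value."""
    value = escape_xss(raw)
    if not all(v(value) for v in cfg.validators):
        raise ValueError(f"{cfg.name}: validation failed on {value!r}")
    return value


def bind_validate_raw(cfg: FieldConfig, raw: str) -> str:
    """Proposed behaviour: validate the raw input, escape only if the field asks for it."""
    if not all(v(raw) for v in cfg.validators):
        raise ValueError(f"{cfg.name}: validation failed on {raw!r}")
    return escape_xss(raw) if cfg.escape_html else raw


def render(stored: str) -> str:
    """Output escaping as a template should do it; safe regardless of what was stored."""
    return html.escape(stored, quote=True)


def demo() -> dict:
    # Constructed field configurations and inputs mirroring the cases in the issue.
    message = FieldConfig("message", escape_html=False, validators=(no_html_valid,))
    company = FieldConfig("company", escape_html=False)
    password = FieldConfig("password", escape_html=False)
    results = {}
    # 1. "It's me" fails the nohtml validator only because the apostrophe was escaped first.
    try:
        bind_escape_first(message, "It's me")
        results["escape_first_message"] = "accepted"
    except ValueError:
        results["escape_first_message"] = "rejected"
    results["validate_raw_message"] = bind_validate_raw(message, "It's me")
    # 2. Escaped storage changes the value, and output escaping then double-escapes it.
    stored_old = bind_escape_first(company, "Research & Development")
    results["old_stored"] = stored_old
    results["old_rendered"] = render(stored_old)
    stored_new = bind_validate_raw(company, "Research & Development")
    results["new_stored"] = stored_new
    results["new_rendered"] = render(stored_new)
    # 3. A password field with escaping disabled keeps the input 1:1 for reuse elsewhere.
    results["password"] = bind_validate_raw(password, "p&ss<w0rd>")
    # 4. Raw storage is still harmless at render time because the template escapes output.
    results["script_rendered"] = render(bind_validate_raw(company, "<script>alert(1)</script>"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The double-escaped "Research &amp;amp; Development" in the old path is the practical cost of escaping on input: every consumer that already escapes on output has to unescape first, which is the point made in the comment above. Disabling escaping per field is only safe where the consumers of that field escape on output themselves.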

Comment by Federico Grilli [ 17/Sep/14 ]

add config and MVH

Comment by Philip Mundt [ 07/Oct/14 ]

On a side note: PasswordValidator & NoHTMLValidator do not allow chars like "&". Once those validators are turned off, the escaping mechanism can be used/tested.

Comment by Roman Kovařík [ 28/Jul/15 ]

Git commits: https://git.magnolia-cms.com/gitweb/?p=modules%2Fform.git&a=search&h=HEAD&st=commit&s=MGNLFORM-236

Generated at Mon Feb 12 05:38:13 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.