[MGNLFORM-278] XSS escaping breaks plain text email readability Created: 12/Jan/16  Updated: 14/Mar/16  Resolved: 10/Mar/16

Status: Closed
Project: Magnolia Form Module
Component/s: None
Affects Version/s: 2.3.2
Fix Version/s: 2.3.5

Type: Bug Priority: Neutral
Reporter: Vincent Gombert Assignee: Oanh Thai Hoang
Resolution: Fixed Votes: 0
Labels: support
Remaining Estimate: 3d 0.25h
Time Spent: 1d 7.75h
Original Estimate: 5d

Issue Links:
Relates
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Sprint: Saigon 34
Story Points: 8

Description

DefaultFormDataBinder uses XSS escaping to transform form values. This is fine for HTML email but not for plain text email, because the HTML entities are not decoded.
You can easily reproduce this problem with the travel demo contact page when using quotes (single or double) in the subject or message field.
I had to release, so I fixed this by overriding the method sendMail in both SendContactEMailProcessor and SendConfirmationEMailProcessor with the following code.

// Only plain text mail is affected: a text/plain reader shows the HTML entities
// produced by DefaultFormDataBinder's XSS escaping literally, so decode them here.
if ("text".equals(contentType)) {
	for (final String key : parameters.keySet()) {
		final Object value = parameters.get(key);
		// Only String values were escaped by the binder, so only those are decoded.
		if (value instanceof String) {
			parameters.put(key, EscapeUtil.unescapeXss((String) value));
		}
	}
}
// HTML mail keeps the escaped values; the parent does the actual sending.
super.sendMail(body, from, subject, to, contentType, parameters);

At least the code snippet could be put in AbstractEMailFormProcessor, unless there's a better way to do so.
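The content-type split described in this report, as an added example that is not Magnolia's code: Python's html.escape and html.unescape stand in for DefaultFormDataBinder's XSS escaping and EscapeUtil.unescapeXss, the contact-form submission is constructed, and the template string is a stand-in for the form module's mail template. It shows the pre-fix output (entities reaching a text/plain reader), the fixed output, and that the HTML mail path keeps the values escaped.

```python
import html

# Constructed sample submission, modelled on the travel demo contact form:
# quotes in subject and message, markup-like text in the name, and one
# non-string value that must pass through untouched.
SUBMISSION = {
    "name": "Ann O'Brien <qa>",
    "subject": "What's the price?",
    "message": 'He said "hello" & left',
    "attempts": 1,
}

# Stand-in for the mail template (hypothetical, not the module's own).
TEMPLATE = "From: {name}\nSubject: {subject}\n\n{message}\n(attempt {attempts})"


def bind_form_values(raw):
    """Escape every string value once at binding time.

    Stands in for DefaultFormDataBinder's XSS escaping: the bound values are
    safe to drop into an HTML mail body as-is. Non-string values are left alone.
    """
    return {k: html.escape(v, quote=True) if isinstance(v, str) else v
            for k, v in raw.items()}


def render_mail_buggy(template, parameters):
    """Pre-fix behaviour: bound values reach the mail body verbatim,
    whatever the content type, so text/plain readers see the entities."""
    return template.format(**parameters)


def render_mail(template, content_type, parameters):
    """Fixed behaviour: decode entities only when the mail is plain text.

    Plain text is not parsed as markup by the mail client, so the escaping
    buys nothing there and only hurts readability; HTML mail keeps it.
    """
    if content_type == "text":
        parameters = {k: html.unescape(v) if isinstance(v, str) else v
                      for k, v in parameters.items()}
    return template.format(**parameters)


if __name__ == "__main__":
    bound = bind_form_values(SUBMISSION)
    print("--- text mail, before fix ---")
    print(render_mail_buggy(TEMPLATE, bound))
    print("--- text mail, after fix ---")
    print(render_mail(TEMPLATE, "text", bound))
    print("--- html mail (still escaped) ---")
    print(render_mail(TEMPLATE, "html", bound))
```

The decode step is keyed on the content type rather than on the value, which is the same shape as the override in the report; putting it in a shared base such as AbstractEMailFormProcessor, as the report suggests, keeps both processors on the same rule.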


Generated at Mon Feb 12 05:38:38 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.