[MGNLFORM-278] XSS escaping breaks plain text email readability Created: 12/Jan/16 Updated: 14/Mar/16 Resolved: 10/Mar/16 |
|
| Status: | Closed |
| Project: | Magnolia Form Module |
| Component/s: | None |
| Affects Version/s: | 2.3.2 |
| Fix Version/s: | 2.3.5 |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Vincent Gombert | Assignee: | Oanh Thai Hoang |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | support | ||
| Remaining Estimate: | 3d 0.25h | ||
| Time Spent: | 1d 7.75h | ||
| Original Estimate: | 5d | ||
| Sprint: | Saigon 34 | ||||
| Story Points: | 8 | ||||
| Description |
|
DefaultFormDataBinder uses XSS escaping to transform form values. This is fine for HTML email but not for plain text email because the HTML entities are not decoded.

    if ("text".equals(contentType)) {
        for (final String key : parameters.keySet()) {
            final Object value = parameters.get(key);
            if (value instanceof String) {
                parameters.put(key, EscapeUtil.unescapeXss((String) value));
            }
        }
    }
    super.sendMail(body, from, subject, to, contentType, parameters);

At least the code snippet could be put in AbstractEMailFormProcessor, unless there's a better way to do so. |
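The behaviour described in this ticket, as an added, self-contained example that is not Magnolia's code: `escapeXss` and `unescapeXss` here are local stand-ins for the module's `EscapeUtil` (the entity set is an assumption), and `forContentType` is a hypothetical helper. It decodes values only for the `"text"` content type, on a copy of the parameters, and shows why the decode has to be a single pass.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class PlainTextMailParams {

    // Local stand-in for the escaping applied when the form is bound (assumed entity set).
    static String escapeXss(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#039;");
    }

    // Single-pass inverse. "&amp;" is decoded last so a user who literally typed
    // "&lt;" (stored as "&amp;lt;") gets "&lt;" back, not "<".
    static String unescapeXss(String s) {
        return s.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", "\"")
                .replace("&#039;", "'").replace("&amp;", "&");
    }

    // Hypothetical helper: returns a copy of the parameters suited to the mail body type.
    // Only "text" bodies get decoded values; HTML bodies keep the escaped ones.
    static Map<String, Object> forContentType(Map<String, Object> parameters, String contentType) {
        Map<String, Object> out = new LinkedHashMap<>(parameters);
        if ("text".equals(contentType)) {
            for (Map.Entry<String, Object> e : out.entrySet()) {
                if (e.getValue() instanceof String) {
                    e.setValue(unescapeXss((String) e.getValue()));
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample form submission, escaped as the binder would store it.
        Map<String, Object> bound = new LinkedHashMap<>();
        bound.put("company", escapeXss("O'Brien & Sons <sales>"));
        bound.put("note", escapeXss("use &lt; for less-than"));
        bound.put("seats", 3); // non-String values pass through untouched

        System.out.println("html: " + forContentType(bound, "html"));
        System.out.println("text: " + forContentType(bound, "text"));
    }
}
```

Because the helper works on a copy, the escaped values stay available for any HTML rendering of the same submission; the decoded map is only suitable for the plain text body.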