[MGNLSTK-1095] Escape values for rendering, don't escape already escaped values - 4.5 Created: 15/Feb/13  Updated: 02/Aug/13  Resolved: 28/Feb/13

Status: Closed
Project: Magnolia Standard Templating Kit (closed)
Component/s: templates
Affects Version/s: 2.0
Fix Version/s: 2.0.9

Type: Bug Priority: Critical
Reporter: Roman Kovařík Assignee: Roman Kovařík
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
clones MGNLSTK-1092 Most of values in FTL templates shoul... Closed
is cloned by MGNLSTK-1105 Escape values for rendering, don't es... Closed
causality
is causing MGNLSTK-1152 Image description is rendered incorre... Closed
dependency
depends upon MAGNOLIA-4866 Make sure every node and property ret... Closed
depends upon MAGNOLIA-4867 Throw IAE in DelegateNodeWrapper.setW... Closed
depends upon MGNLSTK-1101 Wrap nodes with HTMLEscapingNodeWrapp... Closed
relation
is related to MAGNOLIA-4011 Exclusion of nodes not working on inh... Closed
is related to MGNLSTK-1214 stkTemplatingFunctions.getAssetLink()... Closed
Template:
Acceptance criteria:
Empty
Date of First Response:

Description

Due to the changes from MGNLSTK-1101 and MAGNOLIA-4866, most values in FTL templates are already escaped.

  • Remove the escaping from the templates.

Cover the cases where values are still not escaped:

  1. Nodes looked up by identifier in model classes.
  2. Content returned by queries.
  3. Assets.


Comments
Comment by Jan Haderka [ 19/Feb/13 ]

Actually, all (or most anyway) of the escaping should be done (and was in the past) by the rendering engine. If this is not happening (and it seems to be the case), this issue should be re-fixed in the rendering engine and not in the individual templates. I have a suspicion that it is related to the changes made for MAGNOLIA-4011 that force unwrapping for the rendering context before rendering, but the node on which such unwrapping happens seems to be a reference to the node passed into the FreeMarker renderer, which is then also unwrapped and doesn't escape HTML properly. Please try to look into it (or ask for help if stuck).

Comment by Roman Kovařík [ 22/Feb/13 ]

The MAGNOLIA-4810 bug also causes an XSS vulnerability in some models (SiteNavigationModel, for example):

Node root = (Node)currentNode.getAncestor(startLevel);
...
return new NavigationModel(root, currentNode, getVerticalLevel(), allOpen, rootIsHome);

The root node is unwrapped even when currentNode is wrapped.
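
The unwrap-on-traversal problem described in this comment, and the double escaping the issue title warns about, as an added Java example that is not Magnolia code: Node, PlainNode, EscapingNode and EscapeOnceDemo are hypothetical stand-ins for a JCR node and Magnolia's delegating wrapper, and the content is constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Magnolia code: Node, PlainNode and EscapingNode are
// hypothetical stand-ins for a JCR node and Magnolia's delegating wrapper.
interface Node {
    String getProperty(String name);
    Node getAncestor(int depth);     // JCR-style: depth 0 is the root node
}

class PlainNode implements Node {    // unwrapped node: returns stored values verbatim
    final Map<String, String> props = new HashMap<>();
    final Node parent;
    final int depth;
    PlainNode(PlainNode parent) { this.parent = parent; this.depth = parent == null ? 0 : parent.depth + 1; }
    public String getProperty(String name) { return props.get(name); }
    public Node getAncestor(int d) {
        if (d > depth) throw new IllegalArgumentException("no ancestor at depth " + d);
        return d == depth ? this : parent.getAncestor(d);
    }
}

class EscapingNode implements Node { // wrapper that escapes every property it hands out
    final Node delegate;
    final boolean wrapReturnedNodes;
    EscapingNode(Node delegate, boolean wrapReturnedNodes) {
        this.delegate = delegate; this.wrapReturnedNodes = wrapReturnedNodes;
    }
    static String escapeHtml(String s) {
        return s == null ? null : s.replace("&", "&amp;").replace("<", "&lt;")
                                   .replace(">", "&gt;").replace("\"", "&quot;");
    }
    public String getProperty(String name) { return escapeHtml(delegate.getProperty(name)); }
    public Node getAncestor(int d) {
        Node a = delegate.getAncestor(d);
        // Without re-wrapping, the raw ancestor leaks out and its properties render unescaped.
        return wrapReturnedNodes ? new EscapingNode(a, true) : a;
    }
}

public class EscapeOnceDemo {
    public static void main(String[] args) {
        PlainNode root = new PlainNode(null);          // constructed sample content
        root.props.put("title", "Home <b>& more</b>");
        PlainNode page = new PlainNode(root);
        // The template receives a wrapped currentNode, but a model walks up to the site root:
        Node current = new EscapingNode(page, false);
        System.out.println(current.getAncestor(0).getProperty("title")); // raw markup reaches the page
        Node fixed = new EscapingNode(page, true);     // wrapper also wraps the nodes it returns
        String once = fixed.getAncestor(0).getProperty("title");
        System.out.println(once);                                        // escaped exactly once
        // A template-side ?html on an already escaped value re-escapes the entities:
        System.out.println(EscapingNode.escapeHtml(once));               // double-escaped, shows &amp;lt; literally
    }
}
```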

Comment by Roman Kovařík [ 27/Feb/13 ]

Port to master is registered under MGNLSTK-1105.

Comment by Jan Haderka [ 27/Feb/13 ]

Actually I think the title no longer matches what was really done in this issue. Could you please update it?

Generated at Mon Feb 12 07:33:20 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.