<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 07:33:21 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>
    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MGNLSTK-1095] Escape values for rendering, don&apos;t escape already escaped values - 4.5</title>
                <link>https://jira.magnolia-cms.com/browse/MGNLSTK-1095</link>
                <project id="10287" key="MGNLSTK">Magnolia Standard Templating Kit (closed)</project>
                    <description>&lt;p&gt;Due to changes by &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLSTK-1101&quot; title=&quot;Wrap nodes with HTMLEscapingNodeWrapper before rendering - 2.0.x&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MGNLSTK-1101&quot;&gt;&lt;del&gt;MGNLSTK-1101&lt;/del&gt;&lt;/a&gt; and &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MAGNOLIA-4866&quot; title=&quot;Make sure every node and property returned by HTML or I18N wrappers are wrapped&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MAGNOLIA-4866&quot;&gt;&lt;del&gt;MAGNOLIA-4866&lt;/del&gt;&lt;/a&gt;, most of the values in FTL templates are already escaped.&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;remove escaping from templates&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Cover the cases where values are still not escaped:&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Nodes taken by &lt;b&gt;Identifier&lt;/b&gt; in model classes.&lt;/li&gt;
	&lt;li&gt;Contents taken by &lt;b&gt;queries&lt;/b&gt;.&lt;/li&gt;
	&lt;li&gt;Assets.&lt;/li&gt;
&lt;/ol&gt;
</description>
                <environment></environment>
        <key id="28025">MGNLSTK-1095</key>
            <summary>Escape values for rendering, don&apos;t escape already escaped values - 4.5</summary>
                <type id="1" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10883&amp;avatarType=issuetype">Bug</type>
                                            <priority id="2" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/critical.svg">Critical</priority>
                        <status id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="1">Fixed</resolution>
                                        <assignee username="rkovarik">Roman Kova&#345;&#237;k</assignee>
                                    <reporter username="rkovarik">Roman Kova&#345;&#237;k</reporter>
                        <labels>
                    </labels>
                <created>Fri, 15 Feb 2013 07:48:27 +0100</created>
                <updated>Fri, 2 Aug 2013 08:31:45 +0200</updated>
                            <resolved>Thu, 28 Feb 2013 08:16:19 +0100</resolved>
                                    <version>2.0</version>
                                    <fixVersion>2.0.9</fixVersion>
                                    <component>templates</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="57913" author="had" created="Tue, 19 Feb 2013 11:35:52 +0100"  >&lt;p&gt;Actually, all (or most anyway) of the escaping should be done (and was in the past) by the rendering engine. If this is not happening (and it seems to be the case), this issue should be re-fixed in the rendering engine and not in the individual templates. I have a suspicion that it is related to changes made for &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MAGNOLIA-4011&quot; title=&quot;Exclusion of nodes not working on inheritable page components&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MAGNOLIA-4011&quot;&gt;&lt;del&gt;MAGNOLIA-4011&lt;/del&gt;&lt;/a&gt; that forces unwrapping for the rendering context before rendering, but the node on which such unwrapping happens seems to be a reference to the node passed into the freemarker renderer, which is then also unwrapped and doesn&apos;t escape html properly. Please try to look into it (or ask for help if stuck).&lt;/p&gt;</comment>
                            <comment id="58119" author="rkovarik" created="Fri, 22 Feb 2013 13:31:19 +0100"  >&lt;p&gt;&lt;a href=&quot;https://jira.magnolia-cms.com/browse/MAGNOLIA-4810&quot; title=&quot;Wrappers don&amp;#39;t wrap everything what should be wrapped&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MAGNOLIA-4810&quot;&gt;&lt;del&gt;MAGNOLIA-4810&lt;/del&gt;&lt;/a&gt; bug also causes an XSS vulnerability in some models (SiteNavigationModel, for example):&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
Node root = (Node)currentNode.getAncestor(startLevel);
...
&lt;span class=&quot;code-keyword&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;code-keyword&quot;&gt;new&lt;/span&gt; NavigationModel(root, currentNode, getVerticalLevel(), allOpen, rootIsHome);
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;b&gt;root&lt;/b&gt; node is unwrapped even if &lt;b&gt;currentNode&lt;/b&gt; is.&lt;/p&gt;</comment>
                            <comment id="58371" author="rkovarik" created="Wed, 27 Feb 2013 08:54:13 +0100"  >&lt;p&gt;Port to master is registered under &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLSTK-1105&quot; title=&quot;Escape values for rendering, don&amp;#39;t escape already escaped values - port to master&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MGNLSTK-1105&quot;&gt;&lt;del&gt;MGNLSTK-1105&lt;/del&gt;&lt;/a&gt;.&lt;/p&gt;</comment>
                            <comment id="58465" author="had" created="Wed, 27 Feb 2013 22:38:53 +0100"  >&lt;p&gt;Actually I think the title no longer matches what was really done in this issue. Could you please update it?&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10030">
                    <name>Cloners</name>
                                            <outwardlinks description="clones">
                                        <issuelink>
            <issuekey id="27762">MGNLSTK-1092</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is cloned by">
                                        <issuelink>
            <issuekey id="28378">MGNLSTK-1105</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10040">
                    <name>causality</name>
                                                                <inwardlinks description="is causing">
                                        <issuelink>
            <issuekey id="29612">MGNLSTK-1152</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10020">
                    <name>dependency</name>
                                            <outwardlinks description="depends upon">
                                        <issuelink>
            <issuekey id="28313">MAGNOLIA-4866</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="28314">MAGNOLIA-4867</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="28212">MGNLSTK-1101</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10010">
                    <name>relation</name>
                                            <outwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="23354">MAGNOLIA-4011</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="32143">MGNLSTK-1214</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                            <customfield id="customfield_14166" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Acceptance criteria</customfieldname>
                        <customfieldvalues>
                            
        <checklist>
        <![CDATA[
                            Empty
                        ]]>
    </checklist>


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10031" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 19 Feb 2013 11:35:52 +0100</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>false</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>mmuehlebach</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            10 years, 51 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>had</customfieldvalue>
            <customfieldvalue>rkovarik</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i00njz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3866</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        </customfields>
    </item>
</channel>
</rss>