Change By: Christian Ringele (11/Aug/14 1:57 PM)
Description: The form module HTML-escapes inputs by default. In certain situations this is not good.
Clearly in the password field, as it won't store the PW 1:1 with the input when it contains allowed characters that get escaped. This leads to problems when reusing the PW for other systems as well.

Also the customer needs to store inputs from other fields unchanged (see linked support ticket). Example: the original value to store, {code}Research & Development{code}, becomes {code}Research &amp; Development{code}.

The problem is this line in the info.magnolia.module.form.templates.components.DefaultFormDataBinder#bindAndValidateFields method:
{code}
final String value = EscapeUtil.escapeXss(StringUtils.join(MgnlContext.getParameterValues(controlName), "__"));
{code}

Suggested solution:
All form fields should be html escaped to prevent XSS attacks.
But allow a configuration on the form field to disable it for this specific field.
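The following is an added illustration of the suggested solution, not code from the Magnolia form module: a binder that joins multi-valued parameters with "__" as the reported line does, HTML-escapes every field by default, and skips escaping only for fields explicitly configured as raw. The class name EscapingFormBinder, the rawFields configuration and the minimal escapeHtml helper are assumptions standing in for DefaultFormDataBinder and EscapeUtil.escapeXss; the submitted values are constructed sample data.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Escape-by-default form binder with a per-field opt-out.
 * Hypothetical stand-in for DefaultFormDataBinder#bindAndValidateFields;
 * escapeHtml() is a minimal escaper, not Magnolia's EscapeUtil.escapeXss.
 */
public class EscapingFormBinder {

    /** Field names configured to be stored exactly as submitted (the opt-out). */
    private final Set<String> rawFields;

    public EscapingFormBinder(Set<String> rawFields) {
        this.rawFields = new HashSet<>(rawFields);
    }

    /** Minimal HTML escaper covering the characters that matter for markup injection. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Joins multi-valued parameters with "__" (as the reported line does) and
     * escapes the result unless the field is configured as raw.
     */
    public Map<String, String> bind(Map<String, String[]> parameters) {
        Map<String, String> bound = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : parameters.entrySet()) {
            String name = e.getKey();
            String joined = String.join("__", e.getValue());
            bound.put(name, rawFields.contains(name) ? joined : escapeHtml(joined));
        }
        return bound;
    }

    public static void main(String[] args) {
        // Constructed sample submission, not real form data.
        Map<String, String[]> submitted = new LinkedHashMap<>();
        submitted.put("department", new String[] {"Research & Development"});
        submitted.put("password",   new String[] {"p<a>ss&word"});
        submitted.put("comment",    new String[] {"<b>hello</b>"});

        // Only "password" and "department" opt out; everything else stays escaped.
        EscapingFormBinder binder = new EscapingFormBinder(
                new HashSet<>(Arrays.asList("password", "department")));

        for (Map.Entry<String, String> e : binder.bind(submitted).entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
    }
}
```

With this configuration "department" and "password" are stored exactly as typed, while "comment" is stored as `&lt;b&gt;hello&lt;/b&gt;`. The trade-off of the opt-out is that a raw field is no longer safe to render as-is: whatever later outputs that value into a page has to encode it for the HTML context at render time, otherwise the XSS protection the default escaping provides is lost for that field.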