[ https://issues.apache.org/jira/browse/JSPWIKI-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Harry Metske closed JSPWIKI-197.
--------------------------------
Resolution: Won't Fix
Yup, revision 626797 introduced the TextUtil.replaceEntities() because of an XSS vulnerability.
> Html Tags in resource bundles were escaped unexpectedly
> --------------------------------------------------------
>
> Key: JSPWIKI-197
> URL: https://issues.apache.org/jira/browse/JSPWIKI-197
> Project: JSPWiki
> Issue Type: Bug
> Components: Core & storage
> Affects Versions: 2.6.0
> Reporter: David Gao
>
> *Description*
> The HTML tags in resource bundles (*.properties) do not work in final jsp
> output pages. The tags in output pages are shown literally. They ought to
> function as normal HTML tags do.
> *Root Reason*
> *com.ecyrd.jspwiki.tags.MessagesTag.doWikiStartTag()* unnecessarily replaces
> all incoming HTML entities. The _TextUtil.replaceEntities()_ should not be
> used here.
> *Solution*
> Remove the _TextUtil.replaceEntities()_ method in the _MessagesTag.java_ file.
> *Expected Result*
> The HTML tags in resource bundles (*.properties) should work normally in jsp
> output pages. For example, the tag "<br/>" in messages will produce a line
> break instead of showing the tag literally.
--
This message is automatically generated by JIRA.
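Added example, not JSPWiki code, showing the trade-off behind the Won't Fix: a bundle message usually carries a placeholder filled from request data, so escaping the whole formatted message (what the issue describes) neutralises injected markup at the cost of the author's `<br/>`, whereas escaping only the arguments keeps the bundle markup without reopening the XSS. `escapeHtml` is an assumed stand-in for `TextUtil.replaceEntities()`, and the message pattern and inputs are constructed.

```java
import java.text.MessageFormat;

// Added example, not JSPWiki code. Compares escaping the whole rendered
// message, no escaping, and escaping only the runtime arguments.
public class MessageEscapingDemo {

    // Assumed equivalent of TextUtil.replaceEntities(): escape the characters
    // that let text break out of an HTML text or attribute context.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed resource-bundle message: author-controlled markup plus a
    // placeholder that is filled from the request when the tag renders.
    static final String PATTERN = "Page {0} was saved.<br/>Thank you!";

    // Behaviour the reporter objects to: the whole message is escaped, so the
    // intended <br/> shows literally, but injected markup is neutralised too.
    static String renderEscapingWholeMessage(String pageName) {
        return escapeHtml(MessageFormat.format(PATTERN, pageName));
    }

    // Behaviour the reporter asked for: no escaping, so request data is
    // written into the page unchanged (the XSS the closing comment refers to).
    static String renderUnescaped(String pageName) {
        return MessageFormat.format(PATTERN, pageName);
    }

    // Middle ground: escape each argument before formatting, keep bundle markup.
    static String renderEscapingArguments(String pageName) {
        return MessageFormat.format(PATTERN, escapeHtml(pageName));
    }

    public static void main(String[] args) {
        // Constructed request-supplied page name containing markup.
        String hostile = "Main<script>alert(1)</script>";
        System.out.println(renderEscapingWholeMessage(hostile)); // all entities
        System.out.println(renderUnescaped(hostile));            // script survives
        System.out.println(renderEscapingArguments(hostile));    // <br/> kept, script escaped
    }
}
```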