[ https://issues.apache.org/jira/browse/OFBIZ-1970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-1970.
----------------------------------

Resolution: Duplicate

There are already a lot of issues open about this subject

> unescaped html special characters create problems in pages
> ----------------------------------------------------------
>
> Key: OFBIZ-1970
> URL: https://issues.apache.org/jira/browse/OFBIZ-1970
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk, Release Branch 4.0
> Environment: Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on Intel CoreDuo 1.8Gz, 2GB of RAM
> Reporter: ian tabangay
> Priority: Minor
>
> HTML specific characters (like ' & " > < /) are unescaped when rendered. This creates problems for rendering pages that interact with JavaScript. Note that this bug is the same as a previous issue regarding unescaped special characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug is also prone to all sorts of HTML injection hacks. HTML and JavaScript code may be set as a value to an input field. Browsers shall render these as if part of the form.
> I suggest escaping values when a page is being rendered. This will remove the hassle of data migration for the database to fix values with unescaped HTML characters.
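The render-time escaping the reporter proposes, as an added example (not OFBiz code): a stored value containing every character the report lists is placed into an input field's value attribute and into an inline script, first verbatim (the reported behaviour) and then escaped for each context. The field name and the sample value are constructed for the example.

```python
# Added example, not OFBiz code: escape at render time so stored data that
# contains ' & " < > / cannot alter the HTML or JavaScript around it.
import json

# Constructed sample value containing each character the report lists.
STORED_VALUE = 'Ian\'s "Shop" <Ltd> & Co /'

# Entity map covering the characters named in the report.
HTML_ESCAPES = {
    "&": "&amp;",   # handled per character, so "&" is never double-escaped
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
    "/": "&#47;",
}

def escape_html(value: str) -> str:
    """Escape text for HTML text or attribute context."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in value)

def render_input_unescaped(value: str) -> str:
    """The reported behaviour: the value is written into the attribute verbatim."""
    return f'<input type="text" name="partyName" value="{value}">'

def render_input_escaped(value: str) -> str:
    """Escape when the page is rendered; the database row is left untouched."""
    return f'<input type="text" name="partyName" value="{escape_html(value)}">'

def js_literal(value: str) -> str:
    """For values handed to inline JavaScript: a JSON string literal with
    '<' and '>' encoded so the text cannot close the enclosing <script>."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_js_escaped(value: str) -> str:
    return f"<script>var partyName = {js_literal(value)};</script>"

def attribute_value(rendered: str) -> str:
    """What a browser takes as the value attribute: the text from value="
    up to the next double quote. Anything after that quote becomes markup."""
    start = rendered.index('value="') + len('value="')
    return rendered[start:rendered.index('"', start)]

if __name__ == "__main__":
    print(render_input_unescaped(STORED_VALUE))  # value ends at Ian's
    print(render_input_escaped(STORED_VALUE))    # whole value survives
    print(render_js_escaped(STORED_VALUE))
```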