[ https://issues.apache.org/jira/browse/OFBIZ-1970?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-1970.
----------------------------------
Resolution: Duplicate
There are already a lot of issues open about this subject.
> unescaped html special characters create problems in pages
> ----------------------------------------------------------
>
> Key: OFBIZ-1970
> URL: https://issues.apache.org/jira/browse/OFBIZ-1970
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk, Release Branch 4.0
> Environment: Ofbiz rev 699187, Windows XP, postgresql-8.2-504 on
> Intel CoreDuo 1.8Gz, 2GB of RAM
> Reporter: ian tabangay
> Priority: Minor
>
> HTML-specific characters (like ' & " > < /) are unescaped when rendered. This
> creates problems for rendering pages that interact with JavaScript. Note
> that this bug is the same as a previous issue regarding unescaped special
> characters (see https://issues.apache.org/jira/browse/OFBIZ-1133). This bug
> is also prone to all sorts of HTML injection hacks. HTML and JavaScript code
> may be set as a value of an input field. Browsers shall render these as if
> part of the form.
> I suggest escaping values when a page is being rendered. This will remove the
> hassle of data migration for the database to fix values with unescaped HTML
> characters.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
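The render-time escaping the reporter suggests, shown as an added illustration that is not OFBiz code (OFBiz itself is Java; plain Python is used here for a language-neutral demonstration). The stored values are constructed, and the naive renderer stands in for any template that pastes a database value straight into markup.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample values, stored unescaped in the database as the report
# describes (not data from the original issue).
STORED_VALUES = {
    "firstName": 'Bob "The Builder" <b>O\'Neil</b>',
    "note": "Tom & Jerry <i>and</i> friends",
}

def render_naive(field, value):
    """The reported problem: the raw stored value is pasted into the
    attribute, so a quote or angle bracket changes the page structure."""
    return f'<input name="{field}" value="{value}">'

def escape_attr(value):
    """Escape at render time for HTML text/attribute context:
    & < > " and the apostrophe become character references."""
    return html.escape(str(value), quote=True)

def escape_js(value):
    """Escape for a JavaScript string-literal context: JSON-encode, then
    also encode < and > so the browser cannot see a closing </script>."""
    return json.dumps(str(value)).replace("<", "\\u003c").replace(">", "\\u003e")

def js_roundtrip(value):
    """What the script sees after the browser parses the literal."""
    return json.loads(escape_js(value))

def render_escaped(field, value):
    return f'<input name="{field}" value="{escape_attr(value)}">'

def render_script(var, value):
    return f"<script>var {var} = {escape_js(value)};</script>"

class _InputCollector(HTMLParser):
    """Collects <input> attributes the way a browser would see them."""
    def __init__(self):
        super().__init__()
        self.inputs = []
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

def parsed_input_value(markup):
    """Return the value attribute of the first <input> in markup, or None."""
    p = _InputCollector()
    p.feed(markup)
    p.close()
    return p.inputs[0].get("value") if p.inputs else None
```

Escaping at render time leaves the stored data untouched, so the parsed attribute round-trips to the original value and no database migration is needed; the naive output does not.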