incubator-jspwiki-dev mailing list archives

From "Harry Metske (JIRA)" <j...@apache.org>
Subject [jira] Closed: (JSPWIKI-197) Html Tags in resource bundles were escaped unexpectedly
Date Sun, 04 Jan 2009 18:09:44 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Harry Metske closed JSPWIKI-197.
--------------------------------

    Resolution: Won't Fix

Yup, revision 626797 introduced the TextUtil.replaceEntities() because of an XSS vulnerability.

> Html Tags in resource bundles were escaped unexpectedly 
> --------------------------------------------------------
>
>                 Key: JSPWIKI-197
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-197
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Core & storage
>    Affects Versions: 2.6.0
>            Reporter: David Gao
>
> *Description*
> The HTML tags in resource bundles (*.properties) do not work in final jsp output pages.
> The tags in output pages are shown literally. They ought to function as what normal HTML tags
> do.
> *Root Reason*
> *com.ecyrd.jspwiki.tags.MessagesTag.doWikiStartTag()* unnecessarily replaces all incoming
> HTML entities. The _TextUtil.replaceEntities()_ should not be used here.
> *Solution*
> Remove the _TextUtil.replaceEntities()_ method in the _MessagesTag.java_ file.
> *Expected Result*
> The HTML tags in resource bundles (*.properties) should work normally in jsp output pages.
> For example, the tag "<br/>" in messages will produce a line break instead of showing the
> tag literally.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
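
The trade-off discussed in this issue, as an added example that is not JSPWiki code: escaping the finished message makes bundle markup such as "<br/>" appear literally, while dropping the escaping lets markup in untrusted text reach the page. It assumes the message is built from a bundle pattern plus a request-derived argument; escape() is a hypothetical stand-in for an entity-escaping helper such as TextUtil.replaceEntities(), and the class, method names and sample strings are constructed for illustration.

```java
import java.text.MessageFormat;

public class MessageEscapingDemo {
    // Hypothetical stand-in for an entity-escaping helper. '&' is replaced
    // first so entities produced by the later steps are not escaped twice.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // No escaping, which is what removing the call would amount to:
    // bundle markup works, but so does markup inside the argument.
    static String noEscaping(String pattern, String arg) {
        return MessageFormat.format(pattern, arg);
    }

    // Escape the finished message: the argument is inert, and the
    // bundle's own <br/> is shown literally (the symptom reported here).
    static String escapeWholeMessage(String pattern, String arg) {
        return escape(MessageFormat.format(pattern, arg));
    }

    // Escape only the untrusted argument before formatting: bundle markup
    // survives and the argument is inert. Valid only if the bundle text
    // itself is trusted (an assumption of this example).
    static String escapeArgumentOnly(String pattern, String arg) {
        return MessageFormat.format(pattern, escape(arg));
    }

    public static void main(String[] args) {
        // Constructed bundle entry and constructed untrusted value.
        String pattern = "Saved page {0}.<br/>Thank you.";
        String arg = "<script>alert(1)</script>";

        System.out.println("none:     " + noEscaping(pattern, arg));
        System.out.println("whole:    " + escapeWholeMessage(pattern, arg));
        System.out.println("argument: " + escapeArgumentOnly(pattern, arg));
    }
}
```
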

