incubator-jspwiki-dev mailing list archives

From "Harry Metske (JIRA)" <>
Subject [jira] Commented: (JSPWIKI-485) & in notes for page history
Date Mon, 02 Feb 2009 17:08:00 GMT


Harry Metske commented on JSPWIKI-485:

The notes in the history were vulnerable to XSS (see JSPWIKI-319); this was solved by replacing
characters with TextUtil.replaceEntities().
To be honest, I don't know if pageNames are also vulnerable to XSS...

> & in notes for page history
> ---------------------------
>                 Key: JSPWIKI-485
>                 URL:
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.8.1
>            Reporter: Bruno Peeters
>            Priority: Minor
> In the previous version of jspwiki we were using (2.2.33), & signs in page titles were automatically converted to amp, which led to unwanted page titles. We are pleased to notice that & signs are now accepted in page titles.
> We have however noticed that & signs in notes (for the page history) continue to be replaced by &amp. Other characters such as < > and quotes are also replaced.
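
An added illustration (not JSPWiki code and not part of this thread) of the trade-off discussed above: entity-escaping a change note neutralizes markup, while a note that passes through escaping twice is displayed with a literal `&amp;`. The `escapeHtml` helper is a stand-in written for this example, not the body of `TextUtil.replaceEntities()`, and double escaping as the cause of the reported display is an assumption.

```java
import java.util.List;

public class NoteEscapingDemo {

    // Stand-in for an entity-replacing helper; NOT JSPWiki's TextUtil code.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What a browser displays for escaped text: decode entities one level.
    // "&amp;" is decoded last so "&amp;lt;" becomes the visible text "&lt;".
    static String asDisplayed(String html) {
        return html.replace("&lt;", "<").replace("&gt;", ">")
                   .replace("&quot;", "\"").replace("&#39;", "'")
                   .replace("&amp;", "&");
    }

    public static void main(String[] args) {
        // Constructed change notes, not taken from the issue.
        List<String> notes = List.of(
            "Merged Q&A section",
            "<script>alert(1)</script>",
            "Renamed \"Tips & Tricks\"");

        for (String note : notes) {
            String once  = escapeHtml(note);   // escaped exactly once, at output
            String twice = escapeHtml(once);   // hypothetical second pass (assumption)
            System.out.println("raw        : " + note);
            System.out.println("html (1x)  : " + once);
            System.out.println("shown (1x) : " + asDisplayed(once));
            System.out.println("shown (2x) : " + asDisplayed(twice));
            System.out.println("round-trips: " + asDisplayed(once).equals(note));
            System.out.println();
        }
    }
}
```

Escaped once, every note is displayed exactly as typed and the script tag stays inert text; escaped twice, the reader sees `&amp;`, `&lt;` and `&quot;` on screen.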
