incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Janne Jalkanen (JIRA)" <>
Subject [jira] Commented: (JSPWIKI-505) No more <br /> separators in wiki system variables
Date Mon, 16 Feb 2009 13:45:03 GMT


Janne Jalkanen commented on JSPWIKI-505:

Variable output is escaped because of security concerns.  It is less userfriendly, yes, but
unfortunately security often is.

In fact, I think that most of the variables are also a security risk (they give information
to the attacker), so we should remove variables like $pageproviderdescription and so on.

No plans to change this behaviour - not escaping the line breaks would result in a fairly
massive security hole just to make another security hole look nicer.  Not a good tradeoff,

> No more <br /> separators in wiki system variables
> --------------------------------------------------
>                 Key: JSPWIKI-505
>                 URL:
>             Project: JSPWiki
>          Issue Type: Bug
>    Affects Versions: 2.8.1
>            Reporter: Bruno Peeters
>            Priority: Minor
> We have noticed that information on the Systeminfo page (
is less userfriendly presented compared to the previous version of jspwiki we are using (2.2.33).
 All information items are put on one single line, which makes it harder to get a clear view
on the information presented, eg the available interwiki links. 
> Why were the <br /> separators removed from the variables ? 
> Would it be possible to add an option to indicate whether the information would be presented
with or without breaks ?
> Concerned wiki variables
> Current Page Provider          {$pageproviderdescription}
> Current Attachment Provider    {$attachmentProviderDescription}
> Available InterWiki links      {$interwikilinks}
> Inlined images are             {$inlinedimages}

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message