incubator-jspwiki-dev mailing list archives

From "brushed (JIRA)" <>
Subject [jira] [Reopened] (JSPWIKI-712) Entities in ChangeNote should be decoded when "keep editing"
Date Sun, 20 Jan 2013 14:26:12 GMT


brushed reopened JSPWIKI-712:


The current fix solves the issue only partly.
Note that this issue also occurs on the 'author' and 'link' fields.

The issue is caused by multiple invocations of TextUtil.replaceEntities():
once in the top-level Edit.jsp, once in the template plan.jsp and once more in the template
This is because <c:out> (used in the template jsp's) by default converts the HTML special
characters to their corresponding character entity codes.

Current code:
Edit.jsp  / Comment.jsp
{code}String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" )
{code}

{code}<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80" value="<c:out value='${changenote}'/>"/></td>
{code}

{code}    <input type="hidden" name="author" value="<c:out value='${author}' />"
    <input type="hidden" name="link" value="<c:out value='${link}' />" />
    <input type="hidden" name="remember" value="<c:out value='${remember}' />" />
    <input type="hidden" name="changenote" value="<c:out value='${changenote}' />"
{code}

I'd prefer that the fix would be done on the template JSPs, keeping the top-level JSPs unchanged.
The top-level JSPs ensure that content which needs to be escaped is properly formatted. The
template JSPs merely display that content.
This way, the top-level Comment.jsp doesn't need to be changed either.

Proposed fixes:
{code}    <input type="hidden" name="author" value="${author}" />
    <input type="hidden" name="link" value="${link}" />
    <input type="hidden" name="remember" value="${remember}" />
    <input type="hidden" name="changenote" value="${changenote}" />
{code}

{code}<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80" value="<c:out value='${changenote}'/>"/></td>
<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80"
{code}

{code}<input type="text" name="author" id="authorname" value="<c:out value='${}' />" />
{code}
{code}<input type="text" name="author" id="authorname" value="${author}" />
{code}

{code}<input type="text" name="link" id="link" size="24" value="<c:out value='${}' />" />
{code}

{code}<input type="text" name="link" id="link" size="24" value="${link}" />
{code}

> Entities in ChangeNote should be decoded when "keep editing"
> ------------------------------------------------------------
>                 Key: JSPWIKI-712
>                 URL:
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Default template
>    Affects Versions: 2.8.4, 2.9
>         Environment: Windows XP, Tomcat 7.0
>            Reporter: Vigneshwaran Raveendran
>            Assignee: brushed
>            Priority: Minor
>              Labels: fix, javascript
>             Fix For: 2.9.1
>         Attachments: JSPWIKI-712.patch
> Steps to reproduce the bug:-
> 1. Go here:
> 2. Type in changenote: Testing "quotes" & ampersand
> 3. Click preview
> 4. Click Keep Editing
> 5. The changenote looks like this: Testing &amp;quot;quotes&amp;quot; &amp;amp;
> Now the user has to remove it and type (Testing "quotes" & ampersand) again before saving. If the user didn't notice it, then the comment will be saved as "Testing &amp;quot;quotes&amp;quot; &amp;amp; ampersand" in the history.
> =================================================
> I know that entities need to be encoded for security reasons but this is a Bug.
> When "keep editing" button is clicked, the comment should appear in decoded format. For that, there should be a javascript that executes "after" the page is loaded. No need to change any of the TextUtil.replaceEntities() methods.
> =================================================
> This is how I fixed it in my pc:
> 1. Added the following script to commonheader.jsp (or prettify.js)
> <script type="text/javascript">
> function decodeChangeNote() {
> document.getElementById("changenote").value = 
>   document.getElementById("changenote").value
>     .replace(/&amp;amp;/g,"&")
>     .replace(/&amp;lt;/g,"<")
>     .replace(/&amp;gt;/g,">")
>     .replace(/&amp;quot;/g,"\"");
> }
> </script>
> 2. Changed <body> tag in EditTemplate.jsp to call this js function on load.
> <body onload="decodeChangeNote()">
> ====================================================
> Now JSPWiki works fine for me. Polish this fix if needed and commit it. Please correct me if I'm wrong.
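
The effect of the repeated escaping discussed in this message, as an added example that is not part of the original message or of JSPWiki's code. `escapeEntities()` is a simplified stand-in for both `TextUtil.replaceEntities()` and `<c:out>`, assumed here to encode the same four characters, and `browserDecodeOnce()` models the single decode a browser applies to an attribute value; all function names are hypothetical.

```javascript
// Added example: a model of the escaping stages, not JSPWiki code.
// escapeEntities() is an assumed stand-in for TextUtil.replaceEntities()
// and <c:out>, treated as encoding the same four characters.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const CHAR = { amp: '&', lt: '<', gt: '>', quot: '"' };

function escapeEntities(s) {
  return s.replace(/[&<>"]/g, (c) => ENTITY[c]);
}

// What the browser does, exactly once, when it parses value="..." in the
// served HTML. A single regex pass guarantees one level of decoding only.
function browserDecodeOnce(s) {
  return s.replace(/&(amp|lt|gt|quot);/g, (_, name) => CHAR[name]);
}

// Render a form field after `stages` escaping passes. Returns the text
// written into the HTML attribute and the value the user sees in the box.
function renderField(raw, stages) {
  let attr = raw;
  for (let i = 0; i < stages; i++) attr = escapeEntities(attr);
  return { attr, shown: browserDecodeOnce(attr) };
}

// Text is safe inside value="..." only if no raw double quote or angle
// bracket is left in it.
function isAttributeSafe(attr) {
  return !/["<>]/.test(attr);
}

// Constructed input, taken from step 2 of the reproduction steps.
const note = 'Testing "quotes" & ampersand';
for (const stages of [0, 1, 2, 3]) {
  const { attr, shown } = renderField(note, stages);
  console.log(stages, isAttributeSafe(attr), shown === note, shown);
}
```

Exactly one pass is the only case that is both safe in the attribute and round-trips the note. That is why printing `${changenote}` without `<c:out>` in the template depends on the top-level JSP having already escaped the value.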
