incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "brushed (JIRA)" <j...@apache.org>
Subject [jira] [Reopened] (JSPWIKI-712) Entities in ChangeNote should be decoded when "keep editing"
Date Sun, 20 Jan 2013 14:26:12 GMT

     [ https://issues.apache.org/jira/browse/JSPWIKI-712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

brushed reopened JSPWIKI-712:
-----------------------------



JSPWIKI-742

The current fix solves the issue only partly.
Note that this issue also occurs on the 'author' and 'link' fields.


The issue is caused by multiple invocations of TextUtil.replaceEntities();  
once in the top-level Edit.jsp;  once in the template plan.jsp  and once more in the template
preview.jsp.
This is because <c:out> (used in the template jsp's) by default converts the HTML special
characters to their corresponding character entity codes.

Current code:
Edit:jsp  / Comment.jsp
{code}String changenote = TextUtil.replaceEntities( findParam( pageContext, "changenote" )
);
{code} 

plain.jsp
{code}<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80"
value="<c:out value='${changenote}'/>"/></td>
{code} 

preview.jsp  
{code}    <input type="hidden" name="author" value="<c:out value='${author}' />"
/>
    <input type="hidden" name="link" value="<c:out value='${link}' />" />
    <input type="hidden" name="remember" value="<c:out value='${remember}' />" />
    <input type="hidden" name="changenote" value="<c:out value='${changenote}' />"
/>
{code} 

I'd prefer that the fix would done on the template jsp's, keeping the top-level jsp's unchanged.
  
The top-level JSP's ensure that content which need to be escaped is properly formatted. The
template jsp merely display that content.   
This way, also the top-level Comment.jsp don't need to be changed.

Proposed fixes:
preview.jsp:
{code}    <input type="hidden" name="author" value="${author}" />
    <input type="hidden" name="link" value="${link}" />
    <input type="hidden" name="remember" value="${remember}" />
    <input type="hidden" name="changenote" value="${changenote}" />
{code} 

plain.jsp:
replace  
{code}<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80"
value="<c:out value='${changenote}'/>"/></td>
{code} 
by 
{code} 
<td><input type="text" name="changenote" id="changenote" size="80" maxlength="80"
value="${changenote}"/></td>
{code} 

replace
{code}<input type="text" name="author" id="authorname" value="<c:out value='${sessionScope.author}'
/>" />
{code} 
by
{code}<input type="text" name="author" id="authorname" value="${author}" />
{code} 

replace
{code}<input type="text" name="link" id="link" size="24" value="<c:out value='${sessionScope.link}'
/>" />
{code} 

by
{code}<input type="text" name="link" id="link" size="24" value="${link}" />
{code} 



                
> Entities in ChangeNote should be decoded when "keep editing"
> ------------------------------------------------------------
>
>                 Key: JSPWIKI-712
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-712
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Default template
>    Affects Versions: 2.8.4, 2.9
>         Environment: Windows XP, Tomcat 7.0
>            Reporter: Vigneshwaran Raveendran
>            Assignee: brushed
>            Priority: Minor
>              Labels: fix, javascript
>             Fix For: 2.9.1
>
>         Attachments: JSPWIKI-712.patch
>
>
> Steps to reproduce the bug:-
> 1. Go here: http://doc.jspwiki.org/2.4/Edit.jsp?page=WindowsInstall
> 2. Type in changenote: Testing "quotes" & ampersand
> 3. Click preview
> 4. Click Keep Editing
> 5. The changenote looks like this: Testing &amp;quot;quotes&amp;quot; &amp;amp;
ampersand
> Now the user has to remove it and type (Testing "quotes" & ampersand) again before
saving. If the user didn't notice it, then the comment will be saved as "Testing &amp;quot;quotes&amp;quot;
&amp;amp; ampersand" in the history.
> =================================================
> I know that entities need to be encoded for security reasons but this is a Bug.
> When "keep editing" button is clicked, the comment should appear in decoded format. For
that, there should be a javascript that execute "after" the page is loaded. No need to change
any of the TextUtil.replaceEntities() methods.
> =================================================
> This is how I fixed it in my pc:
> 1. Added the following script to commonheader.jsp (or prettify.js)
> <script type="text/javascript">
> function decodeChangeNote() {
> document.getElementById("changenote").value = 
>   document.getElementById("changenote").value
>     .replace(/&amp;amp;/g,"&")
>     .replace(/&amp;lt;/g,"<")
>     .replace(/&amp;gt;/g,">")
>     .replace(/&amp;quot;/g,"\"");
> }
> </script>
> 2. Changed <body> tag in EditTemplate.jsp to call this js function on load.
> <body onload="decodeChangeNote()">
> ====================================================
> Now JSPWiki works fine for me. Polish this fix if needed and commit it. Please correct
me if I'm wrong.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message