roller-commits mailing list archives

From "David Johnson (JIRA)" <nore...@atlassian.com>
Subject [Roller-JIRA] Commented: (ROL-1216) HTML allowed in the Name field of createWebsite.do causes issues. If an image tag is inserted, the image appears on main page and in the blogger directory.
Date Thu, 26 Jul 2007 21:08:31 GMT

    [ http://opensource.atlassian.com/projects/roller/browse/ROL-1216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_13933 ]

David Johnson commented on ROL-1216:
------------------------------------

I don't believe there is any reason to prevent people from entering angle brackets and HTML
or XML tags in a weblog name, those are valid plain text things. 

At display time, we must treat the name as plain text, i.e. escape it so that any tags it
contains are not interpreted as HTML. We do that consistently for our RSS/Atom feeds and we
should also do it in the Roller themes.

So, the way to fix this problem in your blogger directory is to use the $utils.escapeHTML()
method to escape any weblog name that you display.



> HTML allowed in the Name field of createWebsite.do causes issues. If an image tag is inserted, the image appears on main page and in the blogger directory.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ROL-1216
>                 URL: http://opensource.atlassian.com/projects/roller/browse/ROL-1216
>             Project: Roller
>          Issue Type: Bug
>          Components: User Interface - General
>    Affects Versions: 3.0
>         Environment: All
>            Reporter: Rob Wilson
>            Assignee: Allen Gilliland
>             Fix For: 4.0
>
>
> Disallow html in the Name field of createWebsite.do page. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/roller/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
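An added example, not Roller's own code, of the display-time escaping the comment describes. The `escapeHTML()` method below is a hypothetical stand-in for the `$utils.escapeHTML()` helper a theme would call; the weblog names are constructed test data. The two `renderDirectory*` methods show the blogger-directory listing once with the stored name dropped into the markup verbatim (the behaviour reported in the issue) and once with the name escaped, so that an image tag in the name is shown as literal text rather than interpreted by the browser.

```java
import java.util.Arrays;
import java.util.List;

public class WeblogNameEscaping {

    // Hypothetical equivalent of Roller's $utils.escapeHTML(): replaces the five
    // characters that can change HTML structure with their entity forms.
    public static String escapeHTML(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The pattern behind the bug report: the stored name is concatenated into
    // the page as-is, so any tag it contains becomes part of the markup.
    public static String renderDirectoryUnescaped(List<String> weblogNames) {
        StringBuilder sb = new StringBuilder("<ul class=\"blogger-directory\">\n");
        for (String name : weblogNames) {
            sb.append("  <li>").append(name).append("</li>\n");
        }
        return sb.append("</ul>").toString();
    }

    // The fix the comment recommends: treat the name as plain text at display
    // time by escaping it before it is placed in the HTML.
    public static String renderDirectoryEscaped(List<String> weblogNames) {
        StringBuilder sb = new StringBuilder("<ul class=\"blogger-directory\">\n");
        for (String name : weblogNames) {
            sb.append("  <li>").append(escapeHTML(name)).append("</li>\n");
        }
        return sb.append("</ul>").toString();
    }

    // Check used when reviewing a template: the only tags in the rendered
    // listing should be the ones the template itself emits.
    public static boolean containsOnlyTemplateTags(String html) {
        String stripped = html.replace("<ul class=\"blogger-directory\">", "")
                              .replace("</ul>", "")
                              .replace("<li>", "")
                              .replace("</li>", "");
        return stripped.indexOf('<') < 0 && stripped.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample data: the second name carries an image tag, the
        // third uses angle brackets as ordinary text (a valid plain-text name).
        List<String> names = Arrays.asList(
            "Daily Notes",
            "Photos <img src=\"http://example.invalid/logo.png\">",
            "Tom & Jerry's <Tips>");

        String unsafe = renderDirectoryUnescaped(names);
        String safe = renderDirectoryEscaped(names);

        System.out.println("--- unescaped (tag is interpreted) ---");
        System.out.println(unsafe);
        System.out.println("only template tags: " + containsOnlyTemplateTags(unsafe));

        System.out.println("--- escaped (tag is shown as text) ---");
        System.out.println(safe);
        System.out.println("only template tags: " + containsOnlyTemplateTags(safe));
    }
}
```

Escaping is applied where the value meets the HTML, not at input time, which is why names containing angle brackets can still be accepted; the same name rendered into a feed or a different context would be escaped with that context's rules.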