Continuum

HTML encode the build output

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.1-beta-1
  • Component/s: Web interface
  • Labels:
    None
  • Complexity:
    Novice
  • Number of attachments :
    2

Description

Currently the output is included verbatim, which means that the browser will try to parse any XML that's in the build output. See the attached snapshot versus the actual output:

– SNIP –
<featureMember typeName="View of GAB Adresse">
<Feature identifier="swrefVrecordVdatasetZaddressVcollectionZne_adresseVkeysZ158428" typeName="View of GAB Adresse">
<property type="string" typeName="thc_world_name">Norge</property>
<property type="integer" typeName="kadranr">158428</property>
<property type="integer" typeName="kkomnr">219</property>
<property type="string" typeName="kommunenavn">Bærum</property>
<property type="string" typeName="kgatanvn">KYRRES VEI</property>
<property type="integer" typeName="kadrnr">19</property>
<property type="string" typeName="kadrunr">C</property>
<property type="integer" typeName="kadruunr"/>
<property type="string" typeName="kposnr">1369</property>
<property type="string" typeName="postnavn">STABEKK</property>
<geometricProperty typeName="posisjon">
<Point ID="swrefVgeometryVdatasetZaddressVcollectionZne_adresseVfieldZposisjonVlocalZTrueVkeysZ536885020X662636086X690767" swldy:world="swrefVworldVdatasetZaddressVuniverseZ2VworldZ0">
<coordinates>-409769860,-357023026 </coordinates>
</Point>
</geometricProperty>
<geometricProperty typeName="annotation">
<Annotation ID="swrefVgeometryVdatasetZaddressVcollectionZne_adresseVfieldZannotationVlocalZTrueVkeysZ536885020X662636069X690770" swldy:world="swrefVworldVdatasetZaddressVuniverseZ2VworldZ0">
<coordinates>-409769860,-357022026 </coordinates>
<string>19C</string>
<orientation>0.000000</orientation>
<justification>22</justification>
<font_orientation/>
<height>1.000000</height>
</Annotation>
</geometricProperty>
<swldy:DisplayContextProperty typeName="display_context">
<Feature typeName="display_context"/>
</swldy:DisplayContextProperty>
<swldy:associatedDocumentsProperty typeName="associatedDocuments">
<Document/>
– SNIP –

Issue Links

This issue is duplicated by:
CONTINUUM-679 Insecure html in build output leads to bad html rendering - could be used for malicious cross-site scripting. Critical Closed
CONTINUUM-817 The generated output in the Working Copy page displays the wrong content Major Closed
CONTINUUM-673 html is not escaped properly in build output Major Closed

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Jorg Heymans added a comment -

Used commons-lang for easy html output escaping

Show
Jorg Heymans added a comment - Used commons-lang for easy html output escaping
Hide
Permalink
Jorg Heymans added a comment -

has this patch been reviewed yet ?

Show
Jorg Heymans added a comment - has this patch been reviewed yet ?
Hide
Permalink
Emmanuel Venisse added a comment -

this patch won't be reviewed because we'll change all the web part in 1.1 with webwork.

Show
Emmanuel Venisse added a comment - this patch won't be reviewed because we'll change all the web part in 1.1 with webwork.
Hide
Permalink
Lee Meador added a comment -

I haven't thought through the attack but this seems to create a security issue when the text in the build output gets interpreted by the browser. If nothing else it could make it real hard to tell what error caused a build to fail.

Show
Lee Meador added a comment - I haven't thought through the attack but this seems to create a security issue when the text in the build output gets interpreted by the browser. If nothing else it could make it real hard to tell what error caused a build to fail.

People

Vote (2)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.