Bug #8912
Source text provided for context in translation edit template does not escape HTML
| Status: | New | Start date: | 09/03/2015 | |
|---|---|---|---|---|
| Priority: | Medium | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | Security | |||
| Target version: | - | |||
| Google Code Legacy ID: | Tested version: | 2.2 | ||
| Sponsored: | No | Requires documentation: |
Description
- Navigate to a description and enter edit mode
- In one of the text boxes (e.g. scope and content), add some HTML, eg:
This is a link to <a href="http://www.artefactual.com>Artefactual</a> Systems.
- Save the description - confirm that the HTML is escaped, as per #7647
- Flip the interface to another language, e.g. French
- Enter edit mode, and navigate to the same text box
- HTML is not escaped inside the source text provided for context above the French text box
- HTML content is escaped everywhere in the edit and view pages (except for static pages)
First reported in the User Forum: https://groups.google.com/d/msg/ica-atom-users/Itr6jjDWi9o/Mw76PL0GDgAJ
Confirmed in stable/2.2.x
Related issues
History
#1 Updated by Dan Gillean over 6 years ago
- Related to Feature #7647: Escape HTML entities "<", ">", '"', "&" to prevent XSS exploits added
#2 Updated by Dan Gillean over 6 years ago
- File source-text-unescaped.png added
Adding screenshot for context.
#3 Updated by Jesús García Crespo almost 6 years ago
- Assignee deleted (
Jesús García Crespo)