Bug #8912

Source text provided for context in translation edit template does not escape HTML

Added by Dan Gillean over 6 years ago. Updated almost 6 years ago.

Status: New
Priority: Medium
Assignee: -
Category: Security
Target version: -
Start date: 09/03/2015
Due date:
% Done: 0%
Google Code Legacy ID:
Tested version: 2.2
Sponsored: No
Requires documentation:

Description

  • Navigate to a description and enter edit mode
  • In one of the text boxes (e.g. scope and content), add some HTML, e.g.:
    This is a link to <a href="http://www.artefactual.com>Artefactual</a> Systems.
  • Save the description and confirm that the HTML is escaped, as per #7647
  • Flip the interface to another language, e.g. French
  • Enter edit mode, and navigate to the same text box

Resulting error
  • HTML is not escaped inside the source text provided for context above the French text box

Expected result
  • HTML content is escaped everywhere in the edit and view pages (except for static pages)

First reported in the User Forum: https://groups.google.com/d/msg/ica-atom-users/Itr6jjDWi9o/Mw76PL0GDgAJ
Confirmed in stable/2.2.x
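An added illustration of the fix this report asks for, written in plain PHP and not taken from AtoM's code (the function names and the widget markup are assumptions): the escaping applied to the editable field has to be applied to the read-only source text shown above it as well, and a simple check can catch a context block that still echoes stored markup raw.

```php
<?php
// Added example, not AtoM's own code: the translation edit widget for one field,
// rendered once the way the bug describes (context block unescaped) and once
// fixed. Function names and the HTML structure are assumptions for illustration.

function escape_html(string $value): string
{
    // ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE keeps invalid UTF-8
    // from making htmlspecialchars() return '' and silently blanking the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Buggy shape: the editable textarea is escaped, but the read-only source text
// shown above it for context is echoed raw.
function render_field_unescaped_context(string $name, string $source, string $translation): string
{
    return '<div class="source-text">' . $source . '</div>' . "\n"
         . '<textarea name="' . escape_html($name) . '">' . escape_html($translation) . '</textarea>';
}

// Fixed shape: every piece of stored content goes through the same escaper,
// whether it is editable or only displayed for context.
function render_field(string $name, string $source, string $translation): string
{
    return '<div class="source-text">' . escape_html($source) . '</div>' . "\n"
         . '<textarea name="' . escape_html($name) . '">' . escape_html($translation) . '</textarea>';
}

// Regression check: stored text that contains markup must never reach the page
// verbatim. A value that changes under escaping but appears unchanged in the
// rendered HTML has leaked.
function leaks_markup(string $html, string $stored): bool
{
    return $stored !== escape_html($stored) && strpos($html, $stored) !== false;
}

// Constructed input: the reporter's sample, including its unclosed href quote,
// which a browser parses as an attribute value running on to the next double
// quote in the page. Escaping makes the question moot, since no tag is created.
$source = 'This is a link to <a href="http://www.artefactual.com>Artefactual</a> Systems.';
$translation = 'Ceci est un lien vers <a href="http://www.artefactual.com>Artefactual</a>.';

$buggy = render_field_unescaped_context('scopeAndContent', $source, $translation);
$fixed = render_field('scopeAndContent', $source, $translation);

echo 'buggy widget leaks source markup: ' . var_export(leaks_markup($buggy, $source), true) . "\n";
echo 'fixed widget leaks source markup: ' . var_export(leaks_markup($fixed, $source), true) . "\n";
echo $fixed . "\n";
```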

source-text-unescaped.png (16.3 KB) Dan Gillean, 09/03/2015 07:24 PM


Related issues

Related to Access to Memory (AtoM) - Feature #7647: Escape HTML entities "<", ">", '"', "&" to prevent XSS ex... Verified 12/03/2014

History

#1 Updated by Dan Gillean over 6 years ago

  • Related to Feature #7647: Escape HTML entities "<", ">", '"', "&" to prevent XSS exploits added

#2 Updated by Dan Gillean over 6 years ago

Adding screenshot for context.

#3 Updated by Jesús García Crespo almost 6 years ago

  • Assignee deleted (Jesús García Crespo)
