[Yanel-dev] [Bug 8549] New: Yanel should allow only plain text when adding comments
bugzilla at wyona.com
Mon Sep 19 00:11:48 CEST 2011
http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=8549
Summary: Yanel should allow only plain text when adding comments
Product: Yanel
Version: unspecified
Platform: All
URL: http://www.yanel.org/usecases/add-comment.html?path=/en/about.html
OS/Version: All
Status: NEW
Severity: normal (C)
Priority: P1
Component: Security
AssignedTo: michael.wechner at wyona.org
ReportedBy: michael.wechner at wyona.org
QAContact: yanel-development at wyona.com
People might try to enter semi-structured text, including javascript, e.g.
----
My comment includes some javascript injection:
<script><alert("hoi")</a></script>
<h1>Hello</h1>
----
Yanel should allow only plain text. Currently one receives a transformation
error when entering semi-structured text as above.
Stacktrace:
java.lang.Exception: Transformation error:
    at org.wyona.yanel.impl.resources.BasicXMLResource.getXMLView(BasicXMLResource.java:289)
    at org.wyona.yanel.impl.resources.BasicXMLResource.getView(BasicXMLResource.java:196)
    at org.wyona.yanel.servlet.YanelServlet.getContent(YanelServlet.java:585)
    at org.wyona.yanel.servlet.YanelServlet.doGet(YanelServlet.java:415)
    at org.wyona.yanel.servlet.YanelServlet.service(YanelServlet.java:319)
which is not very nice.
Instead one should receive a warning that only plain text is allowed and Yanel
should only save plain text and drop all the rest.
All fields need to be validated accordingly inside
src/resources/comment/src/java/org/wyona/yanel/impl/resources/comment/CommentResource.java
and the test at
src/realms/yanel-website/src/test/canoo/tests/add-comment.xml
adapted accordingly.
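One way to implement the plain-text rule this bug asks for, as an added example that is not Yanel's own code and not what ended up in CommentResource.java: the class name PlainTextCommentFilter, its method names and the warning string are assumptions made for illustration; the sample comment is the one from the report. The field value is first checked for anything tag-shaped (so the user can be warned), then stripped down to plain text, and finally XML-escaped so that a stray '<' or '&' that survives the strip is stored as character data rather than as markup that later breaks the XML transformation.

```java
import java.util.regex.Pattern;

/** Added example, not Yanel code: reduces a comment field to plain text. */
public final class PlainTextCommentFilter {

    /** Anything shaped like a tag: a '<' followed by everything up to the next '>'. */
    private static final Pattern TAG = Pattern.compile("<[^>]*>");

    /** Warning shown to the user when markup was dropped (assumed wording). */
    public static final String MARKUP_WARNING =
        "Only plain text is allowed in comments; markup has been removed.";

    private PlainTextCommentFilter() {}

    /** True if the value contains something that looks like a tag. */
    public static boolean containsMarkup(String value) {
        return value != null && TAG.matcher(value).find();
    }

    /** Drops every tag-shaped fragment and trims the result. */
    public static String toPlainText(String value) {
        if (value == null) {
            return "";
        }
        return TAG.matcher(value).replaceAll("").trim();
    }

    /**
     * Escapes the five XML-special characters so that whatever survived the
     * strip (for example a lone '<' with no closing '>', or an '&') becomes
     * character data instead of markup when the comment is written into XML.
     */
    public static String escapeXml(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Outcome of validating one field: the text to store and an optional warning. */
    public static final class Result {
        public final String storedText;
        /** null when the input was already plain text. */
        public final String warning;

        Result(String storedText, String warning) {
            this.storedText = storedText;
            this.warning = warning;
        }
    }

    /** Validates a single form field; call once per field of the comment form. */
    public static Result validateField(String raw) {
        boolean hadMarkup = containsMarkup(raw);
        String plain = toPlainText(raw);
        return new Result(escapeXml(plain), hadMarkup ? MARKUP_WARNING : null);
    }

    public static void main(String[] args) {
        // Constructed input: the comment text from the bug report.
        String comment = "My comment includes some javascript injection:\n"
            + "<script><alert(\"hoi\")</a></script>\n"
            + "<h1>Hello</h1>";
        Result r = validateField(comment);
        if (r.warning != null) {
            System.out.println("warning: " + r.warning);
        }
        System.out.println("stored:\n" + r.storedText);
    }
}
```

Two caveats for anyone adapting this. Tag stripping is a denylist and will not catch every way of smuggling markup (an unterminated '<', entity-encoded brackets, and so on); the XML escaping step is what actually makes the stored value safe, and the strip only exists so that the user sees plain text and a warning. And the escaping belongs to string concatenation: if the comment is written into the XML view through a DOM or StAX writer, that serializer already escapes character data, so escapeXml must then be left out to avoid double-encoding.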