Jens Wilke (JIRA) | 1 Apr 2008 14:48

[JIRA] Created: (JAHIA-2759) HTML special characters (< and &) not escaped in page title

HTML special characters (< and &) not escaped in page title
-----------------------------------------------------------

                 Key: JAHIA-2759
                 URL: http://www.jahia.org/jira/browse/JAHIA-2759
             Project: Jahia Content Management Server
          Issue Type: Bug
    Affects Versions: 5.0 SP3
            Reporter: Jens Wilke

The method JahiaPage.getTitle() converts a text to html by calling TextHtml.text2html().
Special chars in html, that is < and &, are left as-is where umlaut characters are converted to
HTML entities.

I think this is a bug, all text supplied by the user should be displayed as entered, no
HTML input should be allowed.

OTOH an ampersand in a page title usually displays as expected right now, since the
browser parser is tolerant, but the page code is non XML-conform because the
ampersand is not an XML entity.

BTW: We don't need to escape umlauts at all, since the output charset is UTF-8.


Sergiy Shyrkov (JIRA) | 26 May 2008 14:59

[JIRA] Issue Comment Edited: (JAHIA-2759) HTML special characters (< and &) not escaped in page title


    [
http://www.jahia.org/jira/browse/JAHIA-2759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=30153#action_30153
] 

shyrkov edited comment on JAHIA-2759 at 5/26/08 2:59 PM:
----------------------------------------------------------------

Hello Jens,

we are aware of this issue and there was an internal discussion (JAHIA-2206) about character escaping. As
this, for sure, will have side effects (especially for existing template sets, which directly or
indirectly rely on this feature) the issue is still open.

For the time being there is another method to get the raw value (not escaped) of the page title: JahiaPage.getRawTitle().
You can escape it on your own in the template, e.g. using JSP 2.0 expression language and JSTL:

${fn:escapeXml(currentPage.jahiaPage.rawTitle)}

or using API version and JSTL c:out tag:

<c:out value="<%= myPage.getRawTitle() %>"/>

Kind regards
Sergiy

      was (Author: shyrkov):
    Hello Jens,

we are aware of this issue and there was an internal discussion (JAHIA-2759) about character escaping. As
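
The difference between the behaviour reported for getTitle() and the fn:escapeXml / c:out workaround suggested in the comment above, as an added example that is not part of the original thread or of Jahia's code. umlautOnlyEncode is a hypothetical stand-in that mimics the reported behaviour, escapeXml is a plain-Java equivalent of the five-character escaping that JSTL performs, and the titles are constructed samples.

```java
public class TitleEscapingDemo {

    // Hypothetical stand-in for the behaviour described in the report:
    // umlauts become HTML entities, '<' and '&' pass through unchanged.
    // This is NOT the source of Jahia's TextHtml.text2html().
    static String umlautOnlyEncode(String text) {
        return text.replace("\u00e4", "&auml;").replace("\u00f6", "&ouml;")
                   .replace("\u00fc", "&uuml;").replace("\u00c4", "&Auml;")
                   .replace("\u00d6", "&Ouml;").replace("\u00dc", "&Uuml;")
                   .replace("\u00df", "&szlig;");
    }

    // Escapes the five characters that JSTL fn:escapeXml and c:out escape.
    // Everything else, umlauts included, is emitted unchanged.
    static String escapeXml(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample page titles, as a content editor might type them.
        String[] rawTitles = {
            "Forschung & Entwicklung",
            "Preise < 100 EUR",
            "\u00dcber uns",
            "<b>News</b>"
        };
        for (String raw : rawTitles) {
            System.out.println("raw:         " + raw);
            System.out.println("umlaut-only: " + umlautOnlyEncode(raw));
            System.out.println("escapeXml:   " + escapeXml(raw));
            System.out.println();
        }
    }
}
```

In the umlaut-only output the last title is still live markup and the first is not well-formed XML, while the escaped output renders every title as entered and leaves the umlaut untouched, which is sufficient when the page is served as UTF-8.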

Sergiy Shyrkov (JIRA) | 23 May 2008 15:16

[JIRA] Resolved: (JAHIA-2759) HTML special characters (< and &) not escaped in page title


     [
http://www.jahia.org/jira/browse/JAHIA-2759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergiy Shyrkov resolved JAHIA-2759.
-----------------------------------

    Resolution: Answered

> HTML special characters (< and &) not escaped in page title
> -----------------------------------------------------------
>
>                 Key: JAHIA-2759
>                 URL: http://www.jahia.org/jira/browse/JAHIA-2759
>             Project: Jahia Content Management Server
>          Issue Type: Bug
>    Affects Versions: 5.0 SP3
>            Reporter: Jens Wilke
>            Assignee: Sergiy Shyrkov
>
> The method JahiaPage.getTitle() converts a text to html by calling TextHtml.text2html().
> Special chars in html, that is < and &, are left as-is where umlaut characters are converted to
> HTML entities.
> I think this is a bug, all text supplied by the user should be displayed as entered, no
> HTML input should be allowed.
> OTOH an ampersand in a page title usually displays as expected right now, since the
> browser parser is tolerant, but the page code is non XML-conform because the
> ampersand is not an XML entity.
> BTW: We don't need to escape umlauts at all, since the output charset is UTF-8.


Sergiy Shyrkov (JIRA) | 23 May 2008 15:16

[JIRA] Assigned: (JAHIA-2759) HTML special characters (< and &) not escaped in page title


     [
http://www.jahia.org/jira/browse/JAHIA-2759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergiy Shyrkov reassigned JAHIA-2759:
-------------------------------------

    Assignee: Sergiy Shyrkov

> HTML special characters (< and &) not escaped in page title
> -----------------------------------------------------------
>
>                 Key: JAHIA-2759
>                 URL: http://www.jahia.org/jira/browse/JAHIA-2759
>             Project: Jahia Content Management Server
>          Issue Type: Bug
>    Affects Versions: 5.0 SP3
>            Reporter: Jens Wilke
>            Assignee: Sergiy Shyrkov
>
> The method JahiaPage.getTitle() converts a text to html by calling TextHtml.text2html().
> Special chars in html, that is < and &, are left as-is where umlaut characters are converted to
> HTML entities.
> I think this is a bug, all text supplied by the user should be displayed as entered, no
> HTML input should be allowed.
> OTOH an ampersand in a page title usually displays as expected right now, since the
> browser parser is tolerant, but the page code is non XML-conform because the
> ampersand is not an XML entity.
> BTW: We don't need to escape umlauts at all, since the output charset is UTF-8.


Sergiy Shyrkov (JIRA) | 23 May 2008 15:15

[JIRA] Commented: (JAHIA-2759) HTML special characters (< and &) not escaped in page title


    [
http://www.jahia.org/jira/browse/JAHIA-2759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=30153#action_30153
] 

Sergiy Shyrkov commented on JAHIA-2759:
---------------------------------------

Hello Jens,

we are aware of this issue and there was an internal discussion (JAHIA-2759) about character escaping. As
this, for sure, will have side effects (especially for existing template sets, which directly or
indirectly rely on this feature) the issue is still open.

For the time being there is another method to get the raw value (not escaped) of the page title: JahiaPage.getRawTitle().
You can escape it on your own in the template, e.g. using JSP 2.0 expression language and JSTL:

${fn:escapeXml(currentPage.jahiaPage.rawTitle)}

or using API version and JSTL c:out tag:

<c:out value="<%= myPage.getRawTitle() %>"/>

Kind regards
Sergiy

> HTML special characters (< and &) not escaped in page title
> -----------------------------------------------------------
>
>                 Key: JAHIA-2759