| Summary: | Able to name portlet with non-valid display name | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Portal Platform 5 | Reporter: | Viliam Rockai <vrockai> |
| Component: | unspecified | Assignee: | mark yarborough <myarboro> |
| Status: | VERIFIED --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.2.0.GA | CC: | epp-bugs, theute |
| Target Milestone: | --- | ||
| Target Release: | 5.2.x | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://jira.jboss.org/jira/browse/JBEPP-1443 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
CAUSE: Entered text becomes part of portal page HTML as-is, including special characters like angle brackets
CONSEQUENCE: Entered text can break a portal page
FIX: Prevent entry of angle brackets using NoHTMLTagValidator
RESULT: Text that could break a portal page can't be entered any more.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Labels: Added: EPP_5_2_1_Candidate Labels: Removed: EPP_5_2_1_Candidate
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
CAUSE: Entered text becomes part of portal page HTML as-is, including special characters like angle brackets
CONSEQUENCE: Entered text can break a portal page
FIX: Prevent entry of angle brackets using NoHTMLTagValidator
RESULT: Text that could break a portal page can't be entered any more.
|
project_key: JBEPP go to application registry in the Web category, click (+) to add new portlet choose any portlet and to display name put <script>alert('a');</script> and save for any page, click page edit and add <script>alert('a');</script> portlet to page when you go to edit mode and change something for the portlet, you cannot save, because portlet has non-valid name and has to be renamed