Bug 724481 (BRMS-426) - Atom feeds need to escape XML special characters
Summary: Atom feeds need to escape XML special characters
Keywords:
Status: CLOSED NEXTRELEASE
Alias: BRMS-426
Product: JBoss Enterprise BRMS Platform 5
Classification: JBoss
Component: BRM (Guvnor)
Version: 5.1.0.ER3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: ---
Target Release: 5.1.0.ER4
Assignee: Tihomir Surdilovic
QA Contact:
URL: http://jira.jboss.org/jira/browse/BRM...
Whiteboard:
Depends On:
Blocks:
Reported: 2010-11-03 20:55 UTC by Jiri Locker
Modified: 2010-11-24 09:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-24 09:18:42 UTC
Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 724437 | 0 | high | CLOSED | Discussion Atom feed is not a valid XML | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 724446 | 0 | medium | CLOSED | Discussion comment line breaks are ignored | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 724497 | 0 | urgent | CLOSED | Error displaying feed if it contains non ISO 8859-1 characters | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 724506 | 0 | low | CLOSED | Convert line breaks from asset comments and description to <br/> elements when building the Atom feed | 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker | BRMS-426 | 0 | None | None | None | Never

Internal Links: 724437 724446 724497 724506

Description Jiri Locker 2010-11-03 20:55:38 UTC
securitylevel_name: Public

For example, posting a comment that looks like "evil comment</feed>" into an asset's discussion breaks the feed XML document.
Something similar to http://commons.apache.org/lang/api-release/org/apache/commons/lang/StringEscapeUtils.html#escapeXml%28java.lang.String%29 will be necessary to apply to the user input before building the feed XML.

Comment 1 Jiri Locker 2010-11-03 20:56:42 UTC
Link: Added: This issue depends BRMS-382


Comment 2 Jiri Locker 2010-11-03 20:58:05 UTC
Link: Removed: This issue depends BRMS-382 


Comment 3 Jiri Locker 2010-11-03 20:58:31 UTC
Link: Added: This issue is related to BRMS-382


Comment 4 Jiri Locker 2010-11-04 21:01:15 UTC
Link: Added: This issue is related to BRMS-391


Comment 5 Jiri Locker 2010-11-04 21:19:15 UTC
Please also make sure that special characters are encoded when submitting a comment. User might want to describe conditions with expressions using <, >, &, etc. For instance, "The condition should be a<b and b>c." which doesn't work now because the substring "<b and b>" is handled as an HTML tag.

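The following is an added illustration of the two problems described in the report and in comment 5; it is not Guvnor code and is written in Python rather than the Java the project uses. The first two sample comments are the payloads quoted above, the other two are constructed here to cover quotes, ampersands and non-Latin-1 text. It shows the string-concatenation pattern that lets "</feed>" close the document early, the same template with the user values escaped, and the form a practitioner should prefer, where an XML serializer owns the escaping. It also strips the control characters that XML 1.0 forbids outright, which escaping alone does not fix, and escapes the comment for HTML display so that "<b and b>" is shown as text instead of being treated as a tag.

```python
import html
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed sample comments. The first two are the payloads quoted in the
# report (description and comment 5); the other two are added here to cover
# quotes, ampersands and text outside ISO 8859-1.
SAMPLE_COMMENTS = [
    "evil comment</feed>",
    "The condition should be a<b and b>c.",
    'Rule "discount" fires when price > 100 && region == "EU"',
    "Komentář s diakritikou: příliš žluťoučký kůň",
]

# Code points that XML 1.0 does not allow anywhere in a document, not even
# as character references. Escaping does not help here; they must be removed.
_XML_ILLEGAL = re.compile(
    "[^\x09\x0a\x0d\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)


def strip_xml_illegal(text):
    """Drop characters that would make the document ill-formed regardless of escaping."""
    return _XML_ILLEGAL.sub("", text)


def build_feed_unescaped(comments):
    """Reproduces the defect: user text is concatenated straight into markup."""
    entries = "".join(
        f'<entry><content type="text">{c}</content></entry>' for c in comments
    )
    return f'<feed xmlns="{ATOM_NS}"><title>Discussion</title>{entries}</feed>'


def build_feed_escaped(comments):
    """Same template, but every user-controlled value is escaped first.

    xml.sax.saxutils.escape handles &, < and > (the StringEscapeUtils.escapeXml
    equivalent); quotes only matter inside attribute values, where you would
    pass entities={'"': '&quot;'} as well.
    """
    entries = "".join(
        f'<entry><content type="text">{escape(strip_xml_illegal(c))}</content></entry>'
        for c in comments
    )
    return f'<feed xmlns="{ATOM_NS}"><title>Discussion</title>{entries}</feed>'


def build_feed_with_builder(comments):
    """Preferred form: build a tree and let the serializer escape on output."""
    feed = ET.Element(f"{{{ATOM_NS}}}feed")
    ET.SubElement(feed, f"{{{ATOM_NS}}}title").text = "Discussion"
    for c in comments:
        entry = ET.SubElement(feed, f"{{{ATOM_NS}}}entry")
        content = ET.SubElement(entry, f"{{{ATOM_NS}}}content", type="text")
        content.text = strip_xml_illegal(c)
    return ET.tostring(feed, encoding="unicode")


def is_well_formed(xml_text):
    """True if a conforming XML parser accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def feed_contents(xml_text):
    """Parse the feed the way a reader would and return the comment texts."""
    root = ET.fromstring(xml_text)
    ns = {"a": ATOM_NS}
    return [el.text for el in root.findall("a:entry/a:content", ns)]


def comment_to_html(comment):
    """Escaping for the web UI (comment 5): '<b and b>' is shown as text, not a tag."""
    return html.escape(comment, quote=True)


if __name__ == "__main__":
    broken = build_feed_unescaped(SAMPLE_COMMENTS)
    print("concatenated feed well-formed:", is_well_formed(broken))
    fixed = build_feed_with_builder(SAMPLE_COMMENTS)
    print("builder feed well-formed:", is_well_formed(fixed))
    print(fixed)
    print(comment_to_html(SAMPLE_COMMENTS[1]))
```

Running it shows the concatenated feed rejected by the parser because "</feed>" in the first comment closes the root element while a content element is still open, while both fixed forms parse and round-trip every comment unchanged, including the non-Latin-1 one. The builder form is the one to reach for: it cannot forget an escape call on a new field, whereas the template form is only as safe as the last person who edited it.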
Comment 6 Tihomir Surdilovic 2010-11-05 20:56:31 UTC
Link: Added: This issue depends GUVNOR-1087


Comment 7 Jiri Locker 2010-11-09 14:23:28 UTC
Link: Added: This issue is a dependency of JBQA-3766


Comment 8 Jiri Locker 2010-11-16 17:51:55 UTC
Link: Added: This issue is related to BRMS-443


Comment 9 Jiri Locker 2010-11-24 09:24:26 UTC
Link: Added: This issue is related to BRMS-452
