Hide Forgot
Affects: Release Notes project_key: JBEPP Source of gadget is escaped in editor and thus can't be saved -> "This source is invalid gadget specification." To reproduce: - go to App.registry -> Gadget 1) - click Create a new gadget -> source is escaped with < > " and can't be saved (screen 1) (SampleGadget.groovy contains valid html source of gadget) 2) - edit any existing gadget -> source is escaped as well (screen 2) It's possible to save gadget only after changing all special characters. It seems that escaping happens when source is loaded in editor.
Attachment: Added: gadget-escaped.png Attachment: Added: gadget-escaped2.png
Link: Added: This issue relates to JBQA-4899
This issue also affects the WCM extension as it relies on groovy templates for content presentation and editing.
Attachment: Added: editing-wcm-templates.png
Link: Added: This issue relates to GTNPORTAL-1967
Probably caused by: GTNPORTAL-1955
Link: Added: This issue relates to GTNPORTAL-1955
I investigate more on this and it seem like it is encoded twice. IMHO right place where to encode value is when rendering as this is UI component responsibility. On the other hand, this component is used by many others, and some pass value encoded, some not. Eg: In UIGadgetEditor is this method and it encodes value, this cause double encoding: public void processRender(WebuiRequestContext context) throws Exception { UIFormTextAreaInput uiInputSource = getUIFormTextAreaInput(FIELD_SOURCE); UIFormStringInput uiInputName = getUIStringInput(FIELD_NAME); String encoded = StringEscapeUtils.escapeHtml(StringEscapeUtils.unescapeHtml(uiInputSource.getValue())); uiInputSource.setValue(encoded); if(this.isEdit()) { uiInputName.setEditable(false); } super.processRender(context); } There is probably more code like this, I thin the best is clean it up here. Unfortunately it is probably in SP in similar way too. If we disable encoding in UIFormTextAreaInput, it will fix double encoding, but enable XSS where it is not encoded.
Removing org.gatein.common.text.EntityEncoder
Link: Added: This issue is related to JBEPP-1028
Link: Added: This issue relates to JBEPP-997
Release Notes Docs Status: Added: Not Required
Release Notes Docs Status: Removed: Not Required Added: Needs More Info Release Notes Text: Added: This issue requires more information about how it was resolved if it requires a 5.1.1 Release Note.
Release Notes Text: Removed: This issue requires more information about how it was resolved if it requires a 5.1.1 Release Note. Added: Issue was a side effect of fix for JBEPP-997 (XSS vulnerability) which affected all textarea inputs. It caused the status when value in text area was encoded twice (thus can not be saved because invalid format). Change was done at related issue and content in gadget editor is now properly encoded. Affects: Added: [Release Notes]
Release Notes Text: Removed: Issue was a side effect of fix for JBEPP-997 (XSS vulnerability) which affected all textarea inputs. It caused the status when value in text area was encoded twice (thus can not be saved because invalid format). Change was done at related issue and content in gadget editor is now properly encoded. Added: A fix that was implemented to resolve an XSS vulnerabily, affected all textarea inputs and caused any gadget source code entered into the App Registry to be escaped with <> characters and rendered invalid to the portal. This prevented new gadgets being added to the portal as ell as preventing any changes being made to existing gadgets. The underlying issue was resolved in a fix for another bug and as a result this issue no longer presents.
Release Notes Docs Status: Removed: Needs More Info Added: Not Required
Link: Added: This issue is related to GTNPORTAL-2073