project_key: JBEPP

- go to site menu
- click on edit navigation for classic portal
- click on edit node page for "sitemap" node
- click on view page properties
- put "Site Map<script>alert('a');</script>" into the page title
- save

If you try now to edit node "sitemap", nothing will happen.
I can't reproduce on EPP 5.2? Viliam, any better description on how to reproduce?
I was just able to reproduce again. Let me rewrite the steps in more detail:

- login as root
- go to the "Site" menu
- click on "Edit Navigation" for "classic" portal
- on the "SiteMap" node right click and select "Edit Node's Page" from the menu
- in the "Page Editor" window on the right, click on "View page properties"
- put "Site Map<script>alert('a');</script>" into the "Page title" input
- save

If you try now to edit node "SiteMap" in "Edit Navigation" mode in the "Site" administrator page, nothing will happen. This issue causes even more trouble, like an error when clicking on "View page properties" for other node pages.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
CAUSE: Entered text becomes part of portal page HTML as-is, including special characters like angle brackets
CONSEQUENCE: Entered text can break a portal page
FIX: Prevent entry of angle brackets using NoHTMLTagValidator
RESULT: Text that could break a portal page can't be entered any more. If angle brackets are desired in the output, character references can be used - < and >
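The technical note above describes rejecting angle brackets when the title is entered. The following is an added example, not code from the ticket or from the portal: `isAcceptableTitle` is a hypothetical stand-in for that kind of entry check (it is not the real NoHTMLTagValidator), and `escapeHtml` is a hypothetical output-side encoder shown for comparison.

```java
import java.util.List;

public class PageTitleCheck {

    // Hypothetical entry-time check in the spirit of the fix in the note:
    // refuse any title that contains a verbatim angle bracket.
    static boolean isAcceptableTitle(String title) {
        return title != null && title.indexOf('<') < 0 && title.indexOf('>') < 0;
    }

    // Hypothetical render-time encoder: replaces the characters that are
    // significant in HTML, so a stored title cannot open a tag.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample titles; the second is the value from the report.
        List<String> titles = List.of(
            "Site Map",
            "Site Map<script>alert('a');</script>",
            "Products &lt;beta&gt;");
        for (String t : titles) {
            // A title that already carries character references passes the
            // entry check, and escapeHtml encodes its '&' a second time, so
            // the two approaches must not be stacked without deciding which
            // layer owns the encoding.
            System.out.printf("%-40s accepted=%-5b rendered=%s%n",
                t, isAcceptableTitle(t), escapeHtml(t));
        }
    }
}
```

An entry check only covers values saved after it is deployed; titles already stored with angle brackets still reach the page unless they are encoded on output or cleaned up.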
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1 @@ -CAUSE: Entered text becomes part of portal page HTML as-is, including special characters like angle brackets +An issue with field value validation in page title fields caused angle brackets to be added verbatim to the page title. These verbatim characters resulted in portal page errors because the angle brackets were not substituted with HTML character references when the form was saved. The fix introduces NoHTMLTagValidator logic in page title fields, which prevents verbatim angle brackets from being entered into the field. Angle brackets can be included in titles, providing the correct HTML character references are declared: &lt; and &gt;-CONSEQUENCE: Entered text can break a portal page -FIX: Prevent entry of angle brackets using NoHTMLTagValidator -RESULT: Text that could break a portal page can't be entered any more. If angle brackets are desired in the output, character references can be used - < and >
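Review bot: The added paragraph says the errors occurred because angle brackets "were not substituted with HTML character references when the form was saved", yet the fix it describes only rejects angle brackets at entry through NoHTMLTagValidator; the note should say what happens to page titles that were saved with angle brackets before the fix, since the removed CAUSE line states that entered text becomes part of the page HTML as-is. The phrase "providing the correct HTML character references are declared" would also read more clearly as "by entering the character references &lt; and &gt; instead".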