Bug 865458 – Generated task form validation functions need to be rewritten in order to use unicode characters

Bug 865458 - Generated task form validation functions need to be rewritten in order to use unicode characters

Summary:	Generated task form validation functions need to be rewritten in order to use...

Status:	VERIFIED

Aliases:	None

Product:	JBoss Enterprise BRMS Platform 5
Classification:	JBoss
Component:	jBPM 5 (Show other bugs)
Sub Component:
Version:	BRMS 5.3.1
Hardware:	Unspecified Unspecified

Priority	unspecified Severity low
Target Milestone:	ER4
Target Release:	BRMS 5.3.1 GA
Assigned To:	Tihomir Surdilovic
QA Contact:	Marek Baluch
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-10-11 09:36 EDT by Jiri Svitak
Modified:	2015-06-01 21:39 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was not previously possible to us unicode characters in String fields in generated task forms due to incorrect validation errors occurring. This has been resolved by adding support for utf-8 in the validation functions. User can enter utf-8 characters in task forms and do not see false validation errors.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	Enhancement
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Jiri Svitak 2012-10-11 09:36:49 EDT

Generated task forms do not allow to use unicode characters in String fields. User has to rewrite javascript validating methods manually. In particular this method uses only simple regular expression:

	function isAlphanumeric(elem){
		var alphaExp = /^[a-zA-Z0-9\_ .-@]+$/;
		if(elem.value.match(alphaExp)){
			return true;
		} else {
			return false;
		}
	}

Some validation should be there to prevent cross site scripting attack, but the user should not be limited only to English alphabet, for example the string
"příliš žluťoučký kůň úpěl ďábelské ódy"
should be possible to enter without additional javascript code modification.

Comment 1 Tihomir Surdilovic 2012-10-12 11:25:10 EDT

Great catch - since we use regex built into JS for this, I cannot write an expression that includes unicode characters, so let me know what you would like to do:

1) Remove default error checking in generated forms (easy)
2) Start using a library like http://xregexp.com/plugins/ for example which would allow us to do what you are asking, however would introduce more problems because forms should be stand-alone, and with this we would depend on either hard-coding the library code into the form, or making it available somewhere on the net which is not always easy to do.

Let me know if 1) or 2) would work for you or if you have any other ideas.

Thanks.

Comment 2 Jiri Svitak 2012-10-12 11:49:49 EDT

For me the simplest solution would be to rewrite current javascript functions to be less limiting in validation. That means they won't control each alphabet character, but they just won't allow to enter dangerous characters like <, >, ' and perhaps more, which create an attacking potential.

What do you think?

Comment 3 Tihomir Surdilovic 2012-10-12 12:34:05 EDT

That is better approach. Will do. I don't think we should include any preventions of XSS because if we miss anything users can come back at us :) That should be completely user-driven, is that OK?

Comment 4 Tihomir Surdilovic 2012-10-15 12:31:44 EDT

Added support for UTF-8 in regex expressions..your test case should validate without problems now. Checked into master.Raise blocker flag if this is for 5.3.1.

Comment 5 Tihomir Surdilovic 2012-10-17 10:56:07 EDT

Fixed in 2.3.x Designer branch.

Comment 6 Jiri Svitak 2012-11-12 09:44:50 EST

Verified in BRMS 5.3.1 ER4.

Note You need to log in before you can comment on or make changes to this bug.