865458 – Generated task form validation functions need to be rewritten in order to use unicode characters

Bug 865458 - Generated task form validation functions need to be rewritten in order to use unicode characters

Summary: Generated task form validation functions need to be rewritten in order to use...

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	JBoss Enterprise BRMS Platform 5
Classification:	JBoss
Component:	jBPM 5
Sub Component:
Version:	BRMS 5.3.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	ER4
Target Release:	BRMS 5.3.1 GA
Assignee:	Kris Verlaenen
QA Contact:	Marek Baluch
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-10-11 13:36 UTC by Jiri Svitak
Modified:	2025-02-10 03:20 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2025-02-10 03:20:56 UTC
Type:	Enhancement
Embargoed:

Attachments	(Terms of Use)

Description Jiri Svitak 2012-10-11 13:36:49 UTC

Generated task forms do not allow to use unicode characters in String fields. User has to rewrite javascript validating methods manually. In particular this method uses only simple regular expression:

	function isAlphanumeric(elem){
		var alphaExp = /^[a-zA-Z0-9\_ .-@]+$/;
		if(elem.value.match(alphaExp)){
			return true;
		} else {
			return false;
		}
	}

Some validation should be there to prevent cross site scripting attack, but the user should not be limited only to English alphabet, for example the string
"příliš žluťoučký kůň úpěl ďábelské ódy"
should be possible to enter without additional javascript code modification.

Comment 1 Tihomir Surdilovic 2012-10-12 15:25:10 UTC

Great catch - since we use regex built into JS for this, I cannot write an expression that includes unicode characters, so let me know what you would like to do:

1) Remove default error checking in generated forms (easy)
2) Start using a library like http://xregexp.com/plugins/ for example which would allow us to do what you are asking, however would introduce more problems because forms should be stand-alone, and with this we would depend on either hard-coding the library code into the form, or making it available somewhere on the net which is not always easy to do.

Let me know if 1) or 2) would work for you or if you have any other ideas.

Thanks.

Comment 2 Jiri Svitak 2012-10-12 15:49:49 UTC

For me the simplest solution would be to rewrite current javascript functions to be less limiting in validation. That means they won't control each alphabet character, but they just won't allow to enter dangerous characters like <, >, ' and perhaps more, which create an attacking potential.

What do you think?

Comment 3 Tihomir Surdilovic 2012-10-12 16:34:05 UTC

That is better approach. Will do. I don't think we should include any preventions of XSS because if we miss anything users can come back at us :) That should be completely user-driven, is that OK?

Comment 4 Tihomir Surdilovic 2012-10-15 16:31:44 UTC

Added support for UTF-8 in regex expressions..your test case should validate without problems now. Checked into master.Raise blocker flag if this is for 5.3.1.

Comment 5 Tihomir Surdilovic 2012-10-17 14:56:07 UTC

Fixed in 2.3.x Designer branch.

Comment 6 Jiri Svitak 2012-11-12 14:44:50 UTC

Verified in BRMS 5.3.1 ER4.

Comment 14 Red Hat Bugzilla 2025-02-10 03:20:56 UTC

This product has been discontinued or is no longer tracked in Red Hat Bugzilla.

Note You need to log in before you can comment on or make changes to this bug.