Bug 865458 - Generated task form validation functions need to be rewritten in order to use unicode characters
Generated task form validation functions need to be rewritten in order to use...
Status: VERIFIED
Product: JBoss Enterprise BRMS Platform 5
Classification: JBoss
Component: jBPM 5 (Show other bugs)
BRMS 5.3.1
Unspecified Unspecified
unspecified Severity low
: ER4
: BRMS 5.3.1 GA
Assigned To: Tihomir Surdilovic
Marek Baluch
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-11 09:36 EDT by Jiri Svitak
Modified: 2015-06-01 21:39 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was not previously possible to us unicode characters in String fields in generated task forms due to incorrect validation errors occurring. This has been resolved by adding support for utf-8 in the validation functions. User can enter utf-8 characters in task forms and do not see false validation errors.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Enhancement
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jiri Svitak 2012-10-11 09:36:49 EDT
Generated task forms do not allow to use unicode characters in String fields. User has to rewrite javascript validating methods manually. In particular this method uses only simple regular expression:

	function isAlphanumeric(elem){
		var alphaExp = /^[a-zA-Z0-9\_ .-@]+$/;
		if(elem.value.match(alphaExp)){
			return true;
		} else {
			return false;
		}
	}

Some validation should be there to prevent cross site scripting attack, but the user should not be limited only to English alphabet, for example the string
"příliš žluťoučký kůň úpěl ďábelské ódy"
should be possible to enter without additional javascript code modification.
Comment 1 Tihomir Surdilovic 2012-10-12 11:25:10 EDT
Great catch - since we use regex built into JS for this, I cannot write an expression that includes unicode characters, so let me know what you would like to do:

1) Remove default error checking in generated forms (easy)
2) Start using a library like http://xregexp.com/plugins/ for example which would allow us to do what you are asking, however would introduce more problems because forms should be stand-alone, and with this we would depend on either hard-coding the library code into the form, or making it available somewhere on the net which is not always easy to do.

Let me know if 1) or 2) would work for you or if you have any other ideas.

Thanks.
Comment 2 Jiri Svitak 2012-10-12 11:49:49 EDT
For me the simplest solution would be to rewrite current javascript functions to be less limiting in validation. That means they won't control each alphabet character, but they just won't allow to enter dangerous characters like <, >, ' and perhaps more, which create an attacking potential.

What do you think?
Comment 3 Tihomir Surdilovic 2012-10-12 12:34:05 EDT
That is better approach. Will do. I don't think we should include any preventions of XSS because if we miss anything users can come back at us :) That should be completely user-driven, is that OK?
Comment 4 Tihomir Surdilovic 2012-10-15 12:31:44 EDT
Added support for UTF-8 in regex expressions..your test case should validate without problems now. Checked into master.Raise blocker flag if this is for 5.3.1.
Comment 5 Tihomir Surdilovic 2012-10-17 10:56:07 EDT
Fixed in 2.3.x Designer branch.
Comment 6 Jiri Svitak 2012-11-12 09:44:50 EST
Verified in BRMS 5.3.1 ER4.

Note You need to log in before you can comment on or make changes to this bug.