
Key: JRA-9090
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Blocker
Assignee: Chris Mountford [Atlassian]
Reporter: Nick Menere [Atlassian]
Votes: 0
Watchers: 1

Wiki Renderer does not HTML encode contents of unknown macros

Created: 18/Jan/06 11:03 PM   Updated: 30/Jul/06 07:37 PM
Component/s: Web interface
Affects Version/s: None
Fix Version/s: 3.6.3

Time Tracking:
Not Specified


Participants: =Neal Applebaum, Anton Mazkovoi [Atlassian], Chris Mountford [Atlassian], Keith Brophy and Nick Menere [Atlassian]
Resolution Date: 28/Jun/06 08:15 PM


Description
HTML is not escaped for the contents of failed macros and bad links.

For normal JIRA usage this means that the Wiki Rendered fields may produce unexpected results for HTML special characters (<, &, etc.) in the event of a macro typo or malformed URL.

If you enter in the description from JRA-6372 (included below) it blows up the viewing of the issue.

It is treating the Velocity stuff as unknown macros.

I've exhausted all efforts thru the user forum. Maybe someone can help me?
I want to include values of custom fields in my email notifications.
I was successful (at first) by using some code from another user:

#foreach ($cfv in ${issue.getRelated("ChildCustomFieldValue")})
#set ($cf = ${cfv.getRelatedOne("ParentCustomField")})
#if (${cfv.getString("stringvalue")})
	<tr><td width=20%><b>${cf.getString("name")}:</b></td><td
width=80%>${cfv.getString("stringvalue")}</td></tr>
#elseif (${cfv.getString("textvalue")})
	<tr><td width=20%><b>${cf.getString("name")}:</b></td><td
width=80%>${cfv.getString("textvalue")}</td></tr>
#elseif (${cfv.getString("numbervalue")})
	<tr><td width=20%><b>${cf.getString("name")}:</b></td><td
width=80%>${cfv.getLong("numbervalue")}</td></tr>
#end
#end

Well, that seemed to work, but then I found that NOT ALL custom fields were
handled by the above code. Specifically, drop down values. However, it didn't
bother me so much that for some custom fields the values displayed as
internal codes. The problem was one project that had a custom field of type
'project picker'. Email notifications for that project caused the template to break
with an error:
Invocation of method 'getLong' in class org.ofbiz.core.entity.GenericValue
   threw exception class java.lang.ClassCastException : java.lang.Double
at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:246)
at ... etc. ...
I tried putting in #else code to handle some cases, I tried putting in code I
found from Anton in the user forum:


#elseif ($cf.getLong("fieldtype").intValue() == 1 ||
$cf.getLong("fieldtype").intValue() == 3 ||
$cf.getLong("fieldtype").intValue() == 5)
	<tr><td width=20%><b>${cf.getString("name")} : </b></td><td
width=80%>${cfv.getString("stringvalue")}
#elseif ($cf.getLong("fieldtype").intValue() == 2)
	<tr><td width=20%><b>${cf.getString("name")} : </b></td><td
width=80%>${cfv.getLong("numbervalue")}
#elseif ($cf.getLong("fieldtype").intValue() == 4)
	<tr><td width=20%><b>${cf.getString("name")} : </b></td><td
width=80%>${cfv.getDate("datevalue")}

all to no avail. I really would like to get this working - or at least not broken.
I've looked at the Velocity user's manual and scoured the source code, but
I can't find how to do this. 

As a side note (I can log an issue if you like), I noticed that when viewing
an issue that has been moved between projects, the "Change History" also
shows the internal project ID rather than the project name, so even within
the web interface, it looks like internal IDs still show up sometimes.


Comments
Anton Mazkovoi [Atlassian] added a comment - 23/Jan/06 12:40 AM
As far as I can tell, there will always be problems with pasting complex text that is not surrounded with noformat. The problem is that the contents of the macro is printed out as is, and is not HTML encoded. We need to HTML encode the raw contents of a macro.

Keith Brophy added a comment - 28/Jun/06 08:15 PM
This issue arises due to the fact that HTML escaping is suppressed when rendering the contents/body of a macro tag.

The renderer has been modified to not suppress HTML escaping now.
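
Added example (not part of the original issue and not JIRA's renderer code): a simplified Python model of the behaviour described in the comments above, where the body of an unrecognised macro is echoed without HTML escaping, next to the corrected behaviour. The paired {name}...{name} macro syntax, the names render, KNOWN_MACROS and SAMPLE, and the misspelled macro in the sample input are assumptions made for illustration.

```python
import html
import re

# Assumed model: macros are written as {name}body{name}.
MACRO = re.compile(r"\{(\w+)\}(.*?)\{\1\}", re.DOTALL)

# Macros this toy renderer knows; each handler escapes its own body.
KNOWN_MACROS = {
    "noformat": lambda body: "<pre>" + html.escape(body) + "</pre>",
}

# Constructed input: a typo ("noformt") around markup taken from the
# template quoted in the issue description.
SAMPLE = ('{noformt}<tr><td width=20%><b>${cf.getString("name")}:'
          '</b></td></tr>{noformt}')


def render(text, escape_unknown_body):
    """Render wiki text to HTML.

    escape_unknown_body=False models the reported defect: the body of an
    unknown macro is written to the page as-is.
    escape_unknown_body=True models the fix: the body is HTML encoded.
    """
    out = []
    pos = 0
    for m in MACRO.finditer(text):
        # Text outside macros is always escaped.
        out.append(html.escape(text[pos:m.start()]))
        name, body = m.group(1), m.group(2)
        handler = KNOWN_MACROS.get(name)
        if handler is not None:
            out.append(handler(body))
        else:
            # Unknown macro: echo the tag and its body back to the reader.
            shown = html.escape(body) if escape_unknown_body else body
            out.append("{%s}%s{%s}" % (name, shown, name))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print("before fix:", render(SAMPLE, escape_unknown_body=False))
    print("after fix: ", render(SAMPLE, escape_unknown_body=True))
```

A regression test for a renderer of this kind should cover the failure path (unknown macro, malformed link) as well as the known macros, since the known-macro path escaped correctly in both versions.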


=Neal Applebaum added a comment - 10/Jul/06 08:44 AM
What's odd is that in TST-6152 it didn't escape one of the blocks but did the other.