
Inserted image filenames are not escaped properly as thumbnails

      When you insert an image as a thumbnail into a wiki page, the generated HTML does not properly escape the filename.

        1. 2.9.2.zip (190 kB)
        2. 2.8.2.zip (190 kB)

            [CONFSERVER-13625] Inserted image filenames are not escaped properly as thumbnails

            Andrew Prentice (Inactive) added a comment:

            tested latest 2.9.2 patch
            spaces in filenames are no longer replaced with "+"s, however, other non-alphanumeric characters are not being escaped
            e.g. the markup saved by the RTE (without roundtripping) for the following filenames:

            • !apos!trophe!.jpg
            • <script>.jpg

            is

            !!apos!trophe!.jpg|thumbnail!
            !<script>.jpg|thumbnail!

            This generates the following errors:

            Unable to render embedded object: File (<script>.jpg) not found.

            Andrew Prentice (Inactive) added a comment:

            latest 2.9.2 patch replaces expected Insert Image pop-up content with Insert Link pop-up content

            m@ (Inactive) added a comment:

            Patch fixes:

            1. This has been fixed in the latest 2.9.2 patch
            2. Is not caused by this patch but is a separate round trip issue.

            Andrew Prentice (Inactive) added a comment:

            1. Spaces in image filenames are replaced with "+" when image thumbnail is clicked in the Insert Image Pop-up, causing the thumbnail/image to not be displayed. Occurs in 2.9.2 & 2.8.2
            2. Apostrophes in image filenames cause the ! in the link markup to be escaped, resulting in the link rendered as text rather than a thumbnail image as expected.

            Andrew Prentice (Inactive) added a comment:

            verified fixed in 2.10-rc1

            m@ (Inactive) added a comment:

            • There were a few places where the filename wasn't being properly escaped.
            • Refactored the ImageInfo method to generate the popup HTML to use a proper js include
            • updated renderer to get fix for RNDR-47

            m@ (Inactive) added a comment:

            This is actually a security threat if the filename contains malicious JavaScript.

            m@ (Inactive) added a comment (edited):

            I had planned on doing this for 2.10, thought it was too hard and took it out. At this stage it's back in.

            Andrew Lynch (Inactive) added a comment:

            Can you fix this along with your other work in this area?

            m@ (Inactive) added a comment:

            Related to CONF-13338 but a bit worse. Double quotes break a few more things than single quotes.
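
The escaping the comments above call for, as an added example (not Confluence's code and not the patch attached to this issue): a thumbnail `<img>` builder with the filename concatenated raw, beside a version that percent-encodes it for the URL path and HTML-escapes it at output. The function names and the `/download/thumbnails/` URL layout are assumptions for illustration.

```javascript
// Added illustration; names and URL layout are assumptions, not Confluence code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for HTML text and quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Encode a filename as ONE URL path segment. encodeURIComponent emits %20 for a
// space (never "+", which only means "space" in form-encoded query strings) and
// leaves ! ' ( ) * untouched, so those are percent-encoded explicitly.
function encodePathSegment(name) {
  return encodeURIComponent(name).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// "Before": the filename is concatenated straight into the markup.
function thumbnailHtmlUnsafe(pageId, filename) {
  const url = '/download/thumbnails/' + pageId + '/' + filename;
  return '<img class="thumbnail" src="' + url + '" alt="' + filename + '">';
}

// "After": URL-encode for the path, then HTML-escape every value at output.
function thumbnailHtml(pageId, filename) {
  const url = '/download/thumbnails/' + encodeURIComponent(pageId) +
    '/' + encodePathSegment(filename);
  return '<img class="thumbnail" src="' + escapeHtml(url) +
    '" alt="' + escapeHtml(filename) + '">';
}

// Constructed sample filenames, modelled on the cases reported in this issue.
const samples = ['my photo.jpg', '!apos!trophe!.jpg', "it's.jpg", '<script>.jpg', 'double"quote.jpg'];
for (const name of samples) {
  console.log(thumbnailHtml('12345', name));
}
```

The two encodings are not interchangeable: the percent-encoded form belongs only in the URL, and the HTML-escaped form only in the markup, each applied once at the point of output.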

              mjensen m@ (Inactive)