Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-15548

The i18n in velocity templates does not auto html encode parameters

    XMLWordPrintable

Details

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      All the getText() methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module.

      The most straight forward way to fix this is to wrap the parameter inside double quotes to get it evaluated by Velocity before passing it to the getText() methods. The evaluation makes sure the value get auto html encoded.
      For example convert

      $action.getText("title.remove.page", [$action.getPage().getTitle()])

      to

      $action.getText("title.remove.page", ["$action.getPage().getTitle()"])

      The optimal fix would be to not mark those methods as HtmlSafe and instead have no html tags in our i18n messages (namely ConfluenceActionSupport.properties). But that seems not feasible at this time as there are too many html tags in there which could not be easily removed.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-26342 There is a reflected xss flaw in the settings.action of dailysummary settings.action.

          • Highest - Our top priority issues
          • Closed
          incorporates

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-15756 Edit Attachment Storage page has escaped <em></em> tags

          • Low - Low priority issues
          • Closed
          is related to

          Suggestion - CONFSERVER-13000 addActionError and addFieldError are inconsistent

          • Closed
          relates to

          Suggestion - CONFCLOUD-15548 The i18n in velocity templates does not auto html encode parameters

          • Closed
          mentioned in

          Wiki Page Loading...

          Wiki Page Loading...

          Activity

            People

              Unassigned Unassigned
              ckiehl Chris Kiehl
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: