Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-15548

The i18n in velocity templates does not auto html encode parameters

XMLWordPrintable

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      All the getText() methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module.

      The most straight forward way to fix this is to wrap the parameter inside double quotes to get it evaluated by Velocity before passing it to the getText() methods. The evaluation makes sure the value get auto html encoded.
      For example convert

      $action.getText("title.remove.page", [$action.getPage().getTitle()])

      to

      $action.getText("title.remove.page", ["$action.getPage().getTitle()"])

      The optimal fix would be to not mark those methods as HtmlSafe and instead have no html tags in our i18n messages (namely ConfluenceActionSupport.properties). But that seems not feasible at this time as there are too many html tags in there which could not be easily removed.

              Unassigned Unassigned
              ckiehl Chris Kiehl
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: