Loading...

XML

Word

Printable

Details

Type: Suggestion
Resolution: Answered
Component/s: None
Labels:

Feedback Policy:

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

Description

NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion.

All the getText() methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module.

The most straight forward way to fix this is to wrap the parameter inside double quotes to get it evaluated by Velocity before passing it to the getText() methods. The evaluation makes sure the value get auto html encoded.
For example convert

$action.getText("title.remove.page", [$action.getPage().getTitle()])

$action.getText("title.remove.page", ["$action.getPage().getTitle()"])

The optimal fix would be to not mark those methods as HtmlSafe and instead have no html tags in our i18n messages (namely ConfluenceActionSupport.properties). But that seems not feasible at this time as there are too many html tags in there which could not be easily removed.

Attachments

Issue Links

is related to

CONFCLOUD-13000 addActionError and addFieldError are inconsistent

Closed

CONFSERVER-15548 The i18n in velocity templates does not auto html encode parameters

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Chris Kiehl

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 07/May/2009 2:13 AM

Updated:: 19/Sep/2019 5:51 AM

Resolved:: 16/Jun/2014 6:23 AM