Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-15548

The i18n in velocity templates does not auto html encode parameters

XMLWordPrintable

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      All the getText() methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module.

      The most straight forward way to fix this is to wrap the parameter inside double quotes to get it evaluated by Velocity before passing it to the getText() methods. The evaluation makes sure the value get auto html encoded.
      For example convert

      $action.getText("title.remove.page", [$action.getPage().getTitle()])

      to

      $action.getText("title.remove.page", ["$action.getPage().getTitle()"])

      The optimal fix would be to not mark those methods as HtmlSafe and instead have no html tags in our i18n messages (namely ConfluenceActionSupport.properties). But that seems not feasible at this time as there are too many html tags in there which could not be easily removed.

            [CONFSERVER-15548] The i18n in velocity templates does not auto html encode parameters

            Sen Geronimo made changes -
            Workflow Original: JAC Suggestion Workflow 4 [ 3573979 ] New: JAC Suggestion Workflow 3 [ 4335646 ]
            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow 2 [ 3184226 ] New: JAC Suggestion Workflow 4 [ 3573979 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3029506 ] New: JAC Suggestion Workflow 2 [ 3184226 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing v4 [ 2535763 ] New: JAC Suggestion Workflow [ 3029506 ]
            Rachel Lin (Inactive) made changes -
            Workflow Original: Confluence Workflow - Public Facing v3 [ 2298788 ] New: Confluence Workflow - Public Facing v4 [ 2535763 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing v3 - TEMP [ 2194859 ] New: Confluence Workflow - Public Facing v3 [ 2298788 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing v3 [ 1947171 ] New: Confluence Workflow - Public Facing v3 - TEMP [ 2194859 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing v2 [ 1762194 ] New: Confluence Workflow - Public Facing v3 [ 1947171 ]
            jonah (Inactive) made changes -
            Description Original: All the getText() methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module.

            The most straight forward way to fix this is to wrap the parameter inside double quotes to get it evaluated by Velocity before passing it to the getText() methods. The evaluation makes sure the value get auto html encoded.
            For example convert
            {code}
            $action.getText("title.remove.page", [$action.getPage().getTitle()])
            {code}
            to
            {code}
            $action.getText("title.remove.page", ["$action.getPage().getTitle()"])
            {code}

            The optimal fix would be to not mark those methods as HtmlSafe and instead have no html tags in our i18n messages (namely ConfluenceActionSupport.properties). But that seems not feasible at this time as there are too many html tags in there which could not be easily removed.             		New: {panel:bgColor=#e7f4fa}
              *NOTE:* This suggestion is for *Confluence Server*. Using *Confluence Cloud*? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-15548].
              {panel}

            All the getText() methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module.

            The most straight forward way to fix this is to wrap the parameter inside double quotes to get it evaluated by Velocity before passing it to the getText() methods. The evaluation makes sure the value get auto html encoded.
            For example convert
            {code}
            $action.getText("title.remove.page", [$action.getPage().getTitle()])
            {code}
            to
            {code}
            $action.getText("title.remove.page", ["$action.getPage().getTitle()"])
            {code}

            The optimal fix would be to not mark those methods as HtmlSafe and instead have no html tags in our i18n messages (namely ConfluenceActionSupport.properties). But that seems not feasible at this time as there are too many html tags in there which could not be easily removed.
            jonah (Inactive) made changes -
            Link New: This issue relates to CONFCLOUD-15548 [ CONFCLOUD-15548 ]

              Unassigned Unassigned
              ckiehl Chris Kiehl
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: