Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-15621

Username with ampersand breaks the profile macro, follow macro and personal space sidebar

XMLWordPrintable

      See https://qa-cac.atlassian.com/browsepeople.action

      There is a pink error being given:

      profile: No user ©chris

        1. CONF-15621.patch
          17 kB

          Form Name

            [CONFSERVER-15621] Username with ampersand breaks the profile macro, follow macro and personal space sidebar

            Brian Nguyen (Inactive) added a comment -

            Ok I've fixed this for:

            • Profile
            • Personal sidebar
            • People Directory
            • User Hover
            • Follow
            • User Logos

            What I haven't fixed:

            • Viewing personal spaces and profiles when there are slashes in the username (its the /display/ url that is foobar)

            Brian Nguyen (Inactive) added a comment - Ok I've fixed this for: Profile Personal sidebar People Directory User Hover Follow User Logos What I haven't fixed: Viewing personal spaces and profiles when there are slashes in the username (its the /display/ url that is foobar)

            Matt Ryall added a comment -

            I spoke to Brian about this. We want to avoid using marking usernames as HtmlSafe because they actually aren't.

            The proper solution is to do all the following:

            • avoid automatically HTML encoding the username in macro parameters – solvable with a new GlobalHelper.renderConfluenceMacro that takes a String.format()-style string1
            • avoid automatically HTML encoding the username in the user hover ID – solvable by adding a new Velocity macro to menu-macros.vm which uses a variable with an 'Html' suffix
            • ensure usernames in URLs are URL-encoded, in addition to automatic HTML encoding – solvable with GeneralUtil.urlEncode().

            I don't think this solution is particularly risky, but on the other hand, the bug is quite low priority. I'm certain there are many other problems in Confluence using usernames with ampersands, not just in the new functionality.

            1 It's preferable to use String.format() instead of MessageFormat because macros use curly braces and escaping them for MessageFormat would be a hassle.

            Matt Ryall added a comment - I spoke to Brian about this. We want to avoid using marking usernames as HtmlSafe because they actually aren't. The proper solution is to do all the following: avoid automatically HTML encoding the username in macro parameters – solvable with a new GlobalHelper.renderConfluenceMacro that takes a String.format()-style string 1 avoid automatically HTML encoding the username in the user hover ID – solvable by adding a new Velocity macro to menu-macros.vm which uses a variable with an 'Html' suffix ensure usernames in URLs are URL-encoded, in addition to automatic HTML encoding – solvable with GeneralUtil.urlEncode(). I don't think this solution is particularly risky, but on the other hand, the bug is quite low priority. I'm certain there are many other problems in Confluence using usernames with ampersands, not just in the new functionality. 1 It's preferable to use String.format() instead of MessageFormat because macros use curly braces and escaping them for MessageFormat would be a hassle.

            AudraA added a comment -

            fine for defer to 3.0.1

            AudraA added a comment - fine for defer to 3.0.1

            Brian Nguyen (Inactive) added a comment -

            Proposed changeset

            https://svn.atlassian.com/atlaseye/cru/CR-CONF-265

            Brian Nguyen (Inactive) added a comment - Proposed changeset https://svn.atlassian.com/atlaseye/cru/CR-CONF-265

            Paul Curren added a comment -

            As Brian says the fixes in his attached patch introduce a possible XSS vector. So we need a better fix and it has wide impact across the application.

            Basically, it feels too risky to fix this at this stage in 3.0 development. Moving to 3.0.1.

            Paul Curren added a comment - As Brian says the fixes in his attached patch introduce a possible XSS vector. So we need a better fix and it has wide impact across the application. Basically, it feels too risky to fix this at this stage in 3.0 development. Moving to 3.0.1.

            Brian Nguyen (Inactive) added a comment -

            I've fixed (not committed)

            • People Directory
            • Follow
            • Hover
            • Profile tabs

            Brian Nguyen (Inactive) added a comment - I've fixed (not committed) People Directory Follow Hover Profile tabs

            Brian Nguyen (Inactive) added a comment -

            To fix this, I've had to prevent xss encoding on usernames. This SHOULDN'T be a problem since we don't print the username out anywhere, and the macros that are breaking don't either. But it should still be considered a risk.

            I'd prefer to ignore the problem since 2.10 had numerous problems with users with ampersands and it would take us an infinitely long time to find them all. But then again the error in CAC is highly visible...

            Brian Nguyen (Inactive) added a comment - To fix this, I've had to prevent xss encoding on usernames. This SHOULDN'T be a problem since we don't print the username out anywhere, and the macros that are breaking don't either. But it should still be considered a risk. I'd prefer to ignore the problem since 2.10 had numerous problems with users with ampersands and it would take us an infinitely long time to find them all. But then again the error in CAC is highly visible...

            Brian Nguyen (Inactive) added a comment - - edited

            Ok the problem is that ampersands, commas and other special characters screw everything up. This existed in 2,10 as well but I'll fix as many up as I can find.

            List at the moment

            3.0 Specific

            • User Hover
            • User Profile Pics
            • People Directory
            • User Follow
            • Activity
            • Personal Space Sidebar

            Exists in 2.10

            • Administer user link in user profile
            • View User link in user managment
            • /display/ links (seems to work intermittently)

            Brian Nguyen (Inactive) added a comment - - edited Ok the problem is that ampersands, commas and other special characters screw everything up. This existed in 2,10 as well but I'll fix as many up as I can find. List at the moment 3.0 Specific User Hover User Profile Pics People Directory User Follow Activity Personal Space Sidebar Exists in 2.10 Administer user link in user profile View User link in user managment /display/ links (seems to work intermittently)

              bnguyen Brian Nguyen (Inactive)
              mhrynczak Mark Hrynczak (Inactive)
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: