Kuali Rice Development / KULRICE-11437

Verify that XSS protection fix hasn't disabled HTML support in tooltip help

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 2.4
    • Component/s: Development
    • Security Level: Public (anyone can view)
    • Labels:
      None
    • Similar issues:
      KULRICE-10352: Document HTML escaping support in Security Guide
      KULRICE-1851: vulnerable to XSS
      KULRICE-8741: Rich message support for tooltip text
      KULRICE-2920: Fix XSS vulnerability in question framework.d
      KULRICE-13441: AFT Gap KRAD Library Widgets Tooltip HTML
      KULRICE-13259: Widgets tooltip help not displayed correctly
      KULRICE-1225: Verify CXF is a valid library to use
    • Rice Module:
      KRAD
    • Application Requirement:
      Rice
    • Sprint:
      2.4.0-m4 KRAD Sprint 1
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required
    • Code Review Status:
      Not Required
    • Include in Release Notes?:
      Yes

      Description

      Field help should support HTML content such as

      <bean parent="Uif-TextControl">
           <property name="help">
               <bean parent="Uif-Help" p:tooltipHelpContent="This is my &lt;u&gt;help&lt;/u&gt; text"/>
           </property>
      </bean>
      

      as found on the "Text Controls" section title of Uif Components -> Input Fields and Controls -> Input Fields, but it does not work.

      The sample on the "Checkbox" label of the KRAD Library -> Widgets -> Help does work.

      Verify that the XSS protection from KULRICE-10171 hasn't affected the HTML support and analyze solutions if needed.
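
      An added example (not Rice code, and not a statement of how KRAD renders tooltips) showing what blanket HTML escaping would do to the tooltip value above, next to one way a check could keep plain formatting tags while escaping everything else. The `<beans>` wrapper, the tag allowlist and the function names are assumptions made for the illustration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Spring p-namespace; the <beans> wrapper is constructed so the p: prefix resolves.
P_NS = "http://www.springframework.org/schema/p"
BEAN_XML = f'''<beans xmlns:p="{P_NS}">
  <bean parent="Uif-TextControl">
    <property name="help">
      <bean parent="Uif-Help" p:tooltipHelpContent="This is my &lt;u&gt;help&lt;/u&gt; text"/>
    </property>
  </bean>
</beans>'''

# Assumed allowlist of attribute-free formatting tags (not taken from Rice).
ALLOWED_TAGS = ("b", "i", "u", "em", "strong", "br")
_TAG_RE = re.compile(r"&lt;(/?)(%s)&gt;" % "|".join(ALLOWED_TAGS))


def tooltip_from_bean(xml_text):
    """Return the tooltip string as the application sees it after XML parsing."""
    root = ET.fromstring(xml_text)
    for bean in root.iter("bean"):
        value = bean.get(f"{{{P_NS}}}tooltipHelpContent")
        if value is not None:
            return value  # XML entities are already decoded here: "<u>help</u>"
    raise ValueError("no tooltipHelpContent attribute found")


def escape_all(value):
    """Blanket output escaping: safe, but formatting tags show up as literal text."""
    return html.escape(value, quote=True)


def escape_except_allowlist(value):
    """Escape everything first, then restore only bare allowlisted tags.

    Tags carrying attributes (e.g. event handlers) never match and stay escaped.
    """
    return _TAG_RE.sub(r"<\1\2>", html.escape(value, quote=True))


if __name__ == "__main__":
    raw = tooltip_from_bean(BEAN_XML)
    print("after XML parse   :", raw)
    print("blanket escape    :", escape_all(raw))
    print("allowlist restore :", escape_except_allowlist(raw))
```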

        Activity

        Erik Meade added a comment -

        WidgetsHelpCheckboxTooltipHtmlFormatted.png appears to have been fixed somewhere along the way.

        Erik Meade added a comment -

        WidgetsHelpCheckboxTooltipHtmlFormatted.png I disabled Spring defaultHtmlEscape, but the text tooltip still does not format HTML.

        Erik Meade added a comment -

        HTML support in the Check box tooltip now works. HTML support in the Text Field tooltip doesn't work when XSS protection is disabled; the issue appears to be someplace else.


          People

          • Assignee:
            Erik Meade
          • Reporter:
            Claus Niesen
          • Votes:
            0
          • Watchers:
            2


              Time Tracking

              • Estimated: 4h
              • Remaining: 2h 30m
              • Logged: 1h 30m
