Kuali Rice Development
KULRICE-12391

Display fields don’t decode html encoded characters (i.e. ')

    Details

    • Type: Bug Fix
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.1
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels: None
    • Rice Team: Framework
    • Rice Module: KRAD
    • Sprint: Framework 2.5.1 Sprint 3
    • KAI Review Status: Not Required
    • KTI Review Status: Not Required
    • Code Review Status: Not Required
    • Include in Release Notes?: Yes
    • Story Points: 3

      Description

      Display fields don’t decode html encoded characters (i.e. ')

      Enter some text that needs to be encoded, like "don't", save the document and then display it via an inquiry. Notice that the apostrophe isn't decoded.

            Activity

            kbtaylor Kristina Taylor (Inactive) added a comment -

            Actually it's more like KRAD encodes them. DataFieldBase.escapeHtmlInPropertyValue is always set to true. Since Travel Account's inquiry is auto generated, there's no really good way of fixing this specifically, but I do question why we automatically set this to true. I'd like Jerry to weigh in.

            lsymms Larry Symms added a comment -

            We resolved this by disabling defaultHtmlEscape in web.xml which exposes us to XSS (that's bad). We have the same problem in lookups. Seems like if the default is to escape html entered values for input components, the default should be to unescape all values (this could/will decrease performance).

            cniesen Claus Niesen added a comment - edited

            The html encoding happens twice:

            • once globally by spring (web.xml)
                <context-param>
                  <param-name>defaultHtmlEscape</param-name>
                  <param-value>true</param-value>
                </context-param>
              
            • and a second time locally via freemarker (dataInputField.ftl)
                <#-- check escape flag -->
                <#if field.escapeHtmlInPropertyValue>
                  ${(spring.status.value?default(""))?html}
                <#else>
                  ${(spring.status.value?default(""))}
                </#if>
              

            Now the question is: do we still need to support the escapeHtmlInPropertyValue option?

            cniesen Claus Niesen added a comment -

            Jeff R. pointed out the original code in dataInputField.ftl that used to work. With bindEscaped the escapeHtmlInPropertyValue will override the global spring settings.

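            The two comments above describe a value being escaped twice (Spring's defaultHtmlEscape in web.xml, then the ?html built-in in dataInputField.ftl) and the fix of letting the field-level flag decide once via bindEscaped. The following is an added example, not Rice code: it models both pipelines in plain Python (a deliberate stand-in for the Java/FreeMarker stack) so the double-encoding symptom, the single-escape fix, and a detection check for double-escaped output can be run offline. The function names, the sample inputs, and the "field flag wins" model of bindEscaped are assumptions of this example.

```python
"""Model of the two HTML-escaping layers described in the KULRICE-12391 comments.

This is an added example, not Rice code. It imitates Spring's global
defaultHtmlEscape (web.xml) and FreeMarker's ?html built-in guarded by
escapeHtmlInPropertyValue (dataInputField.ftl) with plain Python functions,
so the double-encoding symptom and the single-escape fix can be checked offline.
"""
import html
import re

# The five characters Spring's HtmlUtils.htmlEscape replaces. The apostrophe
# becomes &#39;, which is the sequence the issue reports as never being decoded.
_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def html_escape(value: str) -> str:
    """Escape a value exactly once (one pass, character by character)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_broken(value: str, default_html_escape: bool = True,
                  escape_html_in_property_value: bool = True) -> str:
    """Pre-fix pipeline: layer 1 is the web.xml defaultHtmlEscape context-param,
    layer 2 is the ?html built-in in dataInputField.ftl. Both default to true,
    so an already-escaped value is escaped a second time."""
    rendered = html_escape(value) if default_html_escape else value
    if escape_html_in_property_value:
        rendered = html_escape(rendered)
    return rendered


def render_fixed(value: str, default_html_escape: bool = True,
                 escape_html_in_property_value: bool = True) -> str:
    """Post-fix pipeline as the last comment describes it: binding with
    bindEscaped lets the field-level escapeHtmlInPropertyValue flag override the
    global setting, so the value is escaped at most once. Assumption of this
    model: the field flag alone decides; default_html_escape is accepted only so
    both pipelines take the same arguments. A field rendered with the flag off
    is emitted raw, which is the XSS exposure the second comment warns about."""
    return html_escape(value) if escape_html_in_property_value else value


def displayed_text(markup: str) -> str:
    """What the browser shows for the rendered markup: entities decoded once."""
    return html.unescape(markup)


# An entity whose own ampersand was escaped again: &amp;#39;, &amp;lt;, ...
_DOUBLE_ENCODED = re.compile(r"&amp;(?:#\d+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def find_double_encoding(markup: str) -> list:
    """Heuristic check for a rendering test: list the double-escaped entity
    sequences in the output. A correct single escape of ordinary text produces
    none; the only false positive is a user who literally typed an entity such
    as '&lt;' (one correct escape of that also yields '&amp;lt;')."""
    return _DOUBLE_ENCODED.findall(markup)


if __name__ == "__main__":
    # Constructed sample values: the apostrophe case from the issue, plus
    # markup that the single escape must still neutralise.
    for sample in ["don't", '<b>"bold"</b> & co']:
        broken, fixed = render_broken(sample), render_fixed(sample)
        print(f"input:  {sample!r}")
        print(f"broken: {broken!r} -> browser shows {displayed_text(broken)!r}")
        print(f"fixed:  {fixed!r} -> browser shows {displayed_text(fixed)!r}")
        print(f"double-encoded entities in broken output: {find_double_encoding(broken)}")
```

            The broken pipeline turns `don't` into `don&amp;#39;t`, which a browser displays as the literal `don&#39;t` from the issue title; the fixed pipeline emits `don&#39;t` once and the browser shows `don't`, while markup such as `<b>` is still rendered as text rather than executed. The `find_double_encoding` check is the kind of assertion a rendering test can carry so the second layer cannot creep back in unnoticed.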
            mztaylor Martin Taylor (Inactive) added a comment -

            Closing 2.5.1 Development


              People

              • Assignee: cniesen Claus Niesen
              • Reporter: cniesen Claus Niesen
              • Votes: 0
              • Watchers: 4