Bug #30003
closed
Page Module: Texts of Content Elements are escaped twice
Added by Steffen Gebert about 13 years ago.
Updated over 11 years ago.
Category: Backend User Interface
Description
In the Page module, the teaser text of every Content Element gets escaped twice, thus displaying HTML special characters like & as &amp;.
- Status changed from New to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to New
- % Done changed from 100 to 0
Only committed in a sandbox, not in Core yet.
- Subject changed from Texts of Content Element are escaped twice to Page Module: Texts of Content Elements are escaped twice
- Status changed from New to Accepted
- Assignee set to Steffen Gebert
Steffen, are you going to put this to the Core branches as well?
I am not sure if this is a good idea concerning security.
Yes, I plan to do so. I just want to have a closer look again. I can't imagine that it can cause XSS, I just think that nobody ever cared (problem already existed with 4.1).
If you want to have a look / push it, feel free to do so!
Georg, there are two htmlspecialchars() in a row. That's why I'm pretty sure that nothing can disable one of them in between (however I want to check again to make sure).
- Status changed from Accepted to Closed
Duplicate of #16612.
Resolved at least in 6.1. Neither encoded quotes or nbsp signs, nor HTML tags are incorrectly displayed in the page module now.
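The question raised in the comments above (two htmlspecialchars() calls in a row, and whether anything could undo one of them in between), as an added PHP example that is not TYPO3 code and does not come from the issue's participants. All function names and sample strings are constructed for illustration.

```php
<?php
// Added illustration, not TYPO3 Core code. All names and samples are constructed.

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Reported behaviour: two escapes in a row, so "&" is shown as "&amp;".
function teaserEscapedTwice(string $text): string
{
    return esc(esc($text));
}

// Intended behaviour: exactly one escape at output time.
function teaserEscapedOnce(string $text): string
{
    return esc($text);
}

// Hypothetical pipeline with a decode between the two escapes. Only the
// outer escape is effective here, so dropping it would emit raw markup.
function teaserWithDecodeBetween(string $text, bool $keepOuter): string
{
    $inner = html_entity_decode(esc($text), ENT_QUOTES, 'UTF-8');
    return $keepOuter ? esc($inner) : $inner;
}

// Review aid: true if an entity's ampersand was itself escaped again.
// Text that literally contains "&amp;" also matches after one escape.
function looksDoubleEscaped(string $html): bool
{
    return preg_match('/&amp;(?:amp|lt|gt|quot|#0?39);/', $html) === 1;
}

foreach (['Tom & Jerry', '<b>Teaser</b>'] as $sample) {
    $outputs = [
        'twice'            => teaserEscapedTwice($sample),
        'once'             => teaserEscapedOnce($sample),
        'decode, no outer' => teaserWithDecodeBetween($sample, false),
    ];
    foreach ($outputs as $label => $html) {
        printf("%-17s %-32s double=%s raw=%s\n", $label, $html,
            var_export(looksDoubleEscaped($html), true),
            var_export(strpbrk($html, '<>') !== false, true));
    }
}
```

Removing one of two adjacent escapes leaves the output escaped exactly once; the third pipeline shows the case that has to be ruled out before doing so.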