Like some other threads already state, growl does not escape its messages. Thus \n newlines and such cause it to fail.
It also fails with any HTML-like input (danger of XSS as well; just test it in the showcase).
I don't know whether this is "intended" behaviour. At least an escape attribute (like in h:outputText etc.) would be nice.
There is already Issue 2711 in the bugtracker. How and when will this be solved?
Growl not escaping messages
- Prime
- Posts: 18616
- Joined: 05 Jan 2009, 00:21
- Location: Cybertron
I'll fix it after lunch
- Prime
Done!
Wow, that was fast!
I've only looked at your code changes in r6012, and they look as if HTML-like content in the message title/summary (e.g. "<b>bold</b>") will still slip through (i.e. not get escaped).
Couldn't this cause problems if a growl message accidentally (by chance, breaking page validation) or intentionally (due to some XSS attack) contains HTML-like fragments?
- Prime
I see, I thought you mentioned escaping special characters like double quotes, as growl uses a JSON-like syntax. I've now added HTML character escaping as well.
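The two kinds of escaping this thread ends up with (JS-string escaping so quotes and newlines do not break the JSON-like literal, and HTML escaping so tags in a summary/detail are not rendered), shown as an added JavaScript example. This is not PrimeFaces code and not the r6012 change; it emulates a renderer writing messages into an object literal inside a script block. The literal shape, the function names, and the sample messages are all constructed for the example. Escaping "</" and U+2028/U+2029 goes beyond what the thread mentions and is extra hardening.

```javascript
// Added example, not PrimeFaces code. It emulates a growl renderer that
// writes messages into a JSON-like object literal inside a <script> block and
// shows why both JS-string escaping (quotes, newlines) and HTML escaping are
// needed. The literal shape and all function names are assumptions.

// Constructed sample messages, the kind a server-side renderer would emit.
const SAMPLE_MESSAGES = [
  { severity: 'info', summary: 'Line one\nLine two', detail: 'He said "hi"' },
  { severity: 'warn', summary: '<b>bold</b>', detail: '<img src=x onerror=alert(1)>' },
];

// Naive renderer: values are concatenated straight into the object literal.
function renderNaive(msgs) {
  const parts = msgs.map(m =>
    `{severity:"${m.severity}",summary:"${m.summary}",detail:"${m.detail}"}`);
  return `[${parts.join(',')}]`;
}

// Escape a value so it is a valid double-quoted JS string literal. Backslash
// first, then quote, then the line terminators that break a literal. "</" is
// escaped too so the literal can never close an enclosing <script> element.
function escapeJsString(value) {
  return String(value)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\t/g, '\\t')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');
}

// Escape the characters that let text be interpreted as HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Hardened renderer: HTML-escape what the user will see, then JS-escape the
// result for transport inside the script literal. Order matters: the HTML
// escape must happen first so the entities arrive intact in the DOM.
function renderSafe(msgs) {
  const parts = msgs.map(m => {
    const severity = escapeJsString(escapeHtml(m.severity));
    const summary = escapeJsString(escapeHtml(m.summary));
    const detail = escapeJsString(escapeHtml(m.detail));
    return `{severity:"${severity}",summary:"${summary}",detail:"${detail}"}`;
  });
  return `[${parts.join(',')}]`;
}

// Evaluate the rendered literal the way the browser would when the page's
// <script> block runs. A broken literal shows up as a SyntaxError.
function evaluateLiteral(source) {
  try {
    return { ok: true, value: new Function(`return ${source};`)() };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Stand-in for the widget's display step, which inserts summary/detail as
// HTML: anything that still looks like a tag would be rendered as markup.
function containsMarkup(text) {
  return /<[a-z!\/]/i.test(text);
}

// Demonstration output.
const naive = evaluateLiteral(renderNaive(SAMPLE_MESSAGES));
console.log('naive render parses:', naive.ok, naive.error || '');
const safe = evaluateLiteral(renderSafe(SAMPLE_MESSAGES));
console.log('safe render parses:', safe.ok);
console.log('safe summary #2:', safe.value[1].summary);
```

With the first sample message the naive literal does not even parse (a raw newline and unescaped quotes inside a string literal), which is the "fails with \n" symptom from the first post; with only the second message it parses fine but the summary still contains `<b>`, which is the gap pointed out about r6012. The hardened renderer round-trips the newline as an actual newline character and delivers the tags as entities.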