FLUID-4050: Renderer does not escape UIBound values correctly (esp character " - double quote)

Metadata

Source: FLUID-4050
Type: Bug
Priority: Major
Status: Closed
Resolution: Fixed
Assignee: Michelle D'Souza
Reporter: Antranig Basman
Created: 2011-02-02T18:44:37.051-0500
Updated: 2011-02-04T12:27:31.479-0500
Versions: 1.3
Fixed Versions: 1.3.1
Component: Renderer

Description

UIBound values output by the renderer are not XMLEncoded properly. In most cases the browser can "auto-repair" the attribute value but for the case of double quote " it can only assume that the attribute value has terminated. This is a serious data integrity risk.
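The data loss described above, shown as an added example that is not part of the original report or the Fluid renderer's own code. All function names and the sample value are hypothetical, and readValueAttribute is a simplified stand-in for how a parser reads a double-quoted attribute.

```javascript
// Added example: hypothetical names, not Fluid Infusion's API.

// Encode a bound value for use inside a double-quoted attribute.
function xmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// "Before": the bound value is concatenated into the markup unchanged.
function renderInputRaw(value) {
  return '<input type="text" value="' + value + '"/>';
}

// "After": the bound value is encoded before it reaches the attribute.
function renderInputEncoded(value) {
  return '<input type="text" value="' + xmlEncode(value) + '"/>';
}

// Simplified parser stand-in: the attribute value ends at the next
// double quote, then entities are decoded (&amp; last, so that an
// encoded "&amp;quot;" is not decoded twice).
function readValueAttribute(markup) {
  const match = /value="([^"]*)"/.exec(markup);
  if (!match) return null;
  return match[1]
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Constructed sample value containing double quotes and an ampersand.
const bound = 'The "Blue" Period & after';

// Unencoded: the parser sees the value end at the first embedded quote.
console.log(JSON.stringify(readValueAttribute(renderInputRaw(bound))));
// Encoded: the value round-trips intact.
console.log(JSON.stringify(readValueAttribute(renderInputEncoded(bound))));
```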

Comments

  • Antranig Basman commented 2011-02-04T04:07:39.567-0500

    Fixed at git revision 97baeb6 - fix handles cases of input type = text, radio, free attribute decorator and link targets - this should be exhaustive but it is possible that a case has been missed.

  • Michelle D'Souza commented 2011-02-04T12:27:31.468-0500

    Tested in collectionspace - double quotes are now encoded correctly.