Opened 17 years ago
Closed 17 years ago
#428 closed defect (fixed)
HTML tags in annotation values are not escaped
| Reported by: | Nicklas Nordborg | Owned by: | Martin Svensson |
|---|---|---|---|
| Priority: | major | Milestone: | BASE 2.2 |
| Component: | web | Version: | 2.1 |
| Keywords: | Cc: |
Description
Keith Ching wrote:
it seems you can make a String annotation type and attach it to raw bioassay and fill it with
<a href="javascript:Main.downloadFile('34537569891fa9bf', 142)"> <img border=0 class="icon" title="Download the contents of this file" src="/base2/images/download.gif"></a>
which will produce a link to the specified raw file.
Wow, that's a bug, HTML tags should be escaped. Besides, it won't work anyway, since the first parameter to the downloadFile function is a session ID and is different for every time you login.
Change History (4)
comment:1 by , 17 years ago
comment:2 by , 17 years ago
| Milestone: | BASE 2.1.1 → BASE 2.2 |
|---|
Moved to milestone 2.2 since it interfers with changes that has been made in 2.2.
comment:3 by , 17 years ago
| Status: | new → assigned |
|---|
comment:4 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
I seems that both the view page and list pages is affected by this. The view page is shared among all items (/www/common/annotations/list_annotations.jsp), but the list pages are not. The "Inherit annotations" page is also affected. Maybe there are even more places that are affected. For example: