Skip Navigation LinksHome Page > Forums > SpiraTeam Forums > SpiraTeam Issues & Qu... > funny html injection...
Try to enter the following string using the HTML Editor for requirements an save it the
page will hang on !! and be no more usable.
"-<Object -" (Hex: 26 6C 74 3B 4F 62 6A 65 63 74 20) the last invisible character (code 20!) is necessary to reproduce the error!
How we got this: We copied the following text from a word document into the requirement description changed the color of the text description "description" and set the font type to bold using the embedded HTML editor and got an amazing result after saving:
generated html code:
<P><SPAN style="FONT-FAMILY: Arial"><FONT size=3>The (short)name and the description of plants and function groups have to be exported to moduWeb. See also RQ:000578 in CASE Vision.</FONT></SPAN></P><P><SPAN style="FONT-FAMILY: Arial"><FONT size=3>The analysis has shown, that the XML export to moduWeb in CB 2.5 already included<BR>- name and description for plants (Example: <SPAN style="COLOR: #3333ff"><</SPAN><SPAN style="COLOR: #660000">Plant </SPAN><SPAN style="COLOR: red">Name</SPAN><SPAN style="COLOR: #3333ff">="LU04" </SPAN><SPAN style="COLOR: red">Description</SPAN><SPAN style="COLOR: #3333ff">="L++ftung 1" </SPAN><SPAN style="COLOR: red">PNGFile</SPAN><SPAN style="COLOR: #3333ff">="LU04.PNG"></SPAN>)<BR>- name for function groups (Example: <SPAN style="COLOR: #3333ff"><</SPAN><SPAN style="COLOR: #660000">FunctionGroup </SPAN><SPAN style="COLOR: red">Name</SPAN><SPAN style="COLOR: #3333ff">="FG01"></SPAN>)</FONT></SPAN></P><P><SPAN style="FONT-FAMILY: Arial"><FONT size=3>So the only newly required field is the description for function groups.<BR>This field will be added in the XML file as shown in the following example:</FONT></SPAN></P><P><FONT size=3><SPAN style="FONT-FAMILY: Arial; COLOR: #3333ff"><</SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: #660000">Plant </SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: red">Name</SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: #3333ff">="LU04" </SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: red">Description</SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: #3333ff">="L++ftung 1" </SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: red">PNGFile</SPAN></FONT><FONT size=3><SPAN style="FONT-FAMILY: Arial; COLOR: #3333ff">="LU04.PNG"><BR> <</SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: #660000">FunctionGroup </SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: red">Name</SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: #3333ff">="FG01" </SPAN><STRONG><SPAN style="FONT-FAMILY: Arial; COLOR: red"><FONT color=#ff0000>Description</FONT></SPAN></STRONG><STRONG><SPAN style="FONT-FAMILY: Arial; COLOR: #3333ff"><FONT color=#6600cc><FONT color=#3333ff>="</FONT></FONT><FONT color=#3333ff>Description</FONT>"</SPAN></STRONG></FONT><FONT size=3><SPAN style="FONT-FAMILY: Arial; COLOR: #3333ff">><BR> <</SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: #660000">Object </SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: red">Name</SPAN><SPAN style="FONT-FAMILY: Arial; COLOR: #3333ff">="Ausgang Radiatorventil"...</SPAN><SPAN style="FONT-FAMILY: Arial"></SPAN></FONT></P><P><STRONG><SPAN style="FONT-FAMILY: Arial"><FONT size=3>Remarks:</FONT></SPAN></STRONG><B><SPAN style="FONT-FAMILY: Arial"><BR></SPAN></B><SPAN style="FONT-FAMILY: Arial"><FONT size=3>- For plants the (short)name is taken from the field "Plant" in table Prj_PE_Main<BR>- For function groups the (short)name is taken from the field "FnctGroup" in table Prj_PE_Main<BR>- The descriptions are taken from the field "Description" in table Prj_PE_Main for both cases<BR>- In table Prj_PE_Main, a field with name "ShortName" exists, but is not used here. Is is a user-editable additional shorter description, which is in practice almost alway empty</FONT></SPAN></P>
the problematic string sequence is highlighted...
In such situations we recommend clicking on the < > icon before pasting so that you actually only paste in the plain text.
We're also planning on adding additional paste options to the HTML editor so that you can paste as plain text. The control does currently attempt to strip out unnecessary formatting to prevent such issues, but sometimes plain text is the only way I'm afraid.
In v4.1 when using IE you can right-click on the text editor and choose Paste Plain Text.
And if you have any questions, please email or call us at +1 (202) 558-6885
