Details
Assignee
Unassigned
Reporter
Zac Spitzer
Priority
New
Created 30 August 2021 at 12:58
Updated 30 August 2021 at 12:58
HtmlEditFormat and HtmlCodeFormat use an older approach to HTML encoding, which doesn't handle escaping as well as the ESAPI library does, leading to vulnerabilities.
https://docs.lucee.org/reference/functions/htmlcodeformat.html
https://docs.lucee.org/reference/functions/htmleditformat.html
Let's change the default version to be ESAPI
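An added illustration, not code from Lucee or from this issue: the two approaches modelled in Python. A fixed replace-list encoder stands in for the older functions (the exact character set it handles is an assumption, not Lucee's actual behaviour), beside an allow-list encoder modelled on ESAPI's HTML codec, plus a check for tag and attribute delimiter characters that survive encoding.

```python
import html
import re

# Assumed model of the older approach (a fixed replace-list): only & < > "
# are rewritten; every other character, including ' / and =, passes through.
LEGACY_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}

def legacy_html_encode(s: str) -> str:
    return "".join(LEGACY_MAP.get(c, c) for c in s)

# ESAPI-style allow-list encoder, modelled on (not copied from) ESAPI's
# HTMLEntityCodec: ASCII alphanumerics and a few immune characters pass,
# everything else becomes an entity, named where one exists, else numeric.
IMMUNE = set(",.-_ ")
NAMED = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}

def esapi_style_html_encode(s: str) -> str:
    out = []
    for c in s:
        if (c.isascii() and c.isalnum()) or c in IMMUNE:
            out.append(c)
        elif c in NAMED:
            out.append(NAMED[c])
        else:
            out.append(f"&#x{ord(c):x};")
    return "".join(out)

# Characters that can end a quoted attribute value, start a tag, or change
# how an unquoted attribute is parsed. None of them should survive encoding.
DELIMITERS = re.compile(r"""[<>"'`=/]""")

def leaves_delimiters(encoded: str) -> bool:
    return DELIMITERS.search(encoded) is not None

def round_trips(original: str, encoded: str) -> bool:
    # A correct encoder is lossless: decoding yields the original text.
    return html.unescape(encoded) == original

# Constructed sample: ordinary text that happens to contain every
# character a replace-list encoder might overlook.
SAMPLE = """O'Reilly & Sons <b>bold</b> "quoted" a=b"""

if __name__ == "__main__":
    for name, fn in (("legacy", legacy_html_encode),
                     ("esapi-style", esapi_style_html_encode)):
        enc = fn(SAMPLE)
        print(f"{name:12} {enc}")
        print(f"{'':12} delimiters left: {leaves_delimiters(enc)}, "
              f"lossless: {round_trips(SAMPLE, enc)}")
```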