' --> ' is HTML-encoded inside a text field

Article ID: 14797

Products

Clarity PPM On Premise Clarity PPM SaaS

Issue/Introduction

Writing "-->" in a string field corrupts the content with escaped HTML characters. If you enter the text ‘-->’, for example in the Description field of a project, and click the Save button, it is stored in its HTML-encoded form (the '>' is replaced by its HTML entity). What causes the HTML special character to be converted to its corresponding HTML code? This issue reproduces in many fields of many objects (including Risks, Ideas and Projects).

Steps to Reproduce:

  1. Go to the Description field of the project and type in the following: -->
  2. Click the ‘Save’ button

Expected Result: To see this ‘-->’

Actual Result: The text is saved in HTML-encoded form, with the '>' shown as its HTML entity

Sample screenshots (Before and After; images not included here).

Environment

Release: All Supported

Cause

This is working as expected.

Resolution

‘-->’ matches one of the XSS patterns that can be used in a cross-site scripting attack. ‘-->’ is one of the strings stored in the 'CMN_OPTION_VALUES' table for option code ‘CMN.XSS.PATTERNS’, so on save it is encoded to its HTML code.

Running the query below lists all the configured XSS patterns. Clarity matches the entered text against these patterns and, on a match, converts the HTML special character to its HTML code.

SELECT * FROM CMN_OPTION_VALUES WHERE OPTION_ID = (SELECT ID FROM CMN_OPTIONS WHERE OPTION_CODE = 'CMN.XSS.PATTERNS');
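The following Python snippet is an added illustration of the save-time behaviour described above; it is not Clarity code and the product's real pattern list comes only from the CMN_OPTION_VALUES query. The pattern list here is constructed: '-->' is the one entry the article confirms, the other entries are assumptions. It shows why only text matching a configured pattern gets encoded, why unrelated text containing '>' is stored as typed, and why an HTML entity escape text (assumed here to be '&rarr;') passes the filter unchanged and only becomes an arrow once a renderer such as the PDF export decodes entities.

```python
import html

# Constructed stand-in for the rows of CMN_OPTION_VALUES under option code
# CMN.XSS.PATTERNS. Only '-->' is confirmed by the article; the rest are
# assumed examples of the kind of token such a list typically holds.
XSS_PATTERNS = ["-->", "<script", "javascript:", "onerror="]


def matches_xss_pattern(value, patterns=XSS_PATTERNS):
    """Return the first configured pattern found in value (case-insensitive), or None."""
    lowered = value.lower()
    for pattern in patterns:
        if pattern.lower() in lowered:
            return pattern
    return None


def sanitize_field(value, patterns=XSS_PATTERNS):
    """Mimic the save behaviour: if the field matches any pattern, HTML-encode
    the whole field (so '<', '>', '&' and quotes become entities); otherwise
    store it exactly as typed."""
    if matches_xss_pattern(value, patterns) is None:
        return value
    return html.escape(value, quote=True)


def render_for_pdf(stored_value):
    """Stand-in for a renderer that decodes HTML entities (as the PDF export
    is described as doing), so an escape text like '&rarr;' shows as an arrow."""
    return html.unescape(stored_value)


if __name__ == "__main__":
    for text in ["Step A --> Step B", "a > b", "Step A &rarr; Step B"]:
        stored = sanitize_field(text)
        print(f"typed: {text!r:28} stored: {stored!r:30} pdf: {render_for_pdf(stored)!r}")
```

The first input matches the '-->' pattern and is stored with '>' encoded as '&gt;', which is exactly the corruption the article reports. The second contains a bare '>' but matches no pattern, so it is stored untouched. The third carries the workaround entity, which matches no pattern either; it is stored verbatim, looks like plain '&rarr;' in the product's text box, and is decoded to an arrow only by an entity-aware renderer.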

Workaround:

For the Modern User Experience (MUX/UX), where export to PDF is available, use one of the escape texts below to obtain an arrow in the PDF:

  • →
  • →

Sample screenshot (image not included here).

However, in the text box within the product itself, the arrows will not be noticeable.
