-
Type:
Bug
-
Status: Resolved
-
Priority:
Minor
-
Resolution: Won't Fix
-
Affects Version/s: 3.12.0
-
Fix Version/s: None
-
Component/s: Automation
-
Tags:
The description of the operations in the Automation Chain Editor is being escaped, causing HTML code to be displayed.
This issue could be solved by using .fromTrustedString() instead of .fromString() in this line.
However, for that we would have to trust that the operation descriptions are always safe. Our own operations are safe, as they are exposed through our own registries. But like Mincong said in Slack:
Operations can be declared through the registries, so we cannot relax the escaping here. I have an idea, though: what we can do is the escape at the moment the description is set (method Operation#setDescription(String)), but that means we will probably need to turn the class Operation into interface, and allow two implementations: BuiltinOperation (trusted) and CustomOperation (untrusted).