Velocity does not automatically escape HTML entities when substituting variables

2007-10-03T02:58:36
ID ATLASSIAN:CONFSERVER-9627
Type atlassian
Reporter matt@atlassian.com
Modified 2017-02-17T05:14:14

Description

Velocity should automatically escape (encode) HTML entities in variables it interpolates in markup. This would remove the need for explicitly escaping variables using $generalUtil.htmlEncode, and fix lots of XSS bugs, including ones we haven't discovered yet.

This affects all versions of Confluence.
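The following is an added example, not code from the issue or from Confluence, showing the behaviour the report describes: a default Velocity engine interpolates a reference verbatim, the per-reference $generalUtil.htmlEncode call fixes one site, and Velocity's own EscapeHtmlReference event handler (org.apache.velocity.app.event.implement.EscapeHtmlReference, enabled through the eventhandler.referenceinsertion.class property) applies escaping to every reference the engine inserts. The HtmlUtil class below is a constructed stand-in for Confluence's $generalUtil, not the real GeneralUtil; the attacker string and templates are constructed sample input. It assumes Velocity 1.5 or later on the classpath.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

public class VelocityEscapeDemo {

    // Constructed stand-in for Confluence's $generalUtil.htmlEncode (not Confluence's code).
    public static class HtmlUtil {
        public String htmlEncode(String s) {
            if (s == null) return "";
            StringBuilder sb = new StringBuilder(s.length());
            for (char c : s.toCharArray()) {
                switch (c) {
                    case '&':  sb.append("&amp;");  break;
                    case '<':  sb.append("&lt;");   break;
                    case '>':  sb.append("&gt;");   break;
                    case '"':  sb.append("&quot;"); break;
                    case '\'': sb.append("&#39;");  break;
                    default:   sb.append(c);
                }
            }
            return sb.toString();
        }
    }

    // Evaluate an inline template against a context and return the rendered markup.
    static String render(VelocityEngine engine, String template, VelocityContext ctx) throws Exception {
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "VelocityEscapeDemo", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-controlled value, e.g. a user's display name.
        String attackerName = "<script>alert(document.cookie)</script>";

        VelocityContext ctx = new VelocityContext();
        ctx.put("name", attackerName);
        ctx.put("generalUtil", new HtmlUtil());

        // 1. Default engine: $name is substituted verbatim, so the script tag lands in the page.
        VelocityEngine plain = new VelocityEngine();
        plain.init();
        System.out.println(render(plain, "<p>Hello $name</p>", ctx));
        // <p>Hello <script>alert(document.cookie)</script></p>

        // 2. Per-reference fix used in Confluence templates: the template author must remember
        //    to wrap every untrusted reference; a single forgotten call is an XSS bug.
        System.out.println(render(plain, "<p>Hello $generalUtil.htmlEncode($name)</p>", ctx));
        // <p>Hello &lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>

        // 3. Engine-wide fix the report asks for: Velocity's reference-insertion event handler
        //    HTML-escapes every reference as it is inserted, so the plain $name is now safe.
        VelocityEngine escaping = new VelocityEngine();
        escaping.setProperty("eventhandler.referenceinsertion.class",
                "org.apache.velocity.app.event.implement.EscapeHtmlReference");
        escaping.init();
        System.out.println(render(escaping, "<p>Hello $name</p>", ctx));
        // <p>Hello &lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>
    }
}
```

Two caveats a practitioner should check before turning the handler on globally. First, it escapes the result of every reference, so a template that still calls $generalUtil.htmlEncode($name) will double-encode (the ampersands of the already-encoded output get encoded again); the eventhandler.escape.html.match property takes a regular expression that limits the handler to matching reference names, which is how references that must emit raw markup are exempted. Second, EscapeHtmlReference only provides HTML-body escaping; a reference interpolated inside a JavaScript string or an unquoted attribute needs context-specific encoding that this handler does not supply.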