U4-7605 - Colons/Parens Unnecessarily Removed From Data Type Names

Created by Nicholas Westby 22 Dec 2015, 21:53:48 Updated by Sebastiaan Janssen 05 Jan 2016, 18:52:40

Relates to: U4-7477

I create most of my data types with colons and parentheses in the names. For example, if I have a client called "What Ever", I will create a data type based on the textbox property editor called "WE: Text (Short)". When I save, that name gets converted to "WE Text Short".

I don't see why this type of validation/transformation is taking place now when it did not used to occur. Also, if this were an alias or something of that sort, this might make sense. However, since it is a name, it makes little sense.


Nicholas Westby 22 Dec 2015, 21:57:17

Just tried the 7.4 beta. Looks like it allows parentheses, but it removes colons. That too does not make sense.

Shannon Deminick 05 Jan 2016, 10:40:45

See the related issue, this is due to XSS vulnerabilities in webforms editors. In 7.4 this is less vulnerable because of the lack of webforms usage in the content type editor, but other 3rd party webforms editors when rendering the name and not encoding it (since webforms doesn't do this by default) are vulnerable to XSS when malicious umbraco users could enter an XSS style name of an element. I'll allow colons, but we will still strip some of these chars because there are support clients that require these names to not be XSS vulnerable.

Priority: Normal

Type: Bug

State: Fixed


Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions: 7.4.0, 7.3.4

Due in version: 7.3.5

Sprint: Sprint 6

Story Points: