Hippo site shows html code

Experience Manager (PaaS/OnPrem)
1

Hi there,
This is my first post here, so tell me if I am posting at the wrong place.

We have updated or hippo environment to the latest version of Hippo 11.xxx and also had some other custom changes.
Let me try to explain the error.
We have a document.
This document has a rich field field.
In this rich field we are using a variable ${test.test}
This variable has some html code in it: < p >This is a test< / p >
And after this update we are seeing: < p >This is a test< / p > on the page instead of: This is a test

Can someone maybe help me with this?

2

You can use escapeMessageXml=false attribute:

<attribute>
  <description>
    Whether or not to escape a message value having &amp;,&gt;,&lt;,", and '. When escapeMessageXml = true, the
    replaced message text can be safely used as a tag attribute (e.g, href, src, etc.) value.
    By default escapeMessageXml is set to true.
  </description>
  <name>escapeMessageXml</name>
  <required>false</required>
  <rtexprvalue>false</rtexprvalue>
  <type>java.lang.Boolean</type>
</attribute>
3

Thanks you very much machak.
But why is this now needed?
It did work without this, in previous release :frowning:

4

Hi,
This was a changed behavior in 12.3 to mitigate an XSS vulnerability in the HST.
See https://www.onehippo.org/library/upgrade-minor-versions/upgrade-12.2.0-to-12.2.1-or-12.3.0.html.

Jeroen

5

Thanks jeroen, but I am not talking about release 12.3.
I just upgraded from 11.1.1 to 11.2.8 !
Did we also had same change between those versions?

6

Yes, because of its security-related nature this change was back ported, see
https://www.onehippo.org/11/library/upgrade-minor-versions/upgrade-11.2.6-to-11.2.7.html

HTH
Jeroen

7

thanks for the answers all.
Now I know why and how I can solve it.