Bug 1125181

Summary: HTML tags should be escaped when we update any parameter value under settings tab
Product: Red Hat Satellite Reporter: Sachin Ghai <sghai>
Component: SettingsAssignee: Ohad Levy <ohadlevy>
Status: CLOSED ERRATA QA Contact: Corey Welton <cwelton>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.0.4CC: bbuckingham, cwelton, dcleal, gsteiger
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/6858
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-27 08:43:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
HTML tags properly escaped when updating parameter under settings tab. none

Comment 1 Dominic Cleal 2014-07-31 09:27:10 UTC 
I don't think this has any security implications, but in future, please treat HTML escaping issues as having a potential security (XSS) impact and allow us to evaluate them first.

Ideal procedure is to mark the bug as private for the security team and for Foreman issues, e-mail foreman-security (http://theforeman.org/security.html).  We'll check it out and then handle appropriately.  Thanks.
Comment 2 Dominic Cleal 2014-07-31 09:28:14 UTC 
Created redmine issue http://projects.theforeman.org/issues/6858 from this bug
Comment 5 Bryan Kearney 2015-08-25 17:59:42 UTC 
Upstream bug component is Provisioning
Comment 6 Bryan Kearney 2015-09-02 17:23:06 UTC 
Upstream bug component is Settings
Comment 7 Bryan Kearney 2016-03-06 09:10:19 UTC 
Moving to POST since upstream bug http://projects.theforeman.org/issues/6858 has been closed
-------------
Amir Fefer
Applied in changeset commit:e108822a1a3ab567ea17d733754ccc9c9447dc8a.
Comment 10 Gail Steiger 2016-05-29 13:21:53 UTC 
Created attachment 1162621 [details]
HTML tags properly escaped when updating parameter under settings tab.
Comment 12 errata-xmlrpc 2016-07-27 08:43:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500