Bug 1415235
| Summary: | Catalog Item Long Descriptions allow the user to override UI styling | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Krain Arnold <krain> | ||||||||||
| Component: | UI - OPS | Assignee: | Martin Hradil <mhradil> | ||||||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Satyajit Bulage <sbulage> | ||||||||||
| Severity: | high | Docs Contact: | |||||||||||
| Priority: | high | ||||||||||||
| Version: | 5.7.0 | CC: | dajohnso, dclarizi, hkataria, jhardy, mpovolny, obarenbo, sbulage, simaishi | ||||||||||
| Target Milestone: | GA | Keywords: | TestOnly, ZStream | ||||||||||
| Target Release: | 5.8.0 | ||||||||||||
| Hardware: | Unspecified | ||||||||||||
| OS: | Unspecified | ||||||||||||
| Whiteboard: | service:catalog | ||||||||||||
| Fixed In Version: | 5.8.0.1 | Doc Type: | If docs needed, set a value | ||||||||||
| Doc Text: | Story Points: | --- | |||||||||||
| Clone Of: | |||||||||||||
| : | 1419694 (view as bug list) | Environment: | |||||||||||
| Last Closed: | 2017-06-12 16:21:35 UTC | Type: | Bug | ||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||
| Documentation: | --- | CRM: | |||||||||||
| Verified Versions: | Category: | Bug | |||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
| Cloudforms Team: | CFME Core | Target Upstream Version: | |||||||||||
| Embargoed: | |||||||||||||
| Bug Depends On: | |||||||||||||
| Bug Blocks: | 1419694 | ||||||||||||
| Attachments: |
|
||||||||||||
Created attachment 1242919 [details]
example 2
Created attachment 1242920 [details]
example 3
Created attachment 1242921 [details]
example 4
Work around exists we believe, use </br> tags, thus reducing severity New commit detected on ManageIQ/manageiq-ui-classic/master: https://github.com/ManageIQ/manageiq-ui-classic/commit/cd9e943e55582ab788892621c6f5497b56c27aa6 commit cd9e943e55582ab788892621c6f5497b56c27aa6 Author: Martin Hradil <mhradil> AuthorDate: Mon Jan 30 15:25:03 2017 +0000 Commit: Martin Hradil <mhradil> CommitDate: Wed Feb 1 03:53:38 2017 +0000 ServiceTemplate.long_description - always display html-sanitized prevents `<script>` and `<style>` elements in the description from breaking the UI in random ways https://bugzilla.redhat.com/show_bug.cgi?id=1415235 app/views/catalog/_sandt_tree_show.html.haml | 6 ++++-- app/views/catalog/_svccat_tree_show.html.haml | 10 +++++++--- 2 files changed, 11 insertions(+), 5 deletions(-) Verified that like the SSUI, the admin UI able to sanitize the HTML code which is not impacting core elements by the Long Description. Verified Version: 5.8.0.10-beta1.20170411212748_e47d319 |
Created attachment 1242918 [details] example 1 Description of problem: The Catalog Item Long Description field in the admin UI accepts raw HTML, but unlike the Self-Service UI, the HTML is not sanitized. This allows the user to use <style> tags that are honored in the rest of the UI. Version-Release number of selected component (if applicable): 5.7.0.17.20161219135818_725f92f How reproducible: 100% Steps to Reproduce: 1. Add a Long Description with a style tag that applies to an existing element. Something like: span {text-shadow: -5px 0 HotPink, 0 5px HotPink, 5px 0 HotPink, 0 -1px HotPink;} does the trick nicely. 2. Save the catalog item and look at the UI Actual results: Results range from concerning to mildly entertaining, depending on your perspective. Screenshots attached. Expected results: Like the SSUI, the admin UI should sanitize the HTML code to ensure that core elements are not impacted by the Long Description. Additional info: Screenshots attached.