Bug 1520669

Summary: Text Injection possible
Product: Red Hat CloudForms Management Engine
Reporter: Satoe Imaishi <simaishi>
Component: UI - OPS
Assignee: Martin Povolny <mpovolny>
Status: CLOSED WONTFIX
QA Contact: Vatsal Parekh <vparekh>
Severity: urgent
Docs Contact:
Priority: low
Version: 5.8.0
CC: dajohnso, hkataria, jhardy, jkrocil, khala, mfalesni, mpovolny, obarenbo, rbabyuk, simaishi, vparekh
Target Milestone: GA
Keywords: TestOnly, ZStream
Target Release: 5.9.2
Hardware: Unspecified
OS: Unspecified
Whiteboard: ui:flash_msg
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1475303
Environment:
Last Closed: 2018-04-18 10:15:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On: 1475303
Bug Blocks:

Comment 2 CFME Bot 2017-12-04 22:24:09 UTC
New commit detected on ManageIQ/manageiq-ui-classic/gaprindashvili:
https://github.com/ManageIQ/manageiq-ui-classic/commit/9be2979e786adc7654f1466109a4681c2555a053

commit 9be2979e786adc7654f1466109a4681c2555a053
Author:     Martin Hradil <himdel>
AuthorDate: Mon Dec 4 19:42:05 2017 +0000
Commit:     Satoe Imaishi <simaishi>
CommitDate: Mon Dec 4 17:12:09 2017 -0500

    Merge pull request #2924 from martinpovolny/flash_messages_session
    
    Provider forms: pass flash messages through the session rather than url
    (cherry picked from commit a3831c9bfbf1ce0b2a69ac7b90543358a2ccd8d1)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1520669

 app/controllers/mixins/ems_common_angular.rb | 38 +++++++++++++---------------
 1 file changed, 17 insertions(+), 21 deletions(-)
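The commit above moves flash messages out of the redirect URL and into the server-side session. The following Ruby snippet is an added illustration of why that matters; it is not code from manageiq-ui-classic, and the path `/providers`, the parameter name `flash_msg`, and the session key `:flash` are constructed for the example. The URL-carrying pattern renders whatever text arrives in the query string as if the server had produced it (the "text injection" in the summary); the session-carrying pattern renders only what the server itself stored, so a crafted link yields nothing.

```ruby
require "cgi"
require "uri"

# Vulnerable pattern (modelled, not the project's code): the notice travels in
# the redirect URL, so the next request renders whatever ?flash_msg= contains.
def redirect_url_with_flash(base, message)
  "#{base}?flash_msg=#{CGI.escape(message)}"
end

def flash_from_url(request_url)
  query = URI.parse(request_url).query or return nil
  CGI.parse(query)["flash_msg"].first   # nil when the parameter is absent
end

# Hardened pattern: the redirect URL carries no text; the notice is stored in
# the server-side session and consumed once by the following request.
def redirect_with_session_flash(base, session, message)
  session[:flash] = message
  base
end

def flash_from_session(session)
  session.delete(:flash)   # read-once, like a Rails flash
end

# Constructed scenario: one server-generated notice and one crafted link
# whose query string a user could have been handed by a third party.
def demo
  session = {}
  server_msg = "Provider added"

  # URL-based: the legitimate notice round-trips ...
  legit = flash_from_url(redirect_url_with_flash("/providers", server_msg))
  # ... but so does any text placed in the link, with no server involvement.
  crafted = "/providers?flash_msg=" + CGI.escape("not from the server")
  injected = flash_from_url(crafted)

  # Session-based: the crafted URL contributes nothing; only the stored
  # notice is shown, and only once.
  redirect_with_session_flash("/providers", session, server_msg)
  from_session = flash_from_session(session)
  second_read = flash_from_session(session)   # nil, already consumed

  { legit: legit, injected: injected, from_session: from_session, second_read: second_read }
end
```

When reviewing a fix like PR #2924, the check is simply that no controller path still reads message text from `params` for display; every remaining reflection of a URL parameter into a flash message (Comments 3 and 4 list several) is the same defect in another place.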

Comment 3 Ruslana Babyuk 2018-01-03 13:10:57 UTC
Hi,

I found some other places: add new key pair, infra provider/discover

Comment 4 Ruslana Babyuk 2018-01-16 12:38:18 UTC
Hi,

This is also reproduced for deleting security groups:
Steps:
1. Add cloud provider
2. Navigate to Security Groups page
3. Delete one of the security groups
4. Check URL

Comment 5 Martin Povolny 2018-03-29 10:40:08 UTC
Ruslana: please put finds (if any after the latest PR) into the master bug, not the one cloned for 5.9. Thx.


Fix for all the places I have been able to find is here:

https://github.com/ManageIQ/manageiq-ui-classic/pull/3643

I am unsure if we should backport that to 5.9 given the amount of changes. I'd rather not do that.

Comment 6 Martin Povolny 2018-04-18 10:15:43 UTC
Due to a high number of changes we will not fix this in 5.9. So closing this as won't fix.

BZ clone that is being fixed (6.0) is here: https://bugzilla.redhat.com/show_bug.cgi?id=1475303