Bug 978331
| Summary: | html in changeset name and description | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Ales Dujicek <adujicek> | ||||||
| Component: | WebUI | Assignee: | Eric Helms <ehelms> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Katello QA List <katello-qa-list> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | Nightly | CC: | adujicek, cwelton, ehelms, jmontleo, sghai | ||||||
| Target Milestone: | Unspecified | Keywords: | Triaged | ||||||
| Target Release: | Unused | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2014-04-24 17:07:18 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release. I am not clear as to what the actual issue you are reporting is. Is it: A) The fact that you can input HTML characters into the name is an issue? B) The fact that if you input HTML characters, those HTML characters do not show up unescaped to the user? B) HTML characters are ok, but should be escaped Tracking here -https://github.com/Katello/katello/pull/3124 Created attachment 812826 [details]
screenshot
Changeset details should be escaped too (see screenshot).
I disagree with this assessment. The values presented are exactly what the user entered and should be presented as such. We have prevented the XSS vulnerability by escaping the content as the content is included in the DOM and as a result you see the pure text. If the user wishes to create a name that includes "<h2>", I don't think we should be changing that to "<h2>" as it is unreadable and not what the user entered. I agree with you. But look at the screenshot again, please. The text under "Changeset Details" is not escaped. There is big "changeset name" but it should be normal text "<h2>changeset name</h2>" (as on top of image). And the same with description. Ah ha, I completely missed that, my apologies. Thanks for pointing it out! I will get a fix in for that. Tracking upstream fix here - https://github.com/Katello/katello/pull/3244 Verified with MDP2 Snap7, katello-all-1.4.6-47.el6sat.noarch katello-cli-1.4.3-27.el6sat.noarch katello-glue-pulp-1.4.6-47.el6sat.noarch katello-qpid-broker-key-pair-1.0-1.noarch katello-selinux-1.4.4-4.el6sat.noarch katello-candlepin-cert-key-pair-1.0-1.noarch pulp-katello-plugins-0.2-1.el6sat.noarch katello-configure-foreman-1.4.7-7.el6sat.noarch ruby193-rubygem-katello_api-0.0.3-4.el6sat.noarch katello-glue-candlepin-1.4.6-47.el6sat.noarch ruby193-rubygem-katello-foreman-engine-0.0.12-3.el6sat.noarch katello-foreman-all-1.4.6-47.el6sat.noarch ruby193-rubygem-foreman-katello-engine-0.0.17-6.el6sat.noarch katello-configure-1.4.7-7.el6sat.noarch signo-katello-0.0.23-2.el6sat.noarch katello-glue-elasticsearch-1.4.6-47.el6sat.noarch katello-1.4.6-47.el6sat.noarch katello-qpid-client-key-pair-1.0-1.noarch katello-common-1.4.6-47.el6sat.noarch katello-certs-tools-1.4.4-1.el6sat.noarch katello-cli-common-1.4.3-27.el6sat.noarch Now html characters are correctly escaped for changeset name and description Created attachment 815725 [details]
html characters are correctly escaped in snap7
This was verified and delivered with MDP2. Closing it out. |
Description of problem: it is possible to add html to changeset name and description because it is not escaped Version-Release number of selected component (if applicable): katello-glue-elasticsearch-1.4.2-18.el6sat.noarch katello-candlepin-cert-key-pair-1.0-1.noarch katello-agent-1.4.3-1.git.1.24fe511.el6.noarch signo-katello-0.0.19-1.el6sat.noarch katello-configure-foreman-1.4.3-16.el6sat.noarch katello-certs-tools-1.4.2-2.el6sat.noarch katello-cli-1.4.2-8.el6sat.noarch ruby193-rubygem-foreman-katello-engine-0.0.8-6.el6sat.noarch katello-common-1.4.2-18.el6sat.noarch katello-1.4.2-18.el6sat.noarch katello-foreman-all-1.4.2-18.el6sat.noarch katello-qpid-client-key-pair-1.0-1.noarch ruby193-rubygem-katello_api-0.0.3-2.el6_4.noarch katello-configure-1.4.3-16.el6sat.noarch katello-glue-candlepin-1.4.2-18.el6sat.noarch katello-all-1.4.2-18.el6sat.noarch ruby193-rubygem-katello-foreman-engine-0.0.3-6.el6sat.noarch katello-cli-common-1.4.2-8.el6sat.noarch katello-selinux-1.4.3-3.el6sat.noarch katello-glue-pulp-1.4.2-18.el6sat.noarch katello-qpid-broker-key-pair-1.0-1.noarch How reproducible: always Steps to Reproduce: 1. UI: Content -> Changeset Management -> Changesets 2. click + New Changeset, fill name with html <script>alert("BAM");</script> Additional info: similar to https://bugzilla.redhat.com/show_bug.cgi?id=951231