Bug 1125181 - HTML tags should be escaped when we update any parameter value under settings tab
Summary: HTML tags should be escaped when we update any parameter value under settings...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Settings
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
unspecified
medium vote
Target Milestone: Unspecified
Assignee: Ohad Levy
QA Contact: Corey Welton
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-31 09:15 UTC by Sachin Ghai
Modified: 2019-04-01 20:27 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 08:43:17 UTC


Attachments (Terms of Use)
HTML tags properly escaped when updating parameter under settings tab. (84.91 KB, image/png)
2016-05-29 13:21 UTC, Gail Steiger
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1500 normal SHIPPED_LIVE Red Hat Satellite 6.2 Base Libraries 2016-07-27 12:24:38 UTC
Foreman Issue Tracker 6858 None None None 2016-04-22 15:35:55 UTC

Comment 1 Dominic Cleal 2014-07-31 09:27:10 UTC
I don't think this has any security implications, but in future, please treat HTML escaping issues as having a potential security (XSS) impact and allow us to evaluate them first.

Ideal procedure is to mark the bug as private for the security team and for Foreman issues, e-mail foreman-security@googlegroups.com (http://theforeman.org/security.html).  We'll check it out and then handle appropriately.  Thanks.

Comment 2 Dominic Cleal 2014-07-31 09:28:14 UTC
Created redmine issue http://projects.theforeman.org/issues/6858 from this bug

Comment 5 Bryan Kearney 2015-08-25 17:59:42 UTC
Upstream bug component is Provisioning

Comment 6 Bryan Kearney 2015-09-02 17:23:06 UTC
Upstream bug component is Settings

Comment 7 Bryan Kearney 2016-03-06 09:10:19 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/6858 has been closed
-------------
Amir Fefer
Applied in changeset commit:e108822a1a3ab567ea17d733754ccc9c9447dc8a.

Comment 10 Gail Steiger 2016-05-29 13:21:53 UTC
Created attachment 1162621 [details]
HTML tags properly escaped when updating parameter under settings tab.

Comment 12 errata-xmlrpc 2016-07-27 08:43:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500


Note You need to log in before you can comment on or make changes to this bug.