Description of problem:
The "edit comment" dialog on the job page does not escape HTML characters in the comment correctly after fetching it.

Version-Release number of selected component (if applicable):
probably all Beaker versions

How reproducible:
easily

Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>
4. Refresh the job page, and click "comment" again

Actual results:
<script> is executed

Expected results:
HTML characters should be escaped in the comment value
Created attachment 1020005 [details] proposed patch
Verified this issue. The result is FAILED.
Version: Beaker 20.1.git.5.24dc482

Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>

Result: The script is still executed.
Ah yes, there is another one I missed... full steps to reproduce are:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment"
4. Click "edit" and change the comment to: <script>alert('xss')</script>, then click "save"
5. Refresh the job page
6. Click "comment"
7. Click "edit"

Script is executed.
Created attachment 1021565 [details] proposed patch v2

This patch addresses the other missed escaping, in the edit comment dialog. (Sigh, that code makes me very sad.)
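The defect described in this report, as an added illustration (not Beaker's code and not the attached patch): a fetched comment spliced straight into the dialog markup versus the same markup with the value HTML-escaped first. The element names and the `escapeHtml`/`renderEditDialog*`/`containsRawTag` helpers are assumptions for the example; the comment text is the payload from the report.

```javascript
// Added example, not Beaker's code: the "edit comment" dialog bug from this
// report, shown as a string-building function so it runs in plain Node.

// Comment text constructed to match the payload used in the report.
const STORED_COMMENT = "<script>alert('xss')</script>";

// Minimal entity escaping for text placed into element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the comment fetched from the server is concatenated
// into the dialog's HTML, so any tags it contains become live DOM once the
// markup is rendered (the behaviour the reporter observed).
function renderEditDialogUnsafe(comment) {
  return '<div class="comment-dialog"><p class="comment">' + comment + '</p></div>';
}

// Fixed pattern: identical markup, but the value is escaped first, so the
// browser displays the characters literally instead of parsing them.
function renderEditDialogSafe(comment) {
  return '<div class="comment-dialog"><p class="comment">' + escapeHtml(comment) + '</p></div>';
}

// Regression check a reviewer can run against rendered markup: does any tag
// present in the untrusted value survive verbatim in the output?
function containsRawTag(markup, value) {
  const tags = value.match(/<[^>]+>/g) || [];
  return tags.some((tag) => markup.includes(tag));
}

// Convenience wrapper that reports the outcome for one comment value.
function checkDialog(comment) {
  return {
    unsafeLeaksTag: containsRawTag(renderEditDialogUnsafe(comment), comment),
    safeLeaksTag: containsRawTag(renderEditDialogSafe(comment), comment),
  };
}
```

The same `escapeHtml` step is what a templating layer applies automatically when the value is inserted as text rather than as HTML.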
Verified this issue. The result is PASS. Version: Beaker 20.1.git.5.fd65027
Beaker 20.1 has been released.