1215030 – (CVE-2015-3162) HTML tags in recipe set comments are not escaped in the "edit comment" dialog

Bug 1215030 (CVE-2015-3162) - HTML tags in recipe set comments are not escaped in the "edit comment" dialog

Summary: HTML tags in recipe set comments are not escaped in the "edit comment" dialog

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2015-3162
Product:	Beaker
Classification:	Retired
Component:	general
Sub Component:
Version:	19
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	20.1
Assignee:	Dan Callaghan
QA Contact:	tools-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1215894
TreeView+	depends on / blocked

Reported:	2015-04-24 07:23 UTC by Dan Callaghan
Modified:	2023-07-06 16:52 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-05-08 04:06:03 UTC
Embargoed:

Attachments	(Terms of Use)
proposed patch (3.90 KB, patch) 2015-04-29 07:22 UTC, Dan Callaghan	no flags	Details \| Diff
proposed patch v2 (5.24 KB, patch) 2015-05-04 07:51 UTC, Dan Callaghan	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	BKR-2941	0	None	None	None	2023-03-16 07:12:21 UTC

Description Dan Callaghan 2015-04-24 07:23:48 UTC

Description of problem:
The "edit comment" dialog on the job page does not escape HTML characters in the comment correctly after fetching it.

Version-Release number of selected component (if applicable):
probably all Beaker versions

How reproducible:
easily

Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>
4. Refresh the job page, and click "comment" again

Actual results:
<script> is executed

Expected results:
HTML characters should be escaped in the comment value

Comment 1 Dan Callaghan 2015-04-29 07:22:36 UTC

Created attachment 1020005 [details]
proposed patch

Comment 4 Hui Wang 2015-05-04 07:16:40 UTC

Verified this issue.
The result is FAILED.
Version: Beaker 20.1.git.5.24dc482

Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>

Result:
The script still be executed.

Comment 5 Dan Callaghan 2015-05-04 07:21:37 UTC

Ah yes, there is another one I missed... full steps to reproduce are:

1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment"
4. Click "edit" and change the comment to: <script>alert('xss')</script>, then click "save"
5. Refresh the job page
6. Click "comment"
7. Click "edit"

Script is executed.

Comment 6 Dan Callaghan 2015-05-04 07:51:17 UTC

Created attachment 1021565 [details]
proposed patch v2

This patch addresses the other missed escaping, in the edit comment dialog. (Sigh, that code makes me very sad.)

Comment 10 Hui Wang 2015-05-05 02:31:47 UTC

Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.fd65027

Comment 11 Dan Callaghan 2015-05-08 04:06:03 UTC

Beaker 20.1 has been released.

Comment 12 Timothy Sykes 2023-03-16 07:11:56 UTC Comment hidden (spam)

This comment was flagged a spam, view the edit history to see the original text if required.

Comment 13 Timothy Sykes 2023-03-16 07:15:08 UTC Comment hidden (spam)

This comment was flagged a spam, view the edit history to see the original text if required.

Comment 14 Drew Binsky 2023-03-17 02:20:18 UTC Comment hidden (spam)

My suggestion is that you should reset or review your comment settings https://ovo-game.com

Comment 15 emmausa 2023-06-27 07:24:02 UTC Comment hidden (spam)

This comment was flagged a spam, view the edit history to see the original text if required.

Comment 16 Timothy Ferriss 2023-07-06 08:22:18 UTC Comment hidden (spam)

This comment was flagged a spam, view the edit history to see the original text if required.

Note You need to log in before you can comment on or make changes to this bug.