Bug 1415235 - Catalog Item Long Descriptions allow the user to override UI styling
Summary: Catalog Item Long Descriptions allow the user to override UI styling
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
: 5.8.0
Assignee: Martin Hradil
QA Contact: Satyajit Bulage
URL:
Whiteboard: service:catalog
Depends On:
Blocks: 1419694
TreeView+ depends on / blocked
 
Reported: 2017-01-20 16:09 UTC by Krain Arnold
Modified: 2017-06-12 16:21 UTC (History)
8 users (show)

Fixed In Version: 5.8.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1419694 (view as bug list)
Environment:
Last Closed: 2017-06-12 16:21:35 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:


Attachments (Terms of Use)
example 1 (339.42 KB, image/png)
2017-01-20 16:09 UTC, Krain Arnold
no flags Details
example 2 (303.87 KB, image/png)
2017-01-20 16:10 UTC, Krain Arnold
no flags Details
example 3 (353.15 KB, image/png)
2017-01-20 16:10 UTC, Krain Arnold
no flags Details
example 4 (449.83 KB, image/png)
2017-01-20 16:11 UTC, Krain Arnold
no flags Details

Description Krain Arnold 2017-01-20 16:09:37 UTC
Created attachment 1242918 [details]
example 1

Description of problem:
The Catalog Item Long Description field in the admin UI accepts raw HTML, but unlike the Self-Service UI, the HTML is not sanitized. This allows the user to use <style> tags that are honored in the rest of the UI. 

Version-Release number of selected component (if applicable):
5.7.0.17.20161219135818_725f92f

How reproducible:
100%

Steps to Reproduce:
1. Add a Long Description with a style tag that applies to an existing element. Something like: span {text-shadow: -5px 0 HotPink, 0 5px HotPink, 5px 0 HotPink, 0 -1px HotPink;} does the trick nicely.
2. Save the catalog item and look at the UI

Actual results:
Results range from concerning to mildly entertaining, depending on your perspective. Screenshots attached.

Expected results:
Like the SSUI, the admin UI should sanitize the HTML code to ensure that core elements are not impacted by the Long Description.

Additional info:
Screenshots attached.

Comment 2 Krain Arnold 2017-01-20 16:10:24 UTC
Created attachment 1242919 [details]
example 2

Comment 3 Krain Arnold 2017-01-20 16:10:58 UTC
Created attachment 1242920 [details]
example 3

Comment 4 Krain Arnold 2017-01-20 16:11:28 UTC
Created attachment 1242921 [details]
example 4

Comment 6 Dave Johnson 2017-01-27 00:33:29 UTC
Work around exists we believe, use </br> tags, thus reducing severity

Comment 10 CFME Bot 2017-02-06 14:12:42 UTC
New commit detected on ManageIQ/manageiq-ui-classic/master:
https://github.com/ManageIQ/manageiq-ui-classic/commit/cd9e943e55582ab788892621c6f5497b56c27aa6

commit cd9e943e55582ab788892621c6f5497b56c27aa6
Author:     Martin Hradil <mhradil@redhat.com>
AuthorDate: Mon Jan 30 15:25:03 2017 +0000
Commit:     Martin Hradil <mhradil@redhat.com>
CommitDate: Wed Feb 1 03:53:38 2017 +0000

    ServiceTemplate.long_description - always display html-sanitized
    
    prevents `<script>` and `<style>` elements in the description from breaking the UI in random ways
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1415235

 app/views/catalog/_sandt_tree_show.html.haml  |  6 ++++--
 app/views/catalog/_svccat_tree_show.html.haml | 10 +++++++---
 2 files changed, 11 insertions(+), 5 deletions(-)

Comment 12 Satyajit Bulage 2017-04-18 08:46:58 UTC
Verified that like the SSUI, the admin UI able to sanitize the HTML code which is not impacting core elements by the Long Description.

Verified Version: 5.8.0.10-beta1.20170411212748_e47d319


Note You need to log in before you can comment on or make changes to this bug.