Created attachment 1242918
example 1

Description of problem:
The Catalog Item Long Description field in the admin UI accepts raw HTML, but unlike the Self-Service UI, the HTML is not sanitized. This allows the user to use <style> tags that are honored in the rest of the UI.

Version-Release number of selected component (if applicable):
5.7.0.17.20161219135818_725f92f

How reproducible:
100%

Steps to Reproduce:
1. Add a Long Description with a style tag that applies to an existing element. Something like:
   span {text-shadow: -5px 0 HotPink, 0 5px HotPink, 5px 0 HotPink, 0 -1px HotPink;}
   does the trick nicely.
2. Save the catalog item and look at the UI.

Actual results:
Results range from concerning to mildly entertaining, depending on your perspective. Screenshots attached.

Expected results:
Like the SSUI, the admin UI should sanitize the HTML code to ensure that core elements are not impacted by the Long Description.

Additional info:
Screenshots attached.

Created attachment 1242919
example 2

Created attachment 1242920
example 3

Created attachment 1242921
example 4
A workaround exists, we believe: use </br> tags, thus reducing severity.
https://github.com/ManageIQ/manageiq-ui-classic/pull/275
New commit detected on ManageIQ/manageiq-ui-classic/master:
https://github.com/ManageIQ/manageiq-ui-classic/commit/cd9e943e55582ab788892621c6f5497b56c27aa6

commit cd9e943e55582ab788892621c6f5497b56c27aa6
Author:     Martin Hradil <mhradil>
AuthorDate: Mon Jan 30 15:25:03 2017 +0000
Commit:     Martin Hradil <mhradil>
CommitDate: Wed Feb 1 03:53:38 2017 +0000

    ServiceTemplate.long_description - always display html-sanitized

    prevents `<script>` and `<style>` elements in the description from breaking the UI in random ways

    https://bugzilla.redhat.com/show_bug.cgi?id=1415235

 app/views/catalog/_sandt_tree_show.html.haml  |  6 ++++--
 app/views/catalog/_svccat_tree_show.html.haml | 10 +++++++---
 2 files changed, 11 insertions(+), 5 deletions(-)
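The report above describes the field accepting raw HTML and the commit says the view now always displays it html-sanitized. The following stand-alone Ruby script is an added illustration of what that sanitization has to achieve; it is not ManageIQ's code and does not show how the project's views do it (a Rails view would use the framework's `sanitize` helper rather than a hand-written sanitizer). The tag allowlist, the module name and the sample input are assumptions made for this example. It drops `<script>` and `<style>` elements with their bodies, keeps only a small set of formatting tags with their attributes removed, keeps `href` on links only for http(s)/mailto targets, and neutralises anything else so that stored text can no longer restyle or script the surrounding page while `<br>` (and the `</br>` workaround) still renders as a line break.

```ruby
# Added example (not ManageIQ code): a minimal allowlist sanitizer for a
# catalog item's long_description, showing what "always display
# html-sanitized" has to achieve. A real Rails view would call the
# framework's `sanitize` helper; this hand-rolled version exists only to
# make the behaviour visible in a stand-alone script.
require 'cgi'

module LongDescriptionSanitizer
  # Elements removed together with their bodies. Their content is never
  # user-visible text, and these are the two elements the bug names.
  DROP_WITH_CONTENT = %w[script style].freeze

  # Tags kept on output (all attributes dropped, except a vetted href on <a>).
  # `br` stays, so the `</br>` workaround from the thread keeps working.
  # Assumed allowlist for this example.
  ALLOWED_TAGS = %w[b i u em strong br p ul ol li code pre a].freeze

  DROP_RE   = %r{<(#{DROP_WITH_CONTENT.join('|')})\b[^>]*>.*?</\1\s*>}mi
  TAG_SPLIT = /(<[^>]*>)/
  TAG_SHAPE = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)(.*?)/?>\z}m

  def self.sanitize(html)
    return '' if html.nil?
    # Step 1: drop script/style elements with everything inside them.
    without_blocks = html.gsub(DROP_RE, '')
    # Step 2: split into tag tokens and text; split keeps the captured tags.
    without_blocks.split(TAG_SPLIT).map do |piece|
      piece.match?(/\A<[^>]*>\z/) ? rewrite_tag(piece) : escape(piece)
    end.join
  end

  # Text (and rejected tags) must not be able to open a new element.
  # Only `<` and `>` are escaped so existing entities such as &amp; survive.
  def self.escape(text)
    text.gsub('<', '&lt;').gsub('>', '&gt;')
  end

  def self.rewrite_tag(token)
    m = token.match(TAG_SHAPE)
    return escape(token) unless m
    closing, name, attrs = m[1], m[2].downcase, m[3]
    return escape(token) unless ALLOWED_TAGS.include?(name)
    return '<br>' if name == 'br'          # void element: normalises </br> too
    return "</#{name}>" if closing == '/'
    if name == 'a'
      href = safe_href(attrs)
      return href ? %(<a href="#{href}">) : '<a>'
    end
    "<#{name}>"                             # every other attribute is dropped
  end

  # Keep href only for http(s)/mailto targets; strip whitespace and control
  # characters first so a scheme cannot be disguised by them.
  def self.safe_href(attrs)
    m = attrs.match(/\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
    return nil unless m
    raw = (m[1] || m[2] || m[3]).gsub(/[[:cntrl:]\s]/, '')
    return nil unless raw.match?(%r{\A(https?://|mailto:)}i)
    CGI.escapeHTML(raw)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: the style rule from the bug report plus some
  # ordinary formatting the admin UI should keep.
  sample = "<style>span {text-shadow: -5px 0 HotPink, 0 5px HotPink;}</style>" \
           "Ships with <b>24x7</b> support</br>" \
           "See <a href=\"https://example.com\" onclick=\"x()\">docs</a>"
  puts LongDescriptionSanitizer.sanitize(sample)
end
```

Run it directly to see the sample description come out with the style block gone, `</br>` normalised to `<br>`, the `onclick` attribute dropped and the link target kept. An unclosed `<style>` is not removed as a block but its opening tag is escaped, so the rule text is shown as plain text instead of being applied to the page.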
Verified that, like the SSUI, the admin UI is able to sanitize the HTML code, so core elements are not impacted by the Long Description.

Verified Version: 5.8.0.10-beta1.20170411212748_e47d319