Bug 1520669 - Text Injection possible
Summary: Text Injection possible
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: urgent
Target Milestone: GA
Target Release: 5.9.2
Assignee: Martin Povolny
QA Contact: Vatsal Parekh
URL:
Whiteboard: ui:flash_msg
Depends On: 1475303
Blocks:
Reported: 2017-12-04 22:14 UTC by Satoe Imaishi
Modified: 2018-04-18 10:15 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1475303
Environment:
Last Closed: 2018-04-18 10:15:43 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Comment 2 CFME Bot 2017-12-04 22:24:09 UTC
New commit detected on ManageIQ/manageiq-ui-classic/gaprindashvili:
https://github.com/ManageIQ/manageiq-ui-classic/commit/9be2979e786adc7654f1466109a4681c2555a053

commit 9be2979e786adc7654f1466109a4681c2555a053
Author:     Martin Hradil <himdel>
AuthorDate: Mon Dec 4 19:42:05 2017 +0000
Commit:     Satoe Imaishi <simaishi>
CommitDate: Mon Dec 4 17:12:09 2017 -0500

    Merge pull request #2924 from martinpovolny/flash_messages_session
    
    Provider forms: pass flash messages through the session rather than url
    (cherry picked from commit a3831c9bfbf1ce0b2a69ac7b90543358a2ccd8d1)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1520669

 app/controllers/mixins/ems_common_angular.rb | 38 +++++++++++++---------------
 1 file changed, 17 insertions(+), 21 deletions(-)

Comment 3 Ruslana Babyuk 2018-01-03 13:10:57 UTC
Hi,

I found some other places: add new key pair, infra provider/discover

Comment 4 Ruslana Babyuk 2018-01-16 12:38:18 UTC
Hi,

This is also reproduced for deleting security groups:
Steps:
1. Add cloud provider
2. Navigate to Security Groups page
3. Delete one of the security groups
4. Check URL
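
The pattern the merge commit in comment 2 describes (carry the flash message in the session instead of the URL) and the "Check URL" step in comment 4, as an added example in plain Ruby that is not ManageIQ code: the paths, the flash_msg parameter name and the attacker link are constructed assumptions for illustration, and the request/session objects are simple hashes standing in for the Rails ones.

```ruby
require "uri"
require "cgi"

# Added example, not ManageIQ code. A request is a Hash with :path, :params
# (parsed query string) and :session. Paths and the flash_msg parameter name
# are assumptions made for illustration.

# Trusted page that shows a flash message. The text is HTML-escaped, so this
# is not script injection; the issue is that attacker-chosen plain text is
# displayed as if the application itself had said it.
def render_flash_page(message)
  html = "<h1>Cloud Providers</h1>"
  html += "<div class=\"flash\">#{CGI.escapeHTML(message)}</div>" if message && !message.empty?
  html
end

# Vulnerable design: the message travels in the redirect URL, so any link
# with a flash_msg parameter puts text of the link author's choosing on the page.
module FlashViaUrl
  def self.after_save(provider_name)
    "/ems_cloud/show_list?flash_msg=#{CGI.escape("#{provider_name} was saved")}"
  end

  def self.show_list(request)
    render_flash_page(request[:params]["flash_msg"])
  end
end

# Fixed design: the message is stored server-side in the session before the
# redirect, and the target action only shows what the server itself stored.
module FlashViaSession
  def self.after_save(provider_name, session)
    session[:flash_msg] = "#{provider_name} was saved"
    "/ems_cloud/show_list"
  end

  def self.show_list(request)
    # Read once and discard, like Rails' flash, so the message is not replayed.
    render_flash_page(request[:session].delete(:flash_msg))
  end
end

# Simulate the browser following a URL (a redirect, or a link someone sent)
# with the given session contents.
def follow(url, session = {})
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  { path: uri.path, params: params, session: session }
end

# Constructed attacker link: a phishing-style message smuggled in the URL.
ATTACKER_LINK = "/ems_cloud/show_list?" +
                URI.encode_www_form("flash_msg" => "License expired, call +1-555-0100")

if $PROGRAM_NAME == __FILE__
  puts FlashViaUrl.show_list(follow(ATTACKER_LINK))      # shows the attacker's text
  puts FlashViaSession.show_list(follow(ATTACKER_LINK))  # no flash div at all
  session = {}
  url = FlashViaSession.after_save("aws-east", session)
  puts FlashViaSession.show_list(follow(url, session))   # legitimate message still works
end
```

The check from comment 4 maps onto this directly: after a successful action, the URL the browser lands on should carry no message text at all; if it does, any copy of that URL with the parameter edited will render on the trusted page.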

Comment 5 Martin Povolny 2018-03-29 10:40:08 UTC
Ruslana: please put finds (if any after the latest PR) into the master bug, not the one cloned for 5.9. Thx.


Fix for all the places I have been able to find is here:

https://github.com/ManageIQ/manageiq-ui-classic/pull/3643

I am unsure if we should backport that to 5.9 given the amount of changes. I'd rather not do that.

Comment 6 Martin Povolny 2018-04-18 10:15:43 UTC
Due to a high number of changes we will not fix this in 5.9. So closing this as won't fix.

BZ clone that is being fixed (6.0) is here: https://bugzilla.redhat.com/show_bug.cgi?id=1475303