Bug 194515
| Summary: | Action message for creating group does not escape all characters. | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Network | Reporter: | Ken Ganong <kganong> |
| Component: | RHN/Web Site | Assignee: | Mike McCune <mmccune> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rhn420 | CC: | cperry, rhn-bugs |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-10-05 09:27:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 165365 | | |
| Attachments: | | | |
Created attachment 130769
sad results

Reassigning a bunch of my bugs to mmccune so they aren't forgotten.

Created attachment 622061
Showing that today in Satellite, we are much more sane
Reviewing the current 5.5 Satellite behavior I would say that this is now resolved. We will remove < > chars, and otherwise, display and use the crazy chars for system group names without issue. This is the same for many areas of the UI we have fixed over the past couple of years for correctly escaping and filtering chars, etc. to prevent cross-site scripting and other potential attacks.
Cliff
To recreate / testplan:
1. Login
2. Go to system groups page
3. Click to create a group.
4. Put in a group name with lots of strange characters. Here's two fun ones: !@#$%^ < !@">#&$%
5. See the ugliness.

Actual results: The Action message includes only part of the group name.

Expected results: The Action message contains the entire group name displayed correctly. Also verify that the rest of the page has valid and sensible HTML.
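The expected results above can be turned into a regression check. The following is an added example, not code from RHN or Satellite: the message wording, the wrapper `div`, and all function names are assumptions, and the `a<b>c` name is constructed. It renders the group name with output encoding, re-parses the markup, and confirms that the whole name is shown and no stray tags appear.

```python
import html
from html.parser import HTMLParser

# Group name from the bug's test plan (both "fun ones" as a single name).
GROUP_NAME = '!@#$%^ < !@">#&$%'
# Hypothetical message wording and markup; the real RHN template is not shown.
TEMPLATE = '<div class="message">System group {} created.</div>'

def strip_angle_brackets(name):
    """Input filter described for Satellite 5.5: remove < and > from the name."""
    return name.replace("<", "").replace(">", "")

def render_unescaped(name):
    """The defect class: user text placed into markup without encoding."""
    return TEMPLATE.format(name)

def render_escaped(name):
    """Output encoding: &, <, >, " and ' become character references."""
    return TEMPLATE.format(html.escape(name, quote=True))

class _Collector(HTMLParser):
    """Records the visible text and every start tag the parser sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.tags = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def message_is_intact(markup, name):
    """True if the page shows the whole name and contains only the wrapper div."""
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    shown = "".join(parser.text)
    return shown == "System group {} created.".format(name) and parser.tags == ["div"]

if __name__ == "__main__":
    stored = strip_angle_brackets(GROUP_NAME)
    print(message_is_intact(render_escaped(GROUP_NAME), GROUP_NAME))
    print(message_is_intact(render_escaped(stored), stored))
    print(message_is_intact(render_unescaped("a<b>c"), "a<b>c"))
```

Stripping `<` and `>` on input changes what is stored, while the encoding step is what keeps the remaining characters (`"`, `&`, `#`) from altering the page.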