Bug 546329 - systems/details/history/event.pxt would not quote HTML tags in event results field properly
systems/details/history/event.pxt would not quote HTML tags in event results...
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Milan Zazrivec
Red Hat Satellite QA List
Depends On:
Blocks: 462714
  Show dependency treegraph
Reported: 2009-12-10 11:51 EST by Milan Zazrivec
Modified: 2014-07-04 09:29 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-07-04 09:29:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Milan Zazrivec 2009-12-10 11:51:23 EST
Description of problem:
In case a registered client would return part of HTML text in the action
result to the server, Systems / Events / History page won't be able to quote
HTML tags in the event result details field properly (as in the browser would
process this text as if it would be part of the page).

We should be more careful about the data that flows from client to
server and not to trust it blindly.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a following HTML file on your system registered to Satellite:

<body onload="document.CSRF.submit()">
<form name="CSRF" method="GET"

2. Schedule an action on your client from Satellite webui (run a remote
3. Make your client return this as a part of the action response:

</td></tr></table><iframe src="http://your.client.machine/your-page.html"><p><b>logged out</b></p></iframe>

4. Run the action from your client (rhn_check)
5. Visit the action result page

Actual results:
You will be logged out of your Satellite

Expected results:
Results will be rendered as an ordinary text (HTML tags will be quoted).

Additional info:
You can think of a more malicious scenarios (other than logging the user out).

Note You need to log in before you can comment on or make changes to this bug.