Description of problem: In case a registered client would return part of HTML text in the action result to the server, Systems / Events / History page won't be able to quote HTML tags in the event result details field properly (as in the browser would process this text as if it would be part of the page). We should be more careful about the data that flows from client to server and not to trust it blindly. Version-Release number of selected component (if applicable): spacewalk-web-0.5.23-28 How reproducible: Always Steps to Reproduce: 1. Create a following HTML file on your system registered to Satellite: <body onload="document.CSRF.submit()"> <form name="CSRF" method="GET" action="https://your.satellite.org/rhn/Logout.do" style="display:none"> </form> </body> 2. Schedule an action on your client from Satellite webui (run a remote command) 3. Make your client return this as a part of the action response: </td></tr></table><iframe src="http://your.client.machine/your-page.html"><p><b>logged out</b></p></iframe> 4. Run the action from your client (rhn_check) 5. Visit the action result page Actual results: You will be logged out of your Satellite Expected results: Results will be rendered as an ordinary text (HTML tags will be quoted). Additional info: You can think of a more malicious scenarios (other than logging the user out).