Bug 978331 - html in changeset name and description
Summary: html in changeset name and description
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: WebUI
Version: Nightly
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-06-26 11:31 UTC by Ales Dujicek
Modified: 2019-09-26 13:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-24 17:07:18 UTC
Target Upstream Version:
Embargoed:


Attachments
screenshot (21.74 KB, image/png), 2013-10-16 08:46 UTC, Ales Dujicek
html characters are correctly escaped in snap7 (19.38 KB, image/png), 2013-10-24 10:44 UTC, Sachin Ghai

Description Ales Dujicek 2013-06-26 11:31:47 UTC
Description of problem:

it is possible to add html to changeset name and description because it is not escaped

Version-Release number of selected component (if applicable):
katello-glue-elasticsearch-1.4.2-18.el6sat.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-agent-1.4.3-1.git.1.24fe511.el6.noarch
signo-katello-0.0.19-1.el6sat.noarch
katello-configure-foreman-1.4.3-16.el6sat.noarch
katello-certs-tools-1.4.2-2.el6sat.noarch
katello-cli-1.4.2-8.el6sat.noarch
ruby193-rubygem-foreman-katello-engine-0.0.8-6.el6sat.noarch
katello-common-1.4.2-18.el6sat.noarch
katello-1.4.2-18.el6sat.noarch
katello-foreman-all-1.4.2-18.el6sat.noarch
katello-qpid-client-key-pair-1.0-1.noarch
ruby193-rubygem-katello_api-0.0.3-2.el6_4.noarch
katello-configure-1.4.3-16.el6sat.noarch
katello-glue-candlepin-1.4.2-18.el6sat.noarch
katello-all-1.4.2-18.el6sat.noarch
ruby193-rubygem-katello-foreman-engine-0.0.3-6.el6sat.noarch
katello-cli-common-1.4.2-8.el6sat.noarch
katello-selinux-1.4.3-3.el6sat.noarch
katello-glue-pulp-1.4.2-18.el6sat.noarch
katello-qpid-broker-key-pair-1.0-1.noarch


How reproducible:
always

Steps to Reproduce:
1. UI: Content -> Changeset Management -> Changesets
2. click + New Changeset, fill name with html <script>alert("BAM");</script>


Additional info:
similar to https://bugzilla.redhat.com/show_bug.cgi?id=951231

Comment 1 RHEL Program Management 2013-09-17 04:25:00 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Eric Helms 2013-09-30 23:27:29 UTC
I am not clear as to what the actual issue you are reporting is. Is it:

A) The fact that you can input HTML characters into the name is an issue?
B) The fact that if you input HTML characters, those HTML characters do not show up unescaped to the user?

Comment 5 Ales Dujicek 2013-10-04 07:58:47 UTC
B) HTML characters are ok, but should be escaped

Comment 6 Eric Helms 2013-10-08 17:02:56 UTC
Tracking here - https://github.com/Katello/katello/pull/3124

Comment 9 Ales Dujicek 2013-10-16 08:46:25 UTC
Created attachment 812826 [details]
screenshot

Changeset details should be escaped too (see screenshot).

Comment 10 Eric Helms 2013-10-22 03:15:25 UTC
I disagree with this assessment. The values presented are exactly what the user entered and should be presented as such. We have prevented the XSS vulnerability by escaping the content as the content is included in the DOM and as a result you see the pure text. If the user wishes to create a name that includes "<h2>", I don't think we should be changing that to "&lt;h2&gt;" as it is unreadable and not what the user entered.

Comment 11 Ales Dujicek 2013-10-22 08:53:43 UTC
I agree with you.

But look at the screenshot again, please. The text under "Changeset Details" is not escaped. There is big "changeset name" but it should be normal text "<h2>changeset name</h2>" (as on top of image). And the same with description.
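
The escaping approach Comment 10 describes (escape user-controlled text as it is inserted into the DOM, keep the stored value raw so the user sees exactly what was typed), together with the unescaped "Changeset Details" pane Comment 11 points out, as an added example that is not Katello's own code. The changeset object, the `renderDetails*` templates, the tag list and the helper names are assumptions; the sample inputs are the ones quoted in this bug.

```javascript
// Added example (not Katello code): escape user-controlled changeset fields
// at the moment they are placed into markup, as Comment 10 describes, and
// keep the stored value raw so the browser displays exactly what was typed.
// The changeset object, template and helper names below are assumptions.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPE_MAP = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };

// Output encoding: applied when rendering, never when saving.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// What the browser's HTML parser shows as visible text for escaped markup.
function unescapeHtml(value) {
  return String(value).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => UNESCAPE_MAP[ent]);
}

// Constructed sample using the inputs quoted in the bug report.
const SAMPLE_CHANGESET = {
  name: '<script>alert("BAM");</script>',
  description: '<h2>changeset name</h2>',
};

// Element names the details pane template legitimately emits (assumed).
const TEMPLATE_TAGS = ['h3', 'p'];

// The defect from the report: raw field values interpolated into markup.
function renderDetailsUnsafe(changeset) {
  return `<h3>${changeset.name}</h3><p>${changeset.description}</p>`;
}

// The fix: every user-controlled field escaped as it enters the DOM string.
function renderDetailsSafe(changeset) {
  return `<h3>${escapeHtml(changeset.name)}</h3><p>${escapeHtml(changeset.description)}</p>`;
}

// Collect the element names that appear as real tags in rendered markup.
function tagsIn(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// QA check in the spirit of Comment 16: rendered markup may contain only the
// template's own tags, so nothing from user input parses as an element.
function onlyTemplateTags(html, allowed = TEMPLATE_TAGS) {
  return tagsIn(html).every((name) => allowed.includes(name));
}

// The text the user sees (after entity decoding) must equal the stored value,
// which is Comment 10's point about not storing "&lt;h2&gt;" in the name.
function displaysVerbatim(value) {
  return unescapeHtml(escapeHtml(value)) === value;
}

console.log('unsafe render leaks tags:', !onlyTemplateTags(renderDetailsUnsafe(SAMPLE_CHANGESET)));
console.log('safe render clean:', onlyTemplateTags(renderDetailsSafe(SAMPLE_CHANGESET)));
console.log('name shown verbatim:', displaysVerbatim(SAMPLE_CHANGESET.name));
```

The `onlyTemplateTags` check is the kind of assertion a UI test can run against every view that prints a changeset field; the bug in this report was exactly one view (the details pane) that skipped the escaping step the list view already had.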

Comment 12 Eric Helms 2013-10-22 14:44:26 UTC
Ah ha, I completely missed that, my apologies. Thanks for pointing it out! I will get a fix in for that.

Comment 13 Eric Helms 2013-10-22 15:44:52 UTC
Tracking upstream fix here - https://github.com/Katello/katello/pull/3244

Comment 16 Sachin Ghai 2013-10-24 10:43:49 UTC
Verified with MDP2 Snap7:

katello-all-1.4.6-47.el6sat.noarch
katello-cli-1.4.3-27.el6sat.noarch
katello-glue-pulp-1.4.6-47.el6sat.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-selinux-1.4.4-4.el6sat.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
pulp-katello-plugins-0.2-1.el6sat.noarch
katello-configure-foreman-1.4.7-7.el6sat.noarch
ruby193-rubygem-katello_api-0.0.3-4.el6sat.noarch
katello-glue-candlepin-1.4.6-47.el6sat.noarch
ruby193-rubygem-katello-foreman-engine-0.0.12-3.el6sat.noarch
katello-foreman-all-1.4.6-47.el6sat.noarch
ruby193-rubygem-foreman-katello-engine-0.0.17-6.el6sat.noarch
katello-configure-1.4.7-7.el6sat.noarch
signo-katello-0.0.23-2.el6sat.noarch
katello-glue-elasticsearch-1.4.6-47.el6sat.noarch
katello-1.4.6-47.el6sat.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-common-1.4.6-47.el6sat.noarch
katello-certs-tools-1.4.4-1.el6sat.noarch
katello-cli-common-1.4.3-27.el6sat.noarch


Now html characters are correctly escaped for changeset name and description

Comment 17 Sachin Ghai 2013-10-24 10:44:58 UTC
Created attachment 815725 [details]
html characters are correctly escaped in snap7

Comment 18 Bryan Kearney 2014-04-24 17:07:18 UTC
This was verified and delivered with MDP2. Closing it out.

