Bug 978331 - html in changeset name and description
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 6
Classification: Red Hat
Component: WebUI
Version: Nightly
Hardware/OS: Unspecified
Priority: unspecified
Severity: medium
Assigned To: Eric Helms
QA Contact: Katello QA List
Keywords: Triaged
Reported: 2013-06-26 07:31 EDT by Ales Dujicek
Modified: 2014-04-24 13:07 EDT
Doc Type: Bug Fix
Last Closed: 2014-04-24 13:07:18 EDT
Type: Bug

Attachments:
screenshot (21.74 KB, image/png), 2013-10-16 04:46 EDT, Ales Dujicek
html characters are correctly escaped in snap7 (19.38 KB, image/png), 2013-10-24 06:44 EDT, Sachin Ghai

Description Ales Dujicek 2013-06-26 07:31:47 EDT
Description of problem:

It is possible to add HTML to the changeset name and description because it is not escaped.

Version-Release number of selected component (if applicable):
katello-glue-elasticsearch-1.4.2-18.el6sat.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-agent-1.4.3-1.git.1.24fe511.el6.noarch
signo-katello-0.0.19-1.el6sat.noarch
katello-configure-foreman-1.4.3-16.el6sat.noarch
katello-certs-tools-1.4.2-2.el6sat.noarch
katello-cli-1.4.2-8.el6sat.noarch
ruby193-rubygem-foreman-katello-engine-0.0.8-6.el6sat.noarch
katello-common-1.4.2-18.el6sat.noarch
katello-1.4.2-18.el6sat.noarch
katello-foreman-all-1.4.2-18.el6sat.noarch
katello-qpid-client-key-pair-1.0-1.noarch
ruby193-rubygem-katello_api-0.0.3-2.el6_4.noarch
katello-configure-1.4.3-16.el6sat.noarch
katello-glue-candlepin-1.4.2-18.el6sat.noarch
katello-all-1.4.2-18.el6sat.noarch
ruby193-rubygem-katello-foreman-engine-0.0.3-6.el6sat.noarch
katello-cli-common-1.4.2-8.el6sat.noarch
katello-selinux-1.4.3-3.el6sat.noarch
katello-glue-pulp-1.4.2-18.el6sat.noarch
katello-qpid-broker-key-pair-1.0-1.noarch


How reproducible:
always

Steps to Reproduce:
1. UI: Content -> Changeset Management -> Changesets
2. click + New Changeset, fill name with html <script>alert("BAM");</script>


Additional info:
similar to https://bugzilla.redhat.com/show_bug.cgi?id=951231
Comment 1 RHEL Product and Program Management 2013-09-17 00:25:00 EDT
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 4 Eric Helms 2013-09-30 19:27:29 EDT
I am not clear as to what the actual issue you are reporting is. Is it:

A) The fact that you can input HTML characters into the name is an issue?
B) The fact that if you input HTML characters, those HTML characters do not show up unescaped to the user?
Comment 5 Ales Dujicek 2013-10-04 03:58:47 EDT
B) HTML characters are ok, but should be escaped
Comment 6 Eric Helms 2013-10-08 13:02:56 EDT
Tracking here -https://github.com/Katello/katello/pull/3124
Comment 9 Ales Dujicek 2013-10-16 04:46:25 EDT
Created attachment 812826
screenshot

Changeset details should be escaped too (see screenshot).
Comment 10 Eric Helms 2013-10-21 23:15:25 EDT
I disagree with this assessment. The values presented are exactly what the user entered and should be presented as such. We have prevented the XSS vulnerability by escaping the content as the content is included in the DOM and as a result you see the pure text. If the user wishes to create a name that includes "<h2>", I don't think we should be changing that to "&lt;h2&gt;" as it is unreadable and not what the user entered.
Comment 11 Ales Dujicek 2013-10-22 04:53:43 EDT
I agree with you.

But look at the screenshot again, please. The text under "Changeset Details" is not escaped. There is big "changeset name" but it should be normal text "<h2>changeset name</h2>" (as on top of image). And the same with description.
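The distinction drawn in comment 10 and the gap pointed out in comment 11 (escape the value at the moment it is written into the HTML or DOM, never rewrite the stored value, and do this on every view including the details pane) as an added Ruby example. This is not Katello code and does not reproduce the upstream fix in the pull request referenced below; the changeset hash, the two render functions and the input strings are constructed here for illustration, and `ERB::Util.html_escape` from Ruby's standard library stands in for whatever escaping helper the real templates use.

```ruby
require 'erb'
require 'cgi'

# Constructed sample record, modelled on the bug's reproduction step: the name
# carries markup, the description carries the script payload from the report.
CHANGESET = {
  name:        '<h2>changeset name</h2>',
  description: '<script>alert("BAM");</script>'
}.freeze

# Hypothetical pre-fix details pane: the stored strings are interpolated into
# the fragment untouched, so a name of "<h2>...</h2>" renders as a heading and
# the description's <script> element reaches the browser as live markup.
def render_details_unescaped(changeset)
  "<dl><dt>Name</dt><dd>#{changeset[:name]}</dd>" \
    "<dt>Description</dt><dd>#{changeset[:description]}</dd></dl>"
end

# Hardened details pane: escaping happens where the value enters the HTML.
# The stored value is left exactly as the user typed it (comment 10's point);
# only the rendered fragment contains entities.
def render_details_escaped(changeset)
  name = ERB::Util.html_escape(changeset[:name])
  desc = ERB::Util.html_escape(changeset[:description])
  "<dl><dt>Name</dt><dd>#{name}</dd><dt>Description</dt><dd>#{desc}</dd></dl>"
end

# Check used in the test below: does any tag literally present in the user's
# input survive as a tag in the rendered output? A correctly escaped view
# must answer false for every user-controlled field.
def contains_raw_tag?(html, user_value)
  user_value.scan(/<[^>]+>/).any? { |tag| html.include?(tag) }
end

# What goes wrong if the value is escaped on the way into storage and then
# escaped again on output: the user sees "&amp;lt;h2&amp;gt;" instead of the
# text they entered. This is the "unreadable" outcome comment 10 argues against.
def double_escape(stored_value)
  ERB::Util.html_escape(ERB::Util.html_escape(stored_value))
end

# Round trip: because the stored value was never altered, decoding the escaped
# rendering of a field gives back exactly what the user entered.
def round_trips?(value)
  CGI.unescapeHTML(ERB::Util.html_escape(value)) == value
end

if $PROGRAM_NAME == __FILE__
  puts "unescaped: #{render_details_unescaped(CHANGESET)}"
  puts "escaped:   #{render_details_escaped(CHANGESET)}"
  puts "double:    #{double_escape(CHANGESET[:name])}"
end
```

The escape call belongs in every template that prints the field; the list view being fixed while the details pane is not (the situation in the screenshot) is exactly what a per-field check like `contains_raw_tag?` run against each rendered page catches.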
Comment 12 Eric Helms 2013-10-22 10:44:26 EDT
Ah ha, I completely missed that, my apologies. Thanks for pointing it out! I will get a fix in for that.
Comment 13 Eric Helms 2013-10-22 11:44:52 EDT
Tracking upstream fix here - https://github.com/Katello/katello/pull/3244
Comment 16 Sachin Ghai 2013-10-24 06:43:49 EDT
Verified with MDP2 Snap7:

katello-all-1.4.6-47.el6sat.noarch
katello-cli-1.4.3-27.el6sat.noarch
katello-glue-pulp-1.4.6-47.el6sat.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-selinux-1.4.4-4.el6sat.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
pulp-katello-plugins-0.2-1.el6sat.noarch
katello-configure-foreman-1.4.7-7.el6sat.noarch
ruby193-rubygem-katello_api-0.0.3-4.el6sat.noarch
katello-glue-candlepin-1.4.6-47.el6sat.noarch
ruby193-rubygem-katello-foreman-engine-0.0.12-3.el6sat.noarch
katello-foreman-all-1.4.6-47.el6sat.noarch
ruby193-rubygem-foreman-katello-engine-0.0.17-6.el6sat.noarch
katello-configure-1.4.7-7.el6sat.noarch
signo-katello-0.0.23-2.el6sat.noarch
katello-glue-elasticsearch-1.4.6-47.el6sat.noarch
katello-1.4.6-47.el6sat.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-common-1.4.6-47.el6sat.noarch
katello-certs-tools-1.4.4-1.el6sat.noarch
katello-cli-common-1.4.3-27.el6sat.noarch


Now html characters are correctly escaped for changeset name and description
Comment 17 Sachin Ghai 2013-10-24 06:44:58 EDT
Created attachment 815725
html characters are correctly escaped in snap7
Comment 18 Bryan Kearney 2014-04-24 13:07:18 EDT
This was verified and delivered with MDP2. Closing it out.