Created attachment 770830 [details] html in permission description Description of problem: html in permission description is not escaped Version-Release number of selected component (if applicable): katello-1.4.2-18.el6sat.noarch katello-candlepin-cert-key-pair-1.0-1.noarch katello-agent-1.4.3-1.git.1.24fe511.el6.noarch katello-certs-tools-1.4.2-2.el6sat.noarch katello-configure-1.4.3-16.el6sat.noarch katello-glue-pulp-1.4.2-18.el6sat.noarch katello-all-1.4.2-18.el6sat.noarch katello-cli-common-1.4.2-8.el6sat.noarch ruby193-rubygem-foreman-katello-engine-0.0.8-6.el6sat.noarch signo-katello-0.0.19-1.el6sat.noarch katello-glue-elasticsearch-1.4.2-18.el6sat.noarch katello-configure-foreman-1.4.3-16.el6sat.noarch katello-foreman-all-1.4.2-18.el6sat.noarch katello-qpid-client-key-pair-1.0-1.noarch katello-cli-1.4.2-8.el6sat.noarch ruby193-rubygem-katello_api-0.0.3-2.el6_4.noarch katello-common-1.4.2-18.el6sat.noarch katello-selinux-1.4.3-3.el6sat.noarch katello-glue-candlepin-1.4.2-18.el6sat.noarch ruby193-rubygem-katello-foreman-engine-0.0.3-6.el6sat.noarch katello-qpid-broker-key-pair-1.0-1.noarch How reproducible: always Steps to Reproduce: 1. Administer > Roles > select role 2. Permissions > Global permissions > Add permission 3. choose any scope etc., fill html like <script>alert('foo');</script> or <h2>ht<font color=red>ml</font> !!</h2> to description 4. open permission details Actual results: Expected results: Additional info:
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
Fix available as of 0860e230be29ee26a6b4657ecf0bb886f684937e
Verified. katello-all-1.4.6-39.el6sat.noarch katello-selinux-1.4.4-4.el6sat.noarch katello-qpid-broker-key-pair-1.0-1.noarch katello-1.4.6-39.el6sat.noarch signo-katello-0.0.22-2.el6sat.noarch katello-configure-foreman-proxy-1.4.7-5.el6sat.noarch katello-glue-candlepin-1.4.6-39.el6sat.noarch katello-glue-pulp-1.4.6-39.el6sat.noarch katello-cli-common-1.4.3-24.el6sat.noarch katello-candlepin-cert-key-pair-1.0-1.noarch katello-configure-1.4.7-5.el6sat.noarch katello-glue-elasticsearch-1.4.6-39.el6sat.noarch katello-configure-foreman-1.4.7-5.el6sat.noarch katello-foreman-all-1.4.6-39.el6sat.noarch pulp-katello-plugins-0.2-1.el6sat.noarch ruby193-rubygem-foreman-katello-engine-0.0.17-6.el6sat.noarch ruby193-rubygem-katello-foreman-engine-0.0.11-3.el6sat.noarch ruby193-rubygem-katello_api-0.0.3-4.el6sat.noarch katello-common-1.4.6-39.el6sat.noarch katello-cli-1.4.3-24.el6sat.noarch katello-certs-tools-1.4.4-1.el6sat.noarch katello-qpid-client-key-pair-1.0-1.noarch
This was verified and delivered with MDP2. Closing it out.
This was delivered and verified with MDP2. Closing the bug.