Foreman form helpers do not escape JS when rendering label
|Assigned To:||Marek Hulán|
|Target version:||Team Marek Iteration 1|
|Found in release:||1.6.0||Pull request:||https://github.com/theforeman/foreman/pull/3715|
|Velocity based estimate||-|
The issue was introduced in Foreman 1.6. There's only one dynamic
:label => in Foreman that uses MailNotification name which we don't allow users to modify so there's no vulnerable code in Foreman. But remote execution plugin that rely on this label to be escaped. Setting to 1.12.2, feel free to reset. For REX this is pretty important though.