CVE-2016-8634 - Organization/location wizard may run stored XSS through alert
|Assigned To:||Tomer Brisker|
|Found in release:||Pull request:||https://github.com/theforeman/foreman/pull/3996|
|Velocity based estimate||-|
When creating an organization or location, if the name contains HTML then the second step of the wizard (/organizations/id/step2) will render the HTML.
This occurs in the alert box stating that "Assigning hosts to ... will also update ... to include all the resources that the selected hosts are currently using."
This may permit a stored XSS attack if an organization with HTML in its name was added, then a user was directed to the specific URL of the wizard. However there are no direct links back to the wizard, so ordinarily this would only affect the user who created the org/location.
Affects Foreman 1.1 and higher.
Reported by Sanket Jagtap to email@example.com.
Fixes #17195 - CVE-2016-8634 escape html in alert text
The alert helper used to mark the alert text as html_safe by default.
However, in some cases it may be possible for a user to enter custom
text into the alert message leading to a possible XSS vulnerability.
This patch changes this so that text is escaped unless expilicitly
marked as html_safe in the code.