CVE-2018-16861 - toast notification sends strings through as HTML
If you call `Notification.setErrorMessage()` with a string that contains `<` and `>`, the string will get sent through to the browser and the browser will attempt to render it as HTML.
For example, it's possible to get Pulp to raise an error message like "The configuration parameter <foo> is not valid". This will display in the browser as "The configuration parameter is not valid".
It would be better if the notification escaped these strings so the "<>" is not lost.
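The escaping the report asks for, as an added example in JavaScript (not code from Foreman or from the reporter): a toast message is HTML-escaped before it is interpolated into the notification markup, and a small `visibleText` helper approximates what a browser would display so the lost `<foo>` in the unescaped path can be compared with the escaped one. The function names, the `toast-error` / `toast-message` class names and the tag-stripping approximation are assumptions made for this example.

```javascript
// Added example, not Foreman's own code: escape message text before it is
// placed into toast markup, so "<foo>" survives as visible text instead of
// being parsed by the browser as an HTML tag.

// Characters with meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every HTML-significant character in a single pass.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern the report describes: the message is interpolated raw, so any
// "<...>" inside it becomes markup. (Hypothetical wrapper markup.)
function unsafeToastMarkup(message) {
  return `<div class="toast-error"><span class="toast-message">${message}</span></div>`;
}

// Hardened form: only the fixed wrapper is literal HTML; the message is escaped.
function safeToastMarkup(message) {
  return `<div class="toast-error"><span class="toast-message">${escapeHtml(message)}</span></div>`;
}

// Rough approximation of the text a browser would show for a markup string:
// drop tags, then decode the entities escapeHtml produces ("&amp;" last so
// that "&amp;lt;" becomes "&lt;", not "<"). Illustration only, not a parser.
function visibleText(markup) {
  return markup
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Constructed sample: the message from the report.
const SAMPLE_MESSAGE = 'The configuration parameter <foo> is not valid';

function demo() {
  return {
    unsafe: visibleText(unsafeToastMarkup(SAMPLE_MESSAGE)), // "<foo>" disappears
    safe: visibleText(safeToastMarkup(SAMPLE_MESSAGE)),     // "<foo>" is kept
  };
}

console.log(demo());
```

Running it shows the unescaped path displaying "The configuration parameter  is not valid" while the escaped path preserves `<foo>`; the same `escapeHtml` step is what keeps attacker-influenced text from becoming script-bearing markup when the toast is rendered via `innerHTML`.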
Updated by John Mitsch about 5 years ago
Updated by Tomer Brisker about 5 years ago
- Found in Releases 1.16.0, 1.16.0-RC1, 1.16.0-RC2, 1.16.1, 1.16.2, 1.17.0, 1.17.0-RC1, 1.17.0-RC2, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.18.0, 1.18.0-RC1, 1.18.0-RC2, 1.18.0-RC3, 1.18.1, 1.18.2, 1.19.0, 1.19.0-RC1, 1.19.0-RC2, 1.19.0-RC3 added
This was introduced in https://github.com/theforeman/foreman/commit/68cd4bba826df1e155445bf10a7fc2cb186c9d82 which is in 1.16.0 or newer. On the server side, when using the foreman core functions for toast notifications, the messages are escaped: https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/foreman/controller/flash.rb#L67, therefore this could only be exploited by creating a toast notification in a different manner.