
Bug #24807

CVE-2018-16861 - toast notification sends strings through as HTML

Added by Chris Duryee over 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: High
Assignee: -
Category: Security
Target version: -

Description

If you call `Notification.setErrorMessage()` with a string that contains `<` and `>`, the string will get sent through to the browser and the browser will attempt to render it as HTML.

For example, it's possible to get Pulp to raise an error message like "The configuration parameter <foo> is not valid". This will display in the browser as "The configuration parameter is not valid".

It would be better if the notification escaped these strings so the "<>" is not lost.
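The following is an added example and not Foreman's own code: it shows the difference between handing a message straight to an HTML context and escaping it first, using a hypothetical `renderToast()` stand-in for `Notification.setErrorMessage()` and a `containsForeignTags()` check, both constructed here so the behaviour can be observed without a browser.

```javascript
// Added example (not Foreman's code). The reported defect: a message
// containing "<foo>" reaches the browser as HTML, so "<foo>" is parsed
// as an unknown element and the text between the angle brackets
// disappears from the rendered toast. Escaping the HTML-significant
// characters before the string reaches the DOM keeps the literal text.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a plain-text message so it can be placed into an HTML context
// without being interpreted as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical stand-in for Notification.setErrorMessage(): returns the
// markup that would be inserted into the toast container, with or
// without the escaping step, so both variants can be compared.
function renderToast(message, { escape }) {
  const body = escape ? escapeHtml(message) : message;
  return `<div class="toast error">${body}</div>`;
}

// Check whether the rendered markup contains any tag other than the toast
// wrapper, i.e. whether message text turned into markup.
function containsForeignTags(markup) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div\b/.test(t));
}

// Constructed message taken from the report; "<foo>" is the token that
// is lost when the message is rendered unescaped.
const MESSAGE = 'The configuration parameter <foo> is not valid';

const unsafe = renderToast(MESSAGE, { escape: false });
const safe = renderToast(MESSAGE, { escape: true });
console.log('unescaped:', unsafe, 'foreign tags:', containsForeignTags(unsafe));
console.log('escaped:  ', safe, 'foreign tags:', containsForeignTags(safe));
```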


Related issues: 1 (0 open, 1 closed)

Related to Foreman - Bug #25230: compute resource test connection is html incorrectly escaped (Closed, Tomer Brisker)