Bug #24834

closed

Fact names and values are not displayed properly

Added by Marek Hulán almost 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Facts
Target version:
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1625611

Description of problem:

If you upload Host Facts that contain characters like <>"&

  1. curl -u admin:changeme -k https://localhost/api/v2/hosts/facts -d '{"name": "facthost", "facts": {"name; <>\"&": "value; <>\"&", "operatingsystem": "RedHat", "operatingsystemrelease": "6.12"}}' -H 'Content-Type: application/json'

They are not displayed properly in UI

1. Monitor > Facts (/fact_values)

fact name is double escaped in the table

facthost name <>"& value <>"&

2. Monitor > Facts (/fact_values)

links in Name and Value columns point to not valid searches

3. Monitor > Facts > View Chart

fact names and values are double escaped in the charts

4. Monitor > Trends
values are escaped twice in graphs in Trends

Version-Release number of selected component (if applicable):
Satellite 6.4 snap 20
satellite-6.4.0-13.el7sat.noarch
katello-3.7.0-5.el7sat.noarch
foreman-1.18.0.18-1.el7sat.noarch

Additional info:
bz 1509442 comment 5
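
The double-escaping and invalid-link symptoms described in the report above, as an added example that is not part of the original report or of Foreman's code. It uses plain Ruby's `ERB::Util.html_escape`; the helper names and the `name = "..."` search expression are assumptions made for illustration.

```ruby
require 'erb'
require 'uri'

# Constructed sample: the fact name from the report's curl payload.
FACT_NAME = 'name; <>"&'
# Hypothetical search expression; the real query syntax is not shown on the page.
SEARCH = %(name = "#{FACT_NAME}")

ENTITIES = { '&lt;' => '<', '&gt;' => '>', '&quot;' => '"',
             '&#39;' => "'", '&amp;' => '&' }.freeze

# Correct: escape exactly once, where the text enters HTML.
def render_cell(text)
  ERB::Util.html_escape(text)
end

# The reported symptom: already-escaped text is escaped a second time.
def render_cell_double(text)
  ERB::Util.html_escape(render_cell(text))
end

# Models what a browser shows for a text node: one decoding pass over
# the five entities html_escape emits.
def browser_text(html)
  html.gsub(/&(?:lt|gt|quot|#39|amp);/, ENTITIES)
end

# A link needs two layers in order: URL-encode the query value, then
# HTML-escape the whole href for the attribute context.
def search_link(path, search, label)
  href = "#{path}?#{URI.encode_www_form(search: search)}"
  %(<a href="#{ERB::Util.html_escape(href)}">#{render_cell(label)}</a>)
end

# Recovers the search string a server would receive after a click.
def search_from_link(html)
  href = browser_text(html[/href="([^"]*)"/, 1])
  URI.decode_www_form(URI(href).query).to_h['search']
end

if __FILE__ == $PROGRAM_NAME
  puts browser_text(render_cell(FACT_NAME))        # user sees the raw fact name
  puts browser_text(render_cell_double(FACT_NAME)) # user sees literal entities
  puts search_link('/fact_values', SEARCH, FACT_NAME)
end
```
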


Related issues 3 (0 open, 3 closed)

Related to Foreman - Bug #21519: CVE-2017-15100: Stored XSS in fact name or value (Closed, Tomer Brisker, 10/31/2017)
Related to Foreman - Refactor #25952: Unused function escaped_warning_chart_context (Closed, boaz shust)
Related to Foreman - Bug #27382: Facts are double escaped in facts charts legend (Closed, Ondřej Ezr)

#1

Updated by Marek Hulán almost 6 years ago

  • Related to Bug #21519: CVE-2017-15100: Stored XSS in fact name or value added
#2

Updated by The Foreman Bot over 5 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/6136 added
#3

Updated by The Foreman Bot over 5 years ago

  • Assignee set to b sh
#4

Updated by Ohad Levy over 5 years ago

  • Subject changed from Fact names and values are not displayed properly to Fact names and values are not displayed properly
  • Target version set to 1.22.0
  • Fixed in Releases 1.22.0 added
#5

Updated by Anonymous over 5 years ago

  • Status changed from Ready For Testing to Closed
#6

Updated by Tomer Brisker about 5 years ago

  • Related to Refactor #25952: Unused function escaped_warning_chart_context added
#7

Updated by Marek Hulán almost 5 years ago

  • Related to Bug #27382: Facts are double escaped in facts charts legend added