Bug #24834

Fact names and values are not displayed properly

Added by Marek Hulán about 1 year ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Facts
Target version:
Difficulty:
Triaged:
No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1625611

Description of problem:

If you upload Host Facts that contain characters like <>"&

  1. curl -u admin:changeme -k https://localhost/api/v2/hosts/facts -d '{"name": "facthost", "facts": {"name; <>\"&": "value; <>\"&", "operatingsystem": "RedHat", "operatingsystemrelease": "6.12"}}' -H 'Content-Type: application/json'

They are not displayed properly in the UI

1. Monitor > Facts (/fact_values)

fact name is double escaped in the table

facthost name <>"& value <>"&

2. Monitor > Facts (/fact_values)

links in the Name and Value columns point to invalid searches

3. Monitor > Facts > View Chart

fact names and values are double escaped in the charts

4. Monitor > Trends

values are escaped twice in graphs in Trends

Version-Release number of selected component (if applicable):
Satellite 6.4 snap 20
satellite-6.4.0-13.el7sat.noarch
katello-3.7.0-5.el7sat.noarch
foreman-1.18.0.18-1.el7sat.noarch

Additional info:
bz 1509442 comment 5
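The double escaping described above, reproduced in plain Ruby as an added example (this is not Foreman's code or the fix from the linked revision). The `SafeString` class is an assumed stand-in for Rails' `ActiveSupport::SafeBuffer`, and the fact name is the one from the curl call in this report.

```ruby
require 'cgi'

# Constructed sample input: the fact name posted by the curl call in this report.
FACT_NAME = 'name; <>"&'

# Minimal stand-in for Rails' ActiveSupport::SafeBuffer (an assumption, not
# Foreman's code): it marks text that has already been HTML-escaped so that a
# later escape step leaves it alone.
class SafeString
  attr_reader :text

  def initialize(text)
    @text = text
  end

  def html_safe?
    true
  end

  def to_s
    text
  end
end

# Escape exactly once: untrusted strings are escaped, already-safe ones pass through.
def escape_once(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  CGI.escapeHTML(value.to_s)
end

# Buggy path: the data builder escapes the name and hands back a plain String,
# so the template's escape step escapes the "&" of every entity a second time.
def render_double_escaped(raw)
  from_builder = CGI.escapeHTML(raw)
  escape_once(from_builder)
end

# Fixed path: the data builder marks its escaped output as safe, so the
# template's escape step is a no-op and the markup is escaped exactly once.
def render_escaped_once(raw)
  from_builder = SafeString.new(escape_once(raw))
  escape_once(from_builder)
end

# What a browser shows for a rendered text node: entities decoded once.
def as_displayed(html)
  CGI.unescapeHTML(html)
end
```

`as_displayed(render_double_escaped(FACT_NAME))` yields the literal `&lt;&gt;&quot;&amp;` text seen in the facts table, while the single-escape path displays the original name and still never emits raw `<`, `>` or `"` into the markup.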


Related issues

Related to Foreman - Bug #21519: CVE-2017-15100: Stored XSS in fact name or value (Closed, 2017-10-31)
Related to Foreman - Refactor #25952: Unused function escaped_warning_chart_context (Closed)
Related to Foreman - Bug #27382: Facts are double escaped in facts charts legend (Closed)

Associated revisions

Revision e806152b (diff)
Added by Boaz Shuster 9 months ago

Fixes #24834 - HTML-escape fact name only once

Signed-off-by: Boaz Shuster <>

History

#1 Updated by Marek Hulán about 1 year ago

  • Related to Bug #21519: CVE-2017-15100: Stored XSS in fact name or value added

#2 Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/6136 added

#3 Updated by The Foreman Bot 9 months ago

  • Assignee set to b sh

#4 Updated by Ohad Levy 9 months ago

  • Target version set to 1.22.0
  • Subject changed from Fact names and values are not displayed properly to Fact names and values are not displayed properly
  • Fixed in Releases 1.22.0 added

#5 Updated by Anonymous 9 months ago

  • Status changed from Ready For Testing to Closed

#6 Updated by Tomer Brisker 6 months ago

  • Related to Refactor #25952: Unused function escaped_warning_chart_context added

#7 Updated by Marek Hulán 3 months ago

  • Related to Bug #27382: Facts are double escaped in facts charts legend added
