Bug #24834

closed

Fact names and values are not displayed properly

Added by Marek Hulán over 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Facts
Target version:
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1625611

Description of problem:

If you upload Host Facts that contain characters like <>"&

  1. curl -u admin:changeme -k https://localhost/api/v2/hosts/facts -d '{"name": "facthost", "facts": {"name; <>\"&": "value; <>\"&", "operatingsystem": "RedHat", "operatingsystemrelease": "6.12"}}' -H 'Content-Type: application/json'

They are not displayed properly in UI

1. Monitor > Facts (/fact_values)

fact name is double escaped in the table

facthost name <>"& value <>"&

2. Monitor > Facts (/fact_values)

links in Name and Value columns point to not valid searches

3. Monitor > Facts > View Chart

fact names and values are double escaped in the charts

4. Monitor > Trends

values are escaped twice in graphs in Trends

Version-Release number of selected component (if applicable):
Satellite 6.4 snap 20
satellite-6.4.0-13.el7sat.noarch
katello-3.7.0-5.el7sat.noarch
foreman-1.18.0.18-1.el7sat.noarch

Additional info:
bz 1509442 comment 5


Related issues 3 (0 open, 3 closed)

Related to Foreman - Bug #21519: CVE-2017-15100: Stored XSS in fact name or value (Closed, Tomer Brisker, 10/31/2017)
Related to Foreman - Refactor #25952: Unused function escaped_warning_chart_context (Closed, boaz shust)
Related to Foreman - Bug #27382: Facts are double escaped in facts charts legend (Closed, Ondřej Ezr)
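A generic Ruby illustration of the symptoms reported above, added here and not taken from Foreman's code or from the fix for this bug: it shows a value escaped once versus twice, a heuristic check for double-escaped markup, and a search link that percent-encodes the query value before HTML-escaping the attribute. The helper names, the `search` parameter name and the detection pattern are assumptions; the fact name is the one from the curl request in the report.

```ruby
require 'erb'

# Fact name from the curl request in the report.
FACT_NAME = 'name; <>"&'

# Escape exactly once, at the point where the raw value enters HTML.
def render_cell(raw)
  "<td>#{ERB::Util.html_escape(raw)}</td>"
end

# The failure mode: a value already escaped upstream (for example before
# storage or in a helper) is escaped a second time by the view.
def render_cell_twice(raw)
  render_cell(ERB::Util.html_escape(raw))
end

# An entity whose leading ampersand was itself escaped is the usual
# signature of double escaping. Heuristic only: raw text that literally
# contains "&lt;" also matches after one correct escape.
DOUBLE_ESCAPED = /&amp;(?:lt|gt|quot|amp|#\d+|#x\h+);/i

def double_escaped?(html)
  html.match?(DOUBLE_ESCAPED)
end

# A link needs two different encodings, in this order: percent-encoding
# for the query value, then HTML escaping for the whole attribute value.
# HTML-escaping the value instead of percent-encoding it leaves '&' and
# ';' in the query string, which splits the search parameter.
def search_link(raw, path = '/fact_values', param = 'search')
  href = "#{path}?#{param}=#{ERB::Util.url_encode(raw)}"
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(raw)}</a>)
end

if __FILE__ == $PROGRAM_NAME
  puts render_cell(FACT_NAME)
  puts render_cell_twice(FACT_NAME)
  puts double_escaped?(render_cell_twice(FACT_NAME))
  puts search_link(FACT_NAME)
end
```

Running `double_escaped?` over rendered pages in a view or integration test gives a cheap regression check for this class of bug after an XSS fix adds escaping at a new layer.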