Bug #6858

HTML tags should be escaped when we update any parameter value under settings tab

Added by Dominic Cleal about 5 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: Settings
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1125181
Description of problem:
I was trying to update a parameter defined under the settings tab, and I was able to update it with HTML tags; those tags should be escaped properly.

For example, I updated the 'administrator' param value with: <a href="foo_bar">foo</a>

And the UI shows me a link to 'foo'. Please see the screenshot.

Please note that the UI doesn't escape the HTML tags immediately after updating the value. But once you navigate away from the settings page to another page and get back, then it will be escaped.

Version-Release number of selected component (if applicable):
sat6 GA snap1

How reproducible:
always

Steps to Reproduce:
1. pick any parameter which opens a text box to update its value
2. edit the value with HTML tags like: <a href="foo_bar">foo</a>
3. save it

Actual results:
The UI doesn't escape the HTML tags immediately after updating the value. But once you navigate away from the settings page to another page and get back, then it will be escaped.

Expected results:
HTML tags should be escaped as soon as you save the parameter value

Additional info:
a similar issue exists with another parameter, "email_reply_address"
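An added illustration of the behaviour the report describes. This is example code written for this page, not Foreman's code and not the change in the linked pull request; the function names (escapeHtml, renderSettingCellUnsafe, renderSettingCellSafe, tagNames) and the setting name are assumptions, and the sample value is the one from the report. It contrasts an in-place update that concatenates the just-saved value into markup (what the reporter sees immediately after saving) with one that escapes it first (what the server-side template does on a full page render), and includes a small check that tells the two apart:

```javascript
// Example code (not Foreman's): escaping a settings value on the client-side
// update path. All names below are assumed for illustration.

// Minimal HTML escaper covering the characters that matter in text nodes and
// in double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Buggy pattern: the value the user just typed (or the value echoed back in
// the save response) is concatenated straight into markup that later lands
// in innerHTML. A full page reload looks correct only because the server
// template escapes the value when it renders the page.
function renderSettingCellUnsafe(settingName, value) {
  return '<td class="setting-value" data-name="' + settingName + '">' +
    value + '</td>';
}

// Fixed pattern: escape before concatenation, in both the attribute and the
// text context. (When writing to a live DOM node, assigning textContent
// instead of innerHTML avoids the problem without any escaping at all.)
function renderSettingCellSafe(settingName, value) {
  return '<td class="setting-value" data-name="' + escapeHtml(settingName) + '">' +
    escapeHtml(value) + '</td>';
}

// Regression check: list the element names a browser would actually parse
// out of the rendered fragment. Escaped payloads never show up here.
function tagNames(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed sample input: the exact value from the bug report.
const SAMPLE_VALUE = '<a href="foo_bar">foo</a>';

// Stand-alone run: show what each path would hand to the browser.
console.log('unsafe :', renderSettingCellUnsafe('administrator', SAMPLE_VALUE));
console.log('unsafe tags:', tagNames(renderSettingCellUnsafe('administrator', SAMPLE_VALUE)));
console.log('safe   :', renderSettingCellSafe('administrator', SAMPLE_VALUE));
console.log('safe tags  :', tagNames(renderSettingCellSafe('administrator', SAMPLE_VALUE)));
```

Run it with `node`. The unsafe path yields a real `<a>` element inside the cell (the clickable "foo" link the reporter saw), the safe path yields only the `<td>` with the payload as inert text. The tagNames check is the kind of assertion worth keeping in a test suite for any client-side code that rebuilds a cell from a saved value, since the server-side escaping on full render hides the problem from casual testing.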

Associated revisions

Revision e108822a (diff)
Added by Amir Fefer over 3 years ago

Fixes #6858 - escape HTML tags when updating a parameter value in settings

Revision 42e29a0f (diff)
Added by Amir Fefer over 3 years ago

Fixes #6858 - escape HTML tags when updating a parameter value in settings

(cherry picked from commit e108822a1a3ab567ea17d733754ccc9c9447dc8a)

History

#1 Updated by Dominic Cleal about 5 years ago

  • Category set to Settings

I don't believe this has a security impact, as it's only shown to the user that updates the value. The value gets escaped when it's rendered - including if it's updated via the API.

#2 Updated by Tom Caspy over 4 years ago

+1 on Dominic's conclusion - there's no security issue here. I say we close this.

#3 Updated by Dominic Cleal over 4 years ago

It's valid, so it can stay open.

#4 Updated by Amir Fefer over 3 years ago

  • Assignee set to Amir Fefer

#5 Updated by The Foreman Bot over 3 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3264 added

#6 Updated by Amir Fefer over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Dominic Cleal over 3 years ago

  • Legacy Backlogs Release (now unused) set to 141