Poorly escaped input value in run workflow form shows html snippet. #2230

Closed
hexylena opened this issue Apr 22, 2016 · 1 comment

Comments

@hexylena
Member

[screenshot: utvalg_726]

So...that's neat. On d7353d3. Not tested on dev yet, sorry.

So that happens because of this HTML snippet:

<input type="hidden" name="13442|tool_state" value="{"input": "{\"__class__\": \"RuntimeValue\"}", "__rerun_remap_job_id__": null, "header_lines": "\"0\"", "cond": "\"100 * c4 / c23 > 50\"", "__page__": 0}">

It's the filter tool and the filter I used was 100 * c4 / c23 > 50. The escaping job on value is somewhat suboptimal.

@hexylena hexylena added this to the 16.07 milestone Apr 22, 2016
@hexylena
Member Author

Closing to decrease visibility, will follow up via email.

hexylena added a commit to hexylena/galaxy that referenced this issue Apr 22, 2016
This sanitizes some instances where tool parameters were included
directly into the DOM.

workflow/run.mako displayed the parameter as a value in a hidden input.
This was base64 encoded as there was no better solution apparent at the
time. I'm not sure where this parameter is POSTed to but we should
figure that out and b64decode it, or remove the hidden parameter.

client/... added the parameter value into the DOM. This was easily
sanitized using a standard method.

workflow/display.mako included the parameter value directly into the
HTML. This was cgi.escaped.
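The report shows the symptom (a value attribute that ends at the first double quote of the JSON, with the rest rendered as page text) and the commit message names three remedies (base64, a standard client-side sanitiser, cgi.escape). The following is an added example, not Galaxy's own code: it reconstructs the Filter tool state from the snippet in the report (the step id 13442 and the field name are taken from the issue; the Python dict is an assumption about the underlying structure), renders it into a hidden input four ways, and uses Python's html.parser as a stand-in for the browser to show what value actually survives in each case. The legacy_escape helper imitates Python 2's cgi.escape with its default quote=False and is an assumption of this example, not a function from the project.

```python
import base64
import html
import json
from html.parser import HTMLParser

# Constructed tool state mirroring the Filter tool parameters in the report
# (assumption: the values are JSON-encoded strings inside the outer JSON,
# which is what the snippet in the issue shows).
TOOL_STATE = {
    "input": json.dumps({"__class__": "RuntimeValue"}),
    "__rerun_remap_job_id__": None,
    "header_lines": json.dumps("0"),
    "cond": json.dumps("100 * c4 / c23 > 50"),
    "__page__": 0,
}
FIELD_NAME = "13442|tool_state"  # step id and field name as they appear in the report


def legacy_escape(s):
    """Imitates Python 2 cgi.escape() with its default quote=False: & < > only, quotes untouched."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def render_unescaped(name, state):
    """The pattern behind the bug: JSON interpolated straight into a value attribute."""
    return '<input type="hidden" name="%s" value="%s">' % (name, json.dumps(state))


def render_legacy_escaped(name, state):
    """Entity-escaped but without quote escaping: enough for a text node, not for an attribute."""
    return '<input type="hidden" name="%s" value="%s">' % (name, legacy_escape(json.dumps(state)))


def render_escaped(name, state):
    """Attribute-safe: html.escape(quote=True) also turns \" and ' into entities."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(json.dumps(state), quote=True))


def render_b64(name, state):
    """The workaround the commit describes: base64 keeps the attribute to [A-Za-z0-9+/=]."""
    payload = base64.b64encode(json.dumps(state).encode("utf-8")).decode("ascii")
    return '<input type="hidden" name="%s" value="%s">' % (html.escape(name, quote=True), payload)


def decode_b64_state(posted_value):
    """What the controller receiving the POST has to do with the base64 form."""
    return json.loads(base64.b64decode(posted_value).decode("utf-8"))


class _InputCollector(HTMLParser):
    """Tokenises the markup roughly as a browser would: <input> attributes plus stray text."""

    def __init__(self):
        super().__init__()
        self.inputs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

    def handle_data(self, data):
        self.text.append(data)


def parse_markup(markup):
    """Return (value attribute of the first <input>, text that fell outside the tag)."""
    p = _InputCollector()
    p.feed(markup)
    p.close()
    value = p.inputs[0].get("value") if p.inputs else None
    return value, "".join(p.text).strip()


def render_and_parse(render):
    """Render the constructed tool state with one strategy and parse the result."""
    return parse_markup(render(FIELD_NAME, TOOL_STATE))


if __name__ == "__main__":
    for label, render in [("unescaped", render_unescaped),
                          ("legacy cgi.escape", render_legacy_escaped),
                          ("html.escape(quote=True)", render_escaped),
                          ("base64", render_b64)]:
        value, leaked = render_and_parse(render)
        print("%-24s value=%r leaked=%r" % (label, value, leaked))
```

The first two renderings both lose everything after the opening brace, because the unescaped double quote closes the attribute; the quote-less escaping merely hides the leaked text that made the bug visible. Python 3's html.escape escapes quotes by default, whereas Python 2's cgi.escape only does so when called with quote=True, so the same call that is adequate for a text-node context has to be made with quote=True once the value sits inside an attribute. The base64 route avoids the attribute problem entirely but moves work to the POST handler, which is the open question the commit message flags.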
guerler added a commit that referenced this issue Apr 22, 2016
martenson pushed a commit to martenson/galaxy that referenced this issue May 2, 2016
Conflicts:
	static/scripts/bundled/libs.bundled.js.map