HTML sanitizer for dashboard_info.js #5652
Comments
|
The sanitizer was added but it doesn't help to resolve the original issue, as |
|
Some software distributions apparently read the CVE text as in "bug existed only up to 0.13.x and is fixed on newer releases"... However, from the CVE text and also the contents of this issue, I understand that the security problem is still unfixed. Is that correct? |
|
issue #5800 probably should be reopened and linked to this one... Mentioning it here as well so that it is better cross-referenced in github. |
|
We should have written more here. We went into great detail regarding this and we really can't prevent it. It's why the statement "Snapshot files contain both data and javascript code. Make sure you trust the files you import!" is right next to the Import button. We can make the font bigger/use a different colour, or throw an alert each time, but not much more than that. The responsibility rests with the user to import a trusted file. |
|
That's a fair mitigation, I suppose. That information was just not easily to get to from a CVE search, which your reply just addressed. I will mention it also on #5800, since people coming from security trackers and web searches are likely to land there. Thanks! |
|
Much appreciated @hmh |
Feature idea summary
Use HTML sanitizer when loading dashboard_info.js to prevent https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9834
Expected behavior
Prevent HTML injection when importing a snapshot
The text was updated successfully, but these errors were encountered: