Fix bug 1388043

[benjaminapetersen]

@jwforres @spadgett

Fix bugzilla #1388043 link and #1388017 link
Fixes overly aggressive escaping to ensure error messages are readable. Example:

[spadgett]

We shouldn't keep some plain text messages and some HTML markup messages in the same messages object. It's going to get too confusing to know when the message needs to be escaped. I'd create separate messages objects for alerts / html dialog messages. Or simply inline the messages.

[benjaminapetersen]

That seems reasonable. I def prefer not going back to inline, I'd rather keep making steps to getting the alert handling in a service, probably the text string templates in another service.

[spadgett]

At some point, we'll need a message catalog for translation. If we really want to pull the messages out of the controllers anyway, we should start using the format we'll eventually need for translation. But let's not worry about that for this PR.

[benjaminapetersen]

Here is the difference, for reference:

Escaping error messages from server:

Not escaping messages from server:

[spadgett]

Sure, we only want to HTML escape messages that will be passed as detailsMarkup to the dialog. But I have no way to know which is which just looking at the messages object with no context.

[spadgett]

Note that the getErrorDetails filter is not guaranteed to return anything, so in some cases this could show Reason: with no content following it.

[benjaminapetersen]

@spadgett updated, split into escaped and unescaped message sets.

[spadgett]

Won't this double escape subjectName (here and repeated below)?

[spadgett]

(You won't see this problem in the UI unless subjectName has special characters.)

[benjaminapetersen]

Ah, true, removing the _.escape( on these as redundant.
Though, even just with the template escape sequence <<<bar still appears as:

[spadgett]

Right, we shouldn't HTML escape anything going into the alerts. Just messages passed as detailsMarkup to the dialog.

[benjaminapetersen]

Just to make sure I'm with you, alerts still get user input text, I'm just removing the _.escape() in favor of using <%- in the templates, separating out the one template that processes server response with <%= (I could see this one being inline but would rather be consistent at this point).

[spadgett]

Any template that will display a plain text message in an alert should use <%=.

Any template that will display HTML content in a dialog should use <%- to escape the HTML. The only time you need this is if you use ng-bind-html like in the dialog.

You shouldn't need to use _.escape anywhere if you use <%- for the HTML messages.

[spadgett]

This still doesn't seem right. The alerts should not have any escaped messages. Only dialogs.

[benjaminapetersen]

The alerts can still have text from user input, not just the dialogs.

[benjaminapetersen]

"Bob" was given the role "view". "Bob" needs to be escaped, correct?

[spadgett]

"Bob" was given the role "view". "Bob" needs to be escaped, correct?

No, Angular will escape any special characters you have in the string since the alerts use angular expressions.

https://github.com/openshift/origin-web-console/blob/master/app/views/_alerts.html#L22

We only need to escape values that we pass to ng-bind-html in the dialog.

[benjaminapetersen]

Ok I can update this. Something about it still bothers me, looking at the docs:

ngBindHTML:

Evaluates the expression and inserts the resulting HTML into the element in a secure way. By default, the resulting HTML content will be sanitized using the $sanitize service.

$sanitize:

Sanitizes an html string by stripping all potentially dangerous tokens.

[spadgett]

It sounds like they strip things like <script> tags from the content, which is good. But if you have a user name with special characters like < and &, I suspect it won't render correctly.

[spadgett]

Maybe messages and messagesWithMarkup?

[benjaminapetersen]

Well, since the real issue here seems to be security, the word 'escaped' seems to be more descriptive if the specific problem we are trying to solve. If I came back in a month I may wonder "why do I care which ones have markup?" and would have to dig. The word 'escaped' immediately tells me this is important for security.

[benjaminapetersen]

You can see all the places we are using templates in this screenshot:

I think the latest including @spadgett's change (not squashed) is where we want this, should be good to go.

[spadgett]

[merge]

[openshift-bot]

Evaluated for origin web console merge up to c9ee3a5

[openshift-bot]

[Test]ing while waiting on the merge queue

[openshift-bot]

Evaluated for origin web console test up to c9ee3a5

[openshift-bot]

Origin Web Console Test Results: SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_web_console/611/) (Base Commit: d4becd8)

[openshift-bot]

Origin Web Console Merge Results: SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_web_console/613/) (Base Commit: 05de64a)