
Fixes #21519 - Prevent stored XSS on fact charts #4967

Merged
merged 1 commit into from Nov 5, 2017

Conversation

tbrisker
Member

No description provided.

@theforeman-bot
Member

Issues: #21519

@tbrisker
Member Author

Once accepted this should be cherry-picked into 1.16-stable and possibly also 1.15-stable if we do another release.

@ohadlevy
Member

ohadlevy commented Nov 1, 2017

@tbrisker - thanks! Does it make sense to add tests?

@tbrisker
Member Author

tbrisker commented Nov 1, 2017

@ohadlevy I'm not sure if there is a good way to do that; the new charts already sanitize the text correctly, and the old JS code should all go away once the remaining charts are migrated to React. I added the escaping on the backend as well, as a backup measure in case flot.js somewhere doesn't escape correctly or in case I missed something in the awful mess that is there right now.

Member

@dLobatog dLobatog left a comment


Looks good to me - I'm not sure it's worth adding tests for checking each of the escapes here. Maybe checking that an HTML tag as part of a fact name is escaped in some page as an integration test would be good, but I'm not too adamant, your call @ohadlevy @tbrisker
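As an added illustration (not the PR's own code, and not necessarily how the Foreman commit does it), the two points raised above: escaping chart labels on the server before they reach the JS chart, and a regression check that an HTML tag inside a fact name cannot survive into the chart payload. Plain Ruby with `ERB::Util.html_escape`; the fact rows are constructed sample data.

```ruby
require 'erb'
require 'json'

# Constructed sample: fact value / host count pairs, shaped like the input
# of a fact-distribution chart. The last label carries an HTML tag, the
# kind of value a stored-XSS regression test would feed in.
SAMPLE_FACTS = [
  ['RedHat', 12],
  ['Debian', 7],
  ['<script>alert(1)</script>', 1],
].freeze

# Escape every label on the backend, independently of whatever the chart
# library does on the client. This is the "backup measure" idea: even if
# the JS side forgets to escape, the label is already inert HTML.
def escaped_chart_data(facts)
  facts.map do |label, count|
    { label: ERB::Util.html_escape(label.to_s), data: Integer(count) }
  end
end

# Serialize the escaped series for the chart widget.
def chart_json(facts)
  JSON.generate(escaped_chart_data(facts))
end

# Regression check in the spirit of the review comment: no raw angle
# bracket may remain in any label of the chart payload.
def labels_free_of_tags?(facts)
  escaped_chart_data(facts).none? { |point| point[:label].match?(/[<>]/) }
end
```

The check is cheap enough to run as a unit test over any fact-based chart series, not only the sample above.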

@ohadlevy ohadlevy merged commit 81e40e3 into theforeman:develop Nov 5, 2017
@ohadlevy
Member

ohadlevy commented Nov 5, 2017

thanks @tbrisker
