Bug #14221

we can inject html & javascript in Rudder tables

Added by Nicolas CHARLES over 1 year ago. Updated about 1 year ago.

Status: Released
Priority: N/A
Category: Web - Compliance & node report
Target version:
Severity:
User visibility:
Effort required:
Priority: 0

Description

Following https://issues.rudder.io/issues/13349, we can inject, from syslog, JS that is evaluated server side on the node compliance/technical log and rules details.

Example: change the component name with

_method_reporting_context("un 'file' 'content' <script>alert('bob');</script>", "/tmp/file_content");

results in a bob showing up


Subtasks

Bug #14231: html on change request list is not correctly escaped (Released, Nicolas CHARLES)

Related issues

Related to Rudder - Bug #13349: Quotes in reports are displayed as &quot; in the web interface (Released, Vincent MEMBRÉ)
Related to Rudder - Bug #14271: JS in directive name is executed on rule table if the directive is disabled (Released, Nicolas CHARLES)
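
The rendering problem reported above, as an added example that is not Rudder's code or part of the original report: a report field concatenated into table markup is parsed as HTML, escaping it once at the point of rendering displays it as text, and escaping twice gives the `&quot;` symptom named in related bug #13349. The function names, the row shape and the small entity decoder are assumptions made for the illustration.

```javascript
// Added illustration; names and the row shape are assumptions, not Rudder code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape a raw string for use in HTML element content or a quoted attribute.
function escapeHtml(raw) {
  return String(raw).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Single-pass decoder standing in for the browser's parsing of a cell's markup.
function decodeEntities(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    Object.keys(HTML_ESCAPES).find((k) => HTML_ESCAPES[k] === m));
}

// Vulnerable pattern: report fields concatenated into markup as-is.
function renderRowUnsafe(report) {
  return `<tr><td>${report.component}</td><td>${report.value}</td></tr>`;
}

// Hardened pattern: every untrusted field escaped exactly once, at the sink.
function renderRowSafe(report) {
  return `<tr><td>${escapeHtml(report.component)}</td><td>${escapeHtml(report.value)}</td></tr>`;
}

// Constructed report using the component name and path from the bug description.
const sampleReport = {
  component: "un 'file' 'content' <script>alert('bob');</script>",
  value: "/tmp/file_content",
};

// Text a user would read in the first cell once the markup is decoded.
function visibleComponent(rowHtml) {
  const cell = rowHtml.match(/<td>(.*?)<\/td>/)[1];
  return decodeEntities(cell);
}

// Escaping an already-escaped value leaves literal entities on screen.
function doubleEscaped(raw) {
  return decodeEntities(escapeHtml(escapeHtml(raw)));
}

console.log(renderRowSafe(sampleReport));
```

Storing the raw report value and escaping only when building the cell keeps both failure modes out: markup is never interpreted, and quotes are never shown as entities.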
