Bug #14221 (closed)
we can inject html & javascript in Rudder tables
Status: Released
Priority: N/A
Category: Web - Compliance & node report
Priority: 0
Description
Following https://issues.rudder.io/issues/13349, we can inject, from syslog, JS that is evaluated server side on the node compliance/technical log and rules details.
Example: change the component name with
_method_reporting_context("un 'file' 'content' <script>alert('bob');</script>", "/tmp/file_content");
results in a bob showing up
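The injection described above, as an added example that is not part of the original ticket and is not Rudder's code: a report field concatenated into table markup next to the same field escaped once at the point where HTML is built. The row shape and all function names are hypothetical; the sample report is constructed from the component name quoted in the description.

```javascript
// Added example (hypothetical names, not Rudder's implementation).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const HTML_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };

// Encode the five characters that can change HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Single-pass decode of those entities, standing in for what a browser
// shows as cell text. Used only to check that escaping once at the sink
// keeps quotes readable instead of displaying them as "&quot;".
function decodeEntities(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => HTML_ENTITIES[name]);
}

// Vulnerable pattern: report data received from the node goes into markup as-is.
function renderRowUnsafe(report) {
  return "<tr><td>" + report.component + "</td><td>" + report.value + "</td></tr>";
}

// Hardened pattern: every untrusted field is escaped where the HTML is assembled.
function renderRowSafe(report) {
  return "<tr><td>" + escapeHtml(report.component) + "</td><td>" +
    escapeHtml(report.value) + "</td></tr>";
}

// Constructed sample: the component name from the ticket description.
const sampleReport = {
  component: "un 'file' 'content' <script>alert('bob');</script>",
  value: "/tmp/file_content",
};

function demo() {
  const safeRow = renderRowSafe(sampleReport);
  return {
    unsafeHasScriptTag: renderRowUnsafe(sampleReport).includes("<script>"),
    safeHasScriptTag: safeRow.includes("<script>"),
    safeRow,
    displayedComponent: decodeEntities(escapeHtml(sampleReport.component)),
  };
}

console.log(demo());
```
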
Updated by François ARMAND almost 6 years ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND almost 6 years ago
- Related to Bug #13349: Quotes in reports are displayed as " in the web interface added
Updated by François ARMAND almost 6 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder/pull/2122
Updated by Rudder Quality Assistant almost 6 years ago
- Assignee changed from Nicolas CHARLES to François ARMAND
Updated by François ARMAND almost 6 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|4762a161f17efe0eba67e3b078172a8b7d8a6490.
Updated by Alexis Mousset almost 6 years ago
- Status changed from Pending release to Released
Updated by François ARMAND almost 6 years ago
- Related to Bug #14271: JS in directive name is executed on rule table if the directive is disabled added
Updated by Nicolas CHARLES over 4 years ago
- Related to Bug #17698: Tooltips in interface tree evaluate scripts added