Project

General

Profile

Actions
Copy link

Bug #14221

closed

we can inject html & javascript in Rudder tables

Added by Nicolas CHARLES almost 6 years ago. Updated over 5 years ago.

Status:
Released
Priority:
N/A
Assignee:
François ARMAND
Category:
Web - Compliance & node report
Target version:
4.1.19
Pull Request:
https://github.com/Normation/rudder/p...
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Fix check:
Regression:

Description

following https://issues.rudder.io/issues/13349 , we can inject, from syslog, js that is evaluated server side on the node compliance/technical log and rules details

exemple: change the component name with

_method_reporting_context("un 'file' 'content' <script>alert('bob');</script>", "/tmp/file_content");

results in a bob showing up

Subtasks 1 (0 open1 closed)

Bug #14231: html on change request list is not correctly escapedReleasedNicolas CHARLESActions

Related issues 3 (0 open3 closed)

Related to Rudder - Bug #13349: Quotes in reports are displayed as &quot; in the web interfaceReleasedVincent MEMBRÉActions
Related to Rudder - Bug #14271: JS in directive name is executed on rule table if the directive is disabledReleasedNicolas CHARLESActions
Related to Rudder - Bug #17698: Tooltips in interface tree evaluate scripts ReleasedFrançois ARMANDActions
Actions
Copy link

Also available in: Atom PDF