Bug #17641 (closed)
Markdown descriptions in directives and groups are evaluated, resulting in Javascript execution
Priority: 0
Name check: To do
Fix check: To do
Description
We can use Markdown for Directive and Group descriptions, to have friendlier descriptions.
However, it is possible to put a script in this Markdown, which gets executed when displaying the group or directive details (and also in the change request list).
This ticket fixes the issue by using the showdown XSS filter to prevent evaluation of JavaScript in Markdown.
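As an added illustration of the bug class described in this ticket (this is not Rudder's code and not the showdown XSS filter itself), the JavaScript below renders a small Markdown subset the way Markdown renderers do, passing raw HTML through untouched, and then applies an allowlist sanitizer to the rendered HTML. The description payloads are constructed; the renderer, the tag/attribute allowlist and the URL scheme allowlist are this example's own assumptions. The sanitizer is the same function whether it runs in the browser or on the server; where it must run is the point made in the comment below.

```javascript
// Added example, not Rudder's or showdown's code. Constructed Markdown payloads
// of the kind a directive or group description could carry, rendered once
// unsanitized (vulnerable) and once through an allowlist sanitizer (hardened).

// Assumed policy: a few formatting elements, and only href/title on links.
const ALLOWED_TAGS = new Set(["p", "em", "strong", "a", "code", "ul", "li", "br"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
// Allowlist of URL schemes: anything else (javascript:, data:, entity-encoded
// or whitespace-obfuscated variants) is dropped rather than pattern-matched.
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Minimal Markdown subset: paragraphs, **strong**, *em*, `code`, [text](url).
// Like real Markdown renderers, raw HTML in the input is passed through as-is,
// which is exactly why the rendered HTML has to be sanitized afterwards.
function renderMarkdown(md) {
  return md.split(/\n{2,}/).map(block => {
    const html = block
      .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
      .replace(/\*(.+?)\*/g, "<em>$1</em>")
      .replace(/`(.+?)`/g, "<code>$1</code>")
      .replace(/\[(.+?)\]\((.+?)\)/g, '<a href="$2">$1</a>');
    return `<p>${html}</p>`;
  }).join("\n");
}

// Allowlist sanitizer over rendered HTML. Regex-based to stay self-contained;
// production code should use a real HTML parser based sanitizer instead.
function sanitizeHtml(html) {
  // script/style elements go together with their contents.
  let out = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  // Every remaining tag is rebuilt from the allowlist; unknown tags are
  // removed (their text content is kept), unknown attributes are dropped.
  out = out.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (m, slash, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";
    if (slash) return `</${tag}>`;
    const allowed = ALLOWED_ATTRS[tag] || new Set();
    const kept = [];
    for (const a of attrs.matchAll(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (!allowed.has(attr)) continue;                  // drops onerror=, onclick=, style=, ...
      if (attr === "href" && !SAFE_URL.test(value.trim())) continue; // drops javascript: links
      kept.push(` ${attr}="${escapeText(value)}"`);
    }
    return `<${tag}${kept.join("")}>`;
  });
  return out;
}

// The two code paths: Markdown rendered straight into the page, or sanitized first.
function renderVulnerable(md) { return renderMarkdown(md); }
function renderHardened(md) { return sanitizeHtml(renderMarkdown(md)); }

// Constructed description payloads (three hostile, one legitimate).
const PAYLOADS = [
  "Backup policy <script>alert(document.cookie)</script>",
  'Nodes in **DMZ** <img src=x onerror="alert(1)">',
  "[docs](javascript:alert%281%29) for this group",
  "[docs](https://docs.rudder.io) for this group",
];

// Coarse check used to compare the two outputs: does the HTML still carry
// a script element, an event-handler attribute or a javascript: URL?
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

for (const md of PAYLOADS) {
  console.log("vulnerable:", renderVulnerable(md));
  console.log("hardened:  ", renderHardened(md));
}
```

The legitimate fourth payload renders identically on both paths, while the three hostile ones lose only their active parts: the script element, the event handler together with its `img` tag, and the `javascript:` href (the link text survives). Blocklisting the string `javascript:` instead of allowlisting schemes would miss entity-encoded or whitespace-padded variants, which is why the example checks the scheme positively.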
Updated by Nicolas CHARLES over 4 years ago
- Subject changed from description in directives are evaluated, and we can inject whatever we want to description in directives and groups are evaluated, and we can inject whatever we want
Updated by Nicolas CHARLES over 4 years ago
https://github.com/showdownjs/showdown/issues/454
Filtering has to be done server-side.
Updated by Nicolas CHARLES over 4 years ago
- Status changed from New to In progress
- Assignee set to Nicolas CHARLES
Updated by Nicolas CHARLES over 4 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Nicolas CHARLES to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/3060
Updated by Nicolas CHARLES over 4 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|ee5c6b8b3aab9197f4cd0f4fed60b47444f99a4b.
Updated by Nicolas CHARLES over 4 years ago
- Subject changed from description in directives and groups are evaluated, and we can inject whatever we want to Markdown descriptions in directives and groups are evaluated, resulting in Javascript execution
- Description updated (diff)
Updated by Vincent MEMBRÉ over 4 years ago
This bug has been fixed in Rudder 6.0.7 and 6.1.1 which were released today.
Updated by Vincent MEMBRÉ over 4 years ago
- Status changed from Pending release to Released
- Private changed from Yes to No