Project

General

Profile

Actions

Bug #19456

closed

Lack of HTML escaping in nodes list

Added by Alexis Mousset over 3 years ago. Updated over 1 year ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

it is possible run JS from nodes list fields (for example nodes hostname)


Subtasks 4 (0 open4 closed)

Bug #19505: In branch 6.2, values in configurable columns must also escape JSReleasedNicolas CHARLESActions
Bug #19506: Escape HTML in expected value in testRejectedFrançois ARMANDActions
Bug #19518: Property with inherited values display is broken on page reload on node listReleasedVincent MEMBRÉActions
Bug #19513: Hostname is not escaped in page details title and in inherited propertiesReleasedNicolas CHARLESActions

Related issues 6 (0 open6 closed)

Related to Rudder - Bug #19457: Enforce stricter restriction on authorized node id and hostnameReleasedVincent MEMBRÉActions
Related to Rudder - Bug #19458: Validate the hostname fieldRejectedActions
Related to Rudder - Bug #19514: JS in a node name is evaluated in the rule changesReleasedActions
Related to Rudder - Bug #19488: Sanitize JS content in inventory & node propertiesRejectedVincent MEMBRÉActions
Related to Rudder - Bug #19085: Inherited node properties are displayed with escapeReleasedVincent MEMBRÉActions
Related to Rudder - Bug #21442: Various XSS vulnerabilities in the interfaceResolvedFrançois ARMANDActions
Actions

Also available in: Atom PDF