Project

General

Profile

Actions

Bug #19514

closed

JS in a node name is evaluated in the rule changes

Added by Nicolas CHARLES over 3 years ago. Updated over 1 year ago.

Status:
Released
Priority:
N/A
Assignee:
-
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:

Description

If a node is named

<script>alert("test");</script> 

and generated repairs reports, on the rule page, clicking over the changes in the compliance section will cause one "alert("test")" per repair reports

If the repair just happened, it is on the list of changes in the table in the bottom when clicking on compliance and is evaluated immediatly

It does not always happen (something there are JS error on the pages)


Related issues 1 (0 open1 closed)

Related to Rudder - Bug #19456: Lack of HTML escaping in nodes listReleasedNicolas CHARLESActions
Actions #1

Updated by Nicolas CHARLES over 3 years ago

  • Subject changed from JS in a node name is evaluated in the rule detail page to JS in a node name is evaluated in the rule changes
  • Description updated (diff)
Actions #2

Updated by Nicolas CHARLES over 3 years ago

  • Description updated (diff)
Actions #3

Updated by Nicolas CHARLES over 3 years ago

  • Description updated (diff)
Actions #4

Updated by Vincent MEMBRÉ over 3 years ago

  • Parent task deleted (#19456)
Actions #5

Updated by Vincent MEMBRÉ over 3 years ago

  • Related to Bug #19456: Lack of HTML escaping in nodes list added
Actions #6

Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from New to Released
Actions #7

Updated by Alexis Mousset over 1 year ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF