Bug #19514

closed

JS in a node name is evaluated in the rule changes

Added by Nicolas CHARLES almost 3 years ago. Updated 9 months ago.

Status: Released
Priority: N/A
Assignee: -
Category: Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: To do
Regression:

Description

If a node is named

<script>alert("test");</script> 

and has generated repair reports, on the rule page, clicking on the changes in the compliance section will cause one "alert("test")" per repair report.

If the repair just happened, it is in the list of changes in the table at the bottom when clicking on compliance, and is evaluated immediately.

It does not always happen (sometimes there are JS errors on the page).
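
Added example, not part of the original report and not Rudder's code: the same node name rendered into a changes table without and with output escaping, plus a regression check that counts surviving script tags. The function names, report fields and row layout are hypothetical, and the sample reports are constructed.

```javascript
// Added example; field names and row layout are hypothetical, not Rudder's code.

// Characters that can change the HTML parsing context, mapped to entities.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the agent-supplied node name is concatenated as markup.
function renderRowUnsafe(report) {
  return "<tr><td>" + report.nodeName + "</td><td>" + report.message + "</td></tr>";
}

// Hardened pattern: every report field is escaped when it is written out.
function renderRowSafe(report) {
  return "<tr><td>" + escapeHtml(report.nodeName) + "</td><td>" +
    escapeHtml(report.message) + "</td></tr>";
}

// One row per repair report, as in the changes table the report describes.
function renderChangesTable(reports, renderRow) {
  return "<table>" + reports.map((r) => renderRow(r)).join("") + "</table>";
}

// Regression check: count script elements that survive rendering.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample: two repair reports from a node named as in the report,
// plus one from a benign node.
const sampleReports = [
  { nodeName: '<script>alert("test");</script>', message: "File was repaired" },
  { nodeName: '<script>alert("test");</script>', message: "Service was restarted" },
  { nodeName: "web01.example.com", message: "Package was installed" },
];

const unsafeHtml = renderChangesTable(sampleReports, renderRowUnsafe);
const safeHtml = renderChangesTable(sampleReports, renderRowSafe);
console.log("script tags without escaping:", countScriptTags(unsafeHtml));
console.log("script tags with escaping:", countScriptTags(safeHtml));
console.log(safeHtml);
```
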


Related issues 1 (0 open, 1 closed)

Related to Rudder - Bug #19456: Lack of HTML escaping in nodes list (Released, Nicolas CHARLES)
#1

Updated by Nicolas CHARLES almost 3 years ago

  • Subject changed from JS in a node name is evaluated in the rule detail page to JS in a node name is evaluated in the rule changes
  • Description updated (diff)
#2

Updated by Nicolas CHARLES almost 3 years ago

  • Description updated (diff)
#3

Updated by Nicolas CHARLES almost 3 years ago

  • Description updated (diff)
#4

Updated by Vincent MEMBRÉ almost 3 years ago

  • Parent task deleted (#19456)
#5

Updated by Vincent MEMBRÉ almost 3 years ago

  • Related to Bug #19456: Lack of HTML escaping in nodes list added
#6

Updated by Vincent MEMBRÉ almost 3 years ago

  • Status changed from New to Released
#7

Updated by Alexis Mousset 9 months ago

  • Private changed from Yes to No