Project

General

Profile

Actions
Copy link

Bug #19514

closed

JS in a node name is evaluated in the rule changes

Added by Nicolas CHARLES almost 3 years ago. Updated 9 months ago.

Status:
Released
Priority:
N/A
Assignee:
-
Category:
Security
Target version:
6.1.14
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:

Description

If a node is named 

<script>alert("test");</script>

and generated repairs reports, on the rule page, clicking over the changes in the compliance section will cause one "alert("test")" per repair reports

If the repair just happened, it is on the list of changes in the table in the bottom when clicking on compliance and is evaluated immediatly

It does not always happen (something there are JS error on the pages)

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #19456: Lack of HTML escaping in nodes listReleasedNicolas CHARLESActions
Actions
Copy link

Also available in: Atom PDF