Bug #21442

Updated by Alexis Mousset almost 2 years ago

With information from nodes: 

 * When running Putting a remote run from the interface the JS alert in agent output is not escaped 
 * In node details, the software tab information is not escaped 
 * In all nodes list (Nodes, Groups pages, etc.), the OS column is not escaped 

 (the last two are also visible for pending nodes, so it can be triggered by anyone in the allowed networks). 

 and with lower impact (potential privilege escalation inside Rudder): 

 * tags run in rules, when hovering the rule in administrator triggering a run from the rules lists (directives and rules pages) 
 * api accounts details when hovering 

 web interface.
