Defect #33846

Inline issue auto complete (#) doesn't sanityze HTML tags

Added by Fernando Hartmann 5 months ago. Updated about 1 month ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:Security
Target version:4.1.2
Resolution: Affected version:4.1.1

Description

If referring a issue that have a HTML tag in subject, the tag is rendered as an object in the auto complete tip.

To reproduce
  1. Create one issue with a subject like Test <select> tag
  2. Start a new issue, go to description field and type issue number created above
Result
  • We should display something like Feature #xxxx Test <select> tag
  • We display a select object rendered in the tip, like image bellow

This can be dangerous,as some one can inject HTML

tip.png (6.45 KB) Fernando Hartmann, 2020-08-12 19:26

sanitize_html.patch Magnifier (868 Bytes) Marius BALTEANU, 2020-10-05 22:51

autocomplete-by-title.png (56.7 KB) Go MAEDA, 2020-10-15 14:01

sanitize_html_v2.patch Magnifier (1.01 KB) Marius BALTEANU, 2020-10-16 07:47

tribute.png (132 KB) Marius BALTEANU, 2020-10-16 07:49

sanitize_html_v3.patch Magnifier (878 Bytes) Marius BALTEANU, 2020-10-16 08:01

test_for_33846.patch Magnifier (809 Bytes) Marius BALTEANU, 2020-12-05 18:10

Related issues

Related to Redmine - Feature #31989: Inline issue auto complete (#) in fields with text-format... Closed

History

#1 Updated by Marius BALTEANU 5 months ago

  • Assignee set to Marius BALTEANU

#2 Updated by Marius BALTEANU 3 months ago

  • Related to Feature #31989: Inline issue auto complete (#) in fields with text-formatting enabled added

#3 Updated by Marius BALTEANU 3 months ago

Fernando, thanks for catching this.

I've attached a patch to fix this issue.

#4 Updated by Marius BALTEANU 3 months ago

  • Assignee deleted (Marius BALTEANU)

#5 Updated by Go MAEDA 3 months ago

Marius BALTEANU wrote:

I've attached a patch to fix this issue.

Thank you for fixing the issue but I see <span> tags when using auto-complete by issue subject.

#6 Updated by Marius BALTEANU 3 months ago

  • Assignee set to Marius BALTEANU

Thanks for pointing this out, I was able to reproduce the problem. I will post soon a fix.

#7 Updated by Marius BALTEANU 3 months ago

Please try this new version, it should work as expected with one mention: the letters that match the search are no longer highlighted.

Also, instead of the sanitzeHTML function, I think it's better to use a library like https://lodash.com/docs/4.17.15#escape, but I'm not sure how to add it without copying the code or by using a module bundler like webpack. @Jean-Philippe, any recommendations on this?

#8 Updated by Marius BALTEANU 3 months ago

This one works on IE 11 as well.

#9 Updated by Marius BALTEANU about 1 month ago

Attached is a test for this issue that can be applied only after #34123 is committed.

#10 Updated by Marius BALTEANU about 1 month ago

  • File test_for_26089.patch.zip added

#11 Updated by Marius BALTEANU about 1 month ago

  • File deleted (test_for_26089.patch.zip)

#13 Updated by Marius BALTEANU about 1 month ago

  • Assignee set to Jean-Philippe Lang

Also available in: Atom PDF