Defect #33846
Inline issue auto complete doesn't sanitize HTML tags
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Security | | |
| Target version: | 4.1.2 | | |
| Resolution: | Fixed | Affected version: | 4.1.1 |
Description
If referring to an issue that has an HTML tag in the subject, the tag is rendered as an object in the auto-complete tip.
To reproduce:
- Create one issue with a subject like
  Test <select> tag
- Start a new issue, go to the description field and type the issue number created above
- We should display something like
  Feature #xxxx Test <select> tag
- We display a select object rendered in the tip, like the image below
This can be dangerous, as someone can inject HTML.
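As an added example (not Redmine's own code and not the attached patch), this is the escaping step the report asks for, applied to the tip label before it is inserted as HTML; the function names, the `match` class and the sample issue are assumptions for illustration, and the second renderer also shows how to keep the matched letters highlighted without losing the escaping.

```javascript
// Added example, not Redmine's code: escape issue subjects before they
// are placed into the auto-complete tip as HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Same set of characters as lodash's _.escape, which the thread mentions.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the tip label "Feature #1234 Test <select> tag" as safe HTML:
// a tag in the subject is shown as literal text, not rendered as an element.
function renderTipLabel(issue) {
  return `${escapeHtml(issue.tracker)} #${issue.id} ${escapeHtml(issue.subject)}`;
}

// Variant that keeps the typed letters highlighted (the caveat raised for
// the v2 patch): split the raw subject around the match, escape each piece
// separately, and only then wrap the match in a <span>. Escaping after
// wrapping would mangle the span; wrapping before escaping would leave
// the injection open.
function renderHighlightedLabel(issue, query) {
  const subject = String(issue.subject);
  const idx = query ? subject.toLowerCase().indexOf(query.toLowerCase()) : -1;
  let subjectHtml;
  if (idx === -1) {
    subjectHtml = escapeHtml(subject);
  } else {
    const end = idx + query.length;
    subjectHtml = escapeHtml(subject.slice(0, idx)) +
      '<span class="match">' + escapeHtml(subject.slice(idx, end)) + '</span>' +
      escapeHtml(subject.slice(end));
  }
  return `${escapeHtml(issue.tracker)} #${issue.id} ${subjectHtml}`;
}

// Constructed sample issue mirroring the reproduction step above.
const sampleIssue = { id: 1234, tracker: 'Feature', subject: 'Test <select> tag' };

console.log(renderTipLabel(sampleIssue));
// Feature #1234 Test &lt;select&gt; tag
console.log(renderHighlightedLabel(sampleIssue, 'select'));
// Feature #1234 Test &lt;<span class="match">select</span>&gt; tag
```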
Related issues
Associated revisions
Fix that inline issue auto complete does not sanitize HTML tags (#33846).
Patch by Marius BALTEANU.
History
#1
Updated by Marius BALTEANU almost 2 years ago
- Assignee set to Marius BALTEANU
#2
Updated by Marius BALTEANU over 1 year ago
- Related to Feature #31989: Inline issue auto complete (#) in fields with text-formatting enabled added
#3
Updated by Marius BALTEANU over 1 year ago
- File sanitize_html.patch added
- Target version set to 4.1.2
Fernando, thanks for catching this.
I've attached a patch to fix this issue.
#4
Updated by Marius BALTEANU over 1 year ago
- Assignee deleted (Marius BALTEANU)
#5
Updated by Go MAEDA over 1 year ago
- File autocomplete-by-title.png added
Marius BALTEANU wrote:
> I've attached a patch to fix this issue.
Thank you for fixing the issue but I see <span> tags when using auto-complete by issue subject.
#6
Updated by Marius BALTEANU over 1 year ago
- Assignee set to Marius BALTEANU
Thanks for pointing this out, I was able to reproduce the problem. I will post a fix soon.
#7
Updated by Marius BALTEANU over 1 year ago
- File sanitize_html_v2.patch added
- File tribute.png added
- Assignee deleted (Marius BALTEANU)
Please try this new version, it should work as expected with one mention: the letters that match the search are no longer highlighted.
Also, instead of the sanitzeHTML function, I think it's better to use a library like https://lodash.com/docs/4.17.15#escape, but I'm not sure how to add it without copying the code or by using a module bundler like webpack. @Jean-Philippe, any recommendations on this?
#8
Updated by Marius BALTEANU over 1 year ago
- File sanitize_html_v3.patch added
This one works on IE 11 as well.
#9
Updated by Marius BALTEANU over 1 year ago
Attached is a test for this issue that can be applied only after #34123 is committed.
#10
Updated by Marius BALTEANU over 1 year ago
- File test_for_26089.patch.zip added
#11
Updated by Marius BALTEANU over 1 year ago
- File deleted (test_for_26089.patch.zip)
#12
Updated by Marius BALTEANU over 1 year ago
- File test_for_33846.patch added
#13
Updated by Marius BALTEANU over 1 year ago
- Assignee set to Jean-Philippe Lang
#14
Updated by Marius BALTEANU about 1 year ago
- Assignee changed from Jean-Philippe Lang to Go MAEDA
#15
Updated by Go MAEDA about 1 year ago
- File sanitize_html_v4.patch added
Update the patch for the latest trunk (r20791).
#16
Updated by Go MAEDA about 1 year ago
- Status changed from New to Closed
- Resolution set to Fixed
Committed the fix. Thank you all for your contribution.
#17
Updated by Go MAEDA about 1 year ago
- Subject changed from Inline issue auto complete (#) doesn't sanityze HTML tags to Inline issue auto complete doesn't sanitize HTML tags
#18
Updated by Holger Just about 1 year ago
By the way: this a full-blown XSS vulnerability. With an issue subject such as
<span onmouseover="alert('pwned');">This is some exciting text</span>
arbitrary Javascript can be executed (as well as arbitrary HTML code shown). In my opinion, the assessment of the issue in Security_Advisories should therefore be increased to High.
#19
Updated by Marius BALTEANU about 1 year ago
Holger Just wrote:
> By the way: this a full-blown XSS vulnerability. With an issue subject such as
> [...]
> arbitrary Javascript can be executed (as well as arbitrary HTML code shown). In my opinion, the assessment of the issue in Security_Advisories should therefore be increased to High.
Thanks Holger, I've changed to High.