Defect #33846
Inline issue auto complete (#) doesn't sanitize HTML tags
| Status: | New | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Security | | |
| Target version: | 4.1.2 | | |
| Resolution: | | Affected version: | 4.1.1 |
Description
If referring to an issue that has an HTML tag in its subject, the tag is rendered as an object in the auto complete tip.
To reproduce:
- Create one issue with a subject like "Test <select> tag"
- Start a new issue, go to the description field and type the issue number created above
- We should display something like "Feature #xxxx Test <select> tag"
- Instead we display a select object rendered in the tip, like the image below
This can be dangerous, as someone can inject HTML.
Related issues
History
#1
Updated by Marius BALTEANU 5 months ago
- Assignee set to Marius BALTEANU
#2
Updated by Marius BALTEANU 3 months ago
- Related to Feature #31989: Inline issue auto complete (#) in fields with text-formatting enabled added
#3
Updated by Marius BALTEANU 3 months ago
- File sanitize_html.patch added
- Target version set to 4.1.2
Fernando, thanks for catching this.
I've attached a patch to fix this issue.
#4
Updated by Marius BALTEANU 3 months ago
- Assignee deleted (Marius BALTEANU)
#5
Updated by Go MAEDA 3 months ago
- File autocomplete-by-title.png added
Marius BALTEANU wrote:
    I've attached a patch to fix this issue.
Thank you for fixing the issue but I see <span> tags when using auto-complete by issue subject.
#6
Updated by Marius BALTEANU 3 months ago
- Assignee set to Marius BALTEANU
Thanks for pointing this out, I was able to reproduce the problem. I will post soon a fix.
#7
Updated by Marius BALTEANU 3 months ago
- File sanitize_html_v2.patch added
- File tribute.png added
- Assignee deleted (Marius BALTEANU)
Please try this new version, it should work as expected with one mention: the letters that match the search are no longer highlighted.
Also, instead of the sanitizeHTML function, I think it's better to use a library like https://lodash.com/docs/4.17.15#escape, but I'm not sure how to add it without copying the code or by using a module bundler like webpack. @Jean-Philippe, any recommendations on this?
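The pattern discussed in the description and in note #7, as an added example that is not Redmine's code and not the attached patch: the issue subject is HTML-escaped (the same characters lodash's _.escape handles) before it is inserted into the tip, and the search-term highlighting is applied segment by segment on top of the escaped text, so the highlight <span> is the only markup that reaches the tip. The item shape, the function names and the "highlight" class name are assumptions for the illustration.

```javascript
// Added example, not Redmine's autocomplete code. Assumed item shape:
// { id: Number, tracker: String, subject: String }; "highlight" is an assumed class name.

// Escape the five characters that can open markup or break out of an attribute
// (same set as lodash's _.escape). Every piece of data shown in the tip goes through this.
function escapeHtml(str) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// The search term is user input too: neutralise regex metacharacters before using it as a pattern.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Label as the reporter expects it: "Feature #xxxx Test <select> tag" (still raw here).
function itemLabel(item) {
  return item.tracker + ' #' + item.id + ' ' + item.subject;
}

// Build the tip HTML. Matching is done on the raw label so a match can never split an
// entity such as "&lt;"; each segment (matched or not) is escaped before it is emitted,
// and only the highlight wrapper is added as real markup.
function renderTipItem(item, query) {
  var label = itemLabel(item);
  if (!query) {
    return escapeHtml(label);
  }
  var re = new RegExp(escapeRegExp(query), 'gi');
  var out = '';
  var last = 0;
  var m;
  while ((m = re.exec(label)) !== null) {
    out += escapeHtml(label.slice(last, m.index));
    out += '<span class="highlight">' + escapeHtml(m[0]) + '</span>';
    last = m.index + m[0].length;
    if (m[0].length === 0) { re.lastIndex++; } // guard against a zero-length match looping forever
  }
  out += escapeHtml(label.slice(last));
  return out;
}

// Check used in review: apart from the highlight wrapper, the rendered tip must contain no tag.
function onlyHighlightMarkup(html) {
  var stripped = html.replace(/<span class="highlight">/g, '').replace(/<\/span>/g, '');
  return stripped.indexOf('<') === -1 && stripped.indexOf('>') === -1;
}

// Constructed sample input reproducing the report: a subject carrying a <select> tag.
var sampleItem = { id: 1234, tracker: 'Feature', subject: 'Test <select> tag' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderTipItem(sampleItem, ''));     // Feature #1234 Test &lt;select&gt; tag
  console.log(renderTipItem(sampleItem, 'sel'));  // ... &lt;<span class="highlight">sel</span>ect&gt; ...
}
```

When the returned string is assigned to the tip element's innerHTML, the browser shows the literal text "<select>" and renders only the highlight span; escaping after highlighting, or highlighting the already escaped string, is what produces either an unescaped tag or the stray "<span>" text seen in note #5.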
#8
Updated by Marius BALTEANU 3 months ago
- File sanitize_html_v3.patch added
This one works on IE 11 as well.
#9
Updated by Marius BALTEANU about 1 month ago
Attached is a test for this issue that can be applied only after #34123 is committed.
#10
Updated by Marius BALTEANU about 1 month ago
- File test_for_26089.patch.zip added
#11
Updated by Marius BALTEANU about 1 month ago
- File deleted (test_for_26089.patch.zip)
#12
Updated by Marius BALTEANU about 1 month ago
- File test_for_33846.patch added
#13
Updated by Marius BALTEANU about 1 month ago
- Assignee set to Jean-Philippe Lang