Defect #33846


Inline issue auto complete doesn't sanitize HTML tags

Added by Fernando Hartmann over 4 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

If referring to an issue that has an HTML tag in its subject, the tag is rendered as an object in the autocomplete tip.

To reproduce
  1. Create an issue with a subject like Test <select> tag
  2. Start a new issue, go to the description field and type the issue number created above
Result
  • We should display something like Feature #xxxx Test <select> tag
  • We display a select object rendered in the tip, like the image below

This can be dangerous, as someone can inject HTML


Files

tip.png (6.45 KB), Fernando Hartmann, 2020-08-12 19:26
sanitize_html.patch (868 Bytes), Marius BĂLTEANU, 2020-10-05 22:51
autocomplete-by-title.png (56.7 KB), Go MAEDA, 2020-10-15 14:01
sanitize_html_v2.patch (1.01 KB), Marius BĂLTEANU, 2020-10-16 07:47
tribute.png (132 KB), Marius BĂLTEANU, 2020-10-16 07:49
sanitize_html_v3.patch (878 Bytes), Marius BĂLTEANU, 2020-10-16 08:01
test_for_33846.patch (809 Bytes), Marius BĂLTEANU, 2020-12-05 18:10
sanitize_html_v4.patch (2.18 KB), Go MAEDA, 2021-03-15 16:52

Related issues

Related to Redmine - Feature #31989: Inline issue auto complete (#) in fields with text-formatting enabled (Closed, Go MAEDA)

Actions #1

Updated by Marius BĂLTEANU over 4 years ago

  • Assignee set to Marius BĂLTEANU
Actions #2

Updated by Marius BĂLTEANU about 4 years ago

  • Related to Feature #31989: Inline issue auto complete (#) in fields with text-formatting enabled added
Actions #3

Updated by Marius BĂLTEANU about 4 years ago

Fernando, thanks for catching this.

I've attached a patch to fix this issue.

Actions #4

Updated by Marius BĂLTEANU about 4 years ago

  • Assignee deleted (Marius BĂLTEANU)
Actions #5

Updated by Go MAEDA about 4 years ago

Marius BALTEANU wrote:

I've attached a patch to fix this issue.

Thank you for fixing the issue but I see <span> tags when using auto-complete by issue subject.

Actions #6

Updated by Marius BĂLTEANU about 4 years ago

  • Assignee set to Marius BĂLTEANU

Thanks for pointing this out, I was able to reproduce the problem. I will post soon a fix.

Actions #7

Updated by Marius BĂLTEANU about 4 years ago

Please try this new version, it should work as expected, with one remark: the letters that match the search are no longer highlighted.

Also, instead of the sanitizeHTML function, I think it's better to use a library like https://lodash.com/docs/4.17.15#escape, but I'm not sure how to add it without copying the code or by using a module bundler like webpack. @Jean-Philippe, any recommendations on this?

Actions #8

Updated by Marius BĂLTEANU about 4 years ago

This one works on IE 11 as well.

Actions #9

Updated by Marius BĂLTEANU about 4 years ago

Attached is a test for this issue that can be applied only after #34123 is committed.

Actions #10

Updated by Marius BĂLTEANU about 4 years ago

  • File test_for_26089.patch.zip added
Actions #11

Updated by Marius BĂLTEANU about 4 years ago

  • File deleted (test_for_26089.patch.zip)
Actions #13

Updated by Marius BĂLTEANU about 4 years ago

  • Assignee set to Jean-Philippe Lang
Actions #14

Updated by Marius BĂLTEANU almost 4 years ago

  • Assignee changed from Jean-Philippe Lang to Go MAEDA
Actions #15

Updated by Go MAEDA almost 4 years ago

Updated the patch for the latest trunk (r20791).

Actions #16

Updated by Go MAEDA almost 4 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Committed the fix. Thank you all for your contribution.

Actions #17

Updated by Go MAEDA almost 4 years ago

  • Subject changed from Inline issue auto complete (#) doesn't sanityze HTML tags to Inline issue auto complete doesn't sanitize HTML tags
Actions #18

Updated by Holger Just over 3 years ago

By the way: this is a full-blown XSS vulnerability. With an issue subject such as

<span onmouseover="alert('pwned');">This is some exciting text</span>

arbitrary JavaScript can be executed (as well as arbitrary HTML code shown). In my opinion, the assessment of the issue in Security_Advisories should therefore be increased to High.

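The escape-then-highlight ordering that comments #5 and #7 discuss, applied to the payload from comment #18, worked through as an added example in plain JavaScript. This is not Redmine's application.js and not any of the attached patches; escapeHtml (which covers the same five characters as the lodash escape function mentioned in #7), escapeRegExp, highlightThenEscape, renderTip, onlyHighlightMarkup, the highlight class name and the sample issues are assumptions made for illustration.

```javascript
// Added example, not Redmine's own code: escaping an issue subject for the
// inline autocomplete tip, with match highlighting applied safely.
// escapeHtml, escapeRegExp, highlightThenEscape, renderTip, onlyHighlightMarkup
// and the sample issues below are assumptions for illustration.

// Escape the five characters an HTML-aware escaper such as lodash's _.escape
// handles, so the result is inert both as a text node and inside a
// double- or single-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Make the user's query usable as a literal inside a RegExp.
function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// The ordering comment #5 ran into: highlight on the raw subject, then escape
// the whole string. The highlighting <span> is escaped along with the subject
// and shows up in the tip as literal text.
function highlightThenEscape(subject, query) {
  const re = new RegExp(escapeRegExp(query), 'gi');
  const highlighted = String(subject).replace(re, (m) => '<span>' + m + '</span>');
  return escapeHtml(highlighted);
}

// Safe ordering: find matches on the raw subject, escape every text segment
// individually, and wrap only the (escaped) matched segment in the highlight
// markup. The only tags in the output are the ones this function emits, so a
// subject like the one in #18 can no longer inject HTML or an event handler.
function renderTip(issue, query) {
  const subject = String(issue.subject);
  let html = '';
  if (query) {
    // query is non-empty here, so every match consumes at least one character
    const re = new RegExp(escapeRegExp(query), 'gi');
    let last = 0;
    let m;
    while ((m = re.exec(subject)) !== null) {
      html += escapeHtml(subject.slice(last, m.index));
      html += '<span class="highlight">' + escapeHtml(m[0]) + '</span>';
      last = m.index + m[0].length;
    }
    html += escapeHtml(subject.slice(last));
  } else {
    html = escapeHtml(subject);
  }
  return escapeHtml(issue.tracker) + ' #' + escapeHtml(issue.id) + ': ' + html;
}

// Check for tests: once the markup renderTip itself emits is removed, no tag
// characters may remain, i.e. nothing from the subject survived unescaped.
function onlyHighlightMarkup(html) {
  return !/[<>]/.test(html.replace(/<span class="highlight">|<\/span>/g, ''));
}

// Constructed sample issues: the reproduction from the description and the
// payload from comment #18.
const SAMPLE_ISSUES = [
  { id: 1234, tracker: 'Feature', subject: 'Test <select> tag' },
  { id: 33846, tracker: 'Defect',
    subject: '<span onmouseover="alert(\'pwned\');">This is some exciting text</span>' },
];

for (const issue of SAMPLE_ISSUES) {
  console.log(renderTip(issue, 'te'));
}
```

renderTip keeps the highlighting that the v2 patch had to give up, because escaping is applied per segment rather than to the finished HTML; a query that itself contains markup characters (for example `<sel`) is still matched as plain text and escaped on output.
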
Actions #19

Updated by Marius BĂLTEANU over 3 years ago

Holger Just wrote:

By the way: this is a full-blown XSS vulnerability. With an issue subject such as

[...]

arbitrary JavaScript can be executed (as well as arbitrary HTML code shown). In my opinion, the assessment of the issue in Security_Advisories should therefore be increased to High.

Thanks Holger, I've changed to High.
