Bug 35324 - Double escape of HTML for app's name and description
Double escape of HTML for app's name and description
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - App-Center
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1-1-errata
Assigned To: Florian Best
Dirk Wiesenthal
:
: 39814 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-09 11:30 CEST by Dirk Wiesenthal
Modified: 2016-03-02 13:25 CET (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dirk Wiesenthal univentionstaff 2014-07-09 11:30:06 CEST
Characters used in an app's name or version are correctly escaped by python.

Unfortunately, these are escaped again by the AppCenterGalleryPane. The put-selector escapes automatically with no option to disable it.

But we need the escaping both in frontend and backend for UCR variables, XML files, title attributes, etc. So this has to be fixed in AppCenterGalleryPane's renderRow.

Note that modules in "Installed Modules" are escaped correctly - the backend sends unescaped module definitions in modules/list
Comment 1 Dirk Wiesenthal univentionstaff 2014-07-09 11:32:46 CEST
I meant "app's name or description" not "app's name or version"
Comment 2 Dirk Wiesenthal univentionstaff 2015-12-08 17:35:08 CET
This now also holds for Maintainer / Vendor in the 4.1 overview
Comment 3 Dirk Wiesenthal univentionstaff 2015-12-22 00:11:29 CET
Ticket#2015121821000314
Comment 4 Nico Gulden univentionstaff 2016-01-08 12:10:11 CET
Bug #39814 maybe a duplicate to this one.
Comment 5 Florian Best univentionstaff 2016-02-24 18:48:33 CET
*** Bug 39814 has been marked as a duplicate of this bug. ***
Comment 6 Florian Best univentionstaff 2016-02-24 18:53:35 CET
The values aren't encoded in the backend anymore. All escaping has been moved to the frontend.

univention-appcenter (5.0.20-6):
r67667 | Bug #35324: Fix HTML encoding

univention-appcenter.yaml:
r67668 | YAML Bug #35324
Comment 7 Dirk Wiesenthal univentionstaff 2016-03-01 03:05:48 CET
The following attributes are not escaped in DetailsPage:
  Name (Module headline (thick line) and Module title (Tab line), although the latter one is probably a UMC problem)
  Version

If Description is empty (None), ucr commit /usr/share/univention-management-console/modules/apps.xml traces:
File: /usr/share/univention-management-console/modules/apps.xml
Traceback (most recent call last):
  File "<stdin>", line 32, in <module>
  File "/usr/lib/python2.7/cgi.py", line 1035, in escape
    s = s.replace("&", "&amp;") # Must be done first!
AttributeError: 'NoneType' object has no attribute 'replace'
Comment 8 Florian Best univentionstaff 2016-03-01 07:11:50 CET
(In reply to Dirk Wiesenthal from comment #7)
> The following attributes are not escaped in DetailsPage:
>   Name (Module headline (thick line) and Module title (Tab line), although
> the latter one is probably a UMC problem)
>   Version
Fixed. It's btw not DetailsPage but AppDetailsPage!

> If Description is empty (None), ucr commit
> /usr/share/univention-management-console/modules/apps.xml traces:
> File: /usr/share/univention-management-console/modules/apps.xml
> Traceback (most recent call last):
>   File "<stdin>", line 32, in <module>
>   File "/usr/lib/python2.7/cgi.py", line 1035, in escape
>     s = s.replace("&", "&amp;") # Must be done first!
> AttributeError: 'NoneType' object has no attribute 'replace'
Yes, i added a "or ''" for each item.
Comment 9 Dirk Wiesenthal univentionstaff 2016-03-01 12:52:43 CET
OK: Works
OK: YAML
Comment 10 Janek Walkenhorst univentionstaff 2016-03-02 13:25:50 CET
<http://errata.software-univention.de/ucs/4.1/123.html>