Univention Bugzilla – Bug 38036
HTML not escaped
Last modified: 2015-03-25 16:41:08 CET
Created attachment 6757: UMC Screenshot

<, &, > are not escaped in UCRV descriptions

# ucr info mail/postfix/masquerade/domains
mail/postfix/masquerade/domains: $mydomain
 This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at <http://www.postfix.org/postconf.5.html#masquerade_domains>. If the variable is unset, the fully qualified hostname of the server is used.
 Categories: service-mail

# umc-command -U Administrator -P univention -r ucr/get -o mail/postfix/masquerade/domains=
10.03.15 02:45:13.523 DEBUG_INIT Response: COMMAND data length : 916 message length: 851
--- ARGUMENTS: ['ucr/get']
MIMETYPE : application/json
STATUS : 200
MESSAGE : None
RESULT : [ { 'categories': 'service-mail',
 'description[de]': u'Mit dieser Variable kann eine Unterdom\xe4ne aus E-Mail-Adressen entfernt werden, so dass z.B. user@server.example.com nach user@example.com umgeschrieben wird. Das Format ist unter <http://www.postfix.org/postconf.5.html#masquerade_domains> beschrieben. Ist die Variable nicht gesetzt, gilt der vollqualifizierte Rechnername des Servers.',
 'description[en]': 'This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at <http://www.postfix.org/postconf.5.html#masquerade_domains>. If the variable is unset, the fully qualified hostname of the server is used.',
 'key': 'mail/postfix/masquerade/domains',
 'type': 'str',
 'value': '$mydomain'}]

In UMC:
This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at . If the variable is unset, the fully qualified hostname of the server is used.
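The defect described in this report, as an added example that is not part of the bug report or of the univention code: a description string containing `<...>` is interpolated straight into an HTML fragment, so the browser consumes `<http://...>` as an unknown start tag and the URL disappears from the rendered text. `encodeHtmlEntities()` is a small stand-in for what the applied patch does with dojox/html/entities; `approximateRenderedText()` is a deliberately rough model of browser rendering (strip anything shaped like a tag, decode the named entities) written for this demo, not an HTML parser. The sample description is constructed from the `ucr info` output above with one extra `<hostname>` and `&` added to exercise more characters.

```javascript
// Added example, not UMC code: HTML-entity encoding of a UCR variable
// description before it is placed into a widget's innerHTML.

// Constructed sample, modelled on the mail/postfix/masquerade/domains
// description shown by `ucr info`, with <hostname> and & added for the demo.
const SAMPLE_DESCRIPTION =
  'The format is described at <http://www.postfix.org/postconf.5.html#masquerade_domains>. ' +
  'Unset means <hostname> is used & nothing else.';

// Characters that must never reach innerHTML unencoded.
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode text for safe interpolation into an HTML fragment (same intent as
// the entities.encode() call the patch introduces).
function encodeHtmlEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Rough model of what a browser displays for an HTML fragment: anything that
// looks like a tag (<letter ...>) is consumed as markup and renders nothing,
// and the named entities above are decoded back to characters.
// Simplification for this demo only, not an HTML parser.
function approximateRenderedText(htmlFragment) {
  const withoutTags = htmlFragment.replace(/<\/?[A-Za-z][^>]*>/g, '');
  return withoutTags.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) =>
    ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" })[name]);
}

// Buggy path: the description is concatenated directly (state before the patch).
function renderDescriptionUnsafe(text) {
  return approximateRenderedText('<i>' + text + '</i>');
}

// Fixed path: the description is encoded first (state after the patch).
function renderDescriptionSafe(text) {
  return approximateRenderedText('<i>' + encodeHtmlEntities(text) + '</i>');
}

console.log('unsafe: ' + renderDescriptionUnsafe(SAMPLE_DESCRIPTION));
console.log('safe:   ' + renderDescriptionSafe(SAMPLE_DESCRIPTION));
```

The unsafe rendering loses the URL and the `<hostname>` placeholder exactly as the UMC screenshot shows ("The format is described at ."), while the encoded rendering reproduces the description verbatim. Encoding belongs at the point where untrusted text meets markup, not in the data: the UCRV description files are correct as written.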
diff --git a/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js b/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js index 909217d..d6433c5 100644 --- a/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js +++ b/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js @@ -35,6 +35,7 @@ define([ "dojo/_base/array", "dojo/aspect", "dojo/sniff", + "dojox/html/entities", "dijit/Dialog", "dijit/form/_TextBoxMixin", "umc/tools", @@ -52,7 +53,7 @@ define([ "umc/widgets/Tooltip", "umc/i18n!umc/modules/ucr", "xstyle/css!./ucr.css" -], function(declare, lang, kernel, array, aspect, has, Dialog, _TextBoxMixin, tools, dialog, Form, Grid, Module, Page, SearchForm, StandbyMixin, TextBox, Text, HiddenInput, ComboBox, Tooltip, _) { +], function(declare, lang, kernel, array, aspect, has, entities, Dialog, _TextBoxMixin, tools, dialog, Form, Grid, Module, Page, SearchForm, StandbyMixin, TextBox, Text, HiddenInput, ComboBox, Tooltip, _) { var _DetailDialog = declare([Dialog, StandbyMixin], { _form: null, @@ -135,7 +136,7 @@ define([ if (text) { // we have description, update the description field descWidget.set('visible', true); - descWidget.set('content', '<i>' + text + '</i>'); + descWidget.set('content', '<i>' + entities.encode(text) + '</i>'); } else { // no description -> hide widget and label
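Review bot: in the second hunk the new `entities` parameter is placed between `has` and `Dialog`, which matches the position of "dojox/html/entities" between "dojo/sniff" and "dijit/Dialog" in the dependency array of the first hunk. AMD binds these two lists by position, so any later reordering of either list must keep them aligned; a mismatch would silently pass every following module under the wrong name without an error at load time.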
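Review bot: the third hunk encodes `text` before wrapping it in `<i>`, which fixes the description field, but the same description string is also rendered in the tool-tip and this hunk leaves that path untouched (the follow-up attachment "Patch v2" is needed for it). While here, every other place in ucr.js where a variable's description or value is concatenated into a `content` string should be checked for the same pattern, e.g. `descWidget.set('content', '<i>' + entities.encode(text) + '</i>');` is the form each of them should take.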
Created attachment 6758: Patch v2

Tool-tip also needs escaping.
The following UCRV descriptions use [<&>] and thus are currently shown broken:

$ git grep -c '[<&>]' -- \*.univention-config-registry-variables
base/univention-base-files/debian/univention-base-files.univention-config-registry-variables:2
base/univention-firewall/debian/univention-firewall.univention-config-registry-variables:4
base/univention-grub/debian/univention-grub.univention-config-registry-variables:10
base/univention-heimdal/debian/univention-heimdal-common.univention-config-registry-variables:2
base/univention-ssl/debian/univention-ssl.univention-config-registry-variables:2
base/univention-system-setup/debian/univention-system-setup.univention-config-registry-variables:2
mail/univention-antivir-mail/debian/univention-antivir-mail.univention-config-registry-variables:2
mail/univention-mail-postfix/debian/univention-mail-postfix.univention-config-registry-variables:14
management/univention-directory-reports/debian/univention-directory-reports.univention-config-registry-variables:4
management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables:16
nagios/univention-nagios/debian/univention-nagios-server.univention-config-registry-variables:2
services/univention-ad-connector/debian/univention-ad-connector.univention-config-registry-variables:2
services/univention-apache/debian/univention-apache.univention-config-registry-variables:22
services/univention-bind/debian/univention-bind.univention-config-registry-variables:4
services/univention-dhcp/debian/univention-dhcp.univention-config-registry-variables:2
services/univention-net-installer/debian/univention-net-installer.univention-config-registry-variables:2
services/univention-nfs/debian/univention-nfs-server.univention-config-registry-variables:4
services/univention-squid/debian/univention-squid.univention-config-registry-variables:8
virtualization/univention-virtual-machine-manager-node/debian/univention-virtual-machine-manager-node-common.univention-config-registry-variables:2
r58948 | Bug #38036 UMC_UCR: Encode HTML entities in description and tool-tip
Patch applied

Package: univention-management-console-module-ucr
Version: 4.1.1-4.59.201503160950
Branch: ucs_4.0-0
Scope: errata4.0-1

r59040 | Bug #38036 UMC_UCR: Encode HTML entities in description and tool-tip
YAML 2015-03-16-univention-management-console-module-ucr.yaml
OK: the links / details in '<' are shown again
OK: Code review
OK: YAML
OK: tooltips are also shown correctly
<http://errata.univention.de/ucs/4.0/127.html>