Bug 38036 - HTML not escaped
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Univention Configuration Registry
UCS 4.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-1-errata
Assigned To: Philipp Hahn
QA Contact: Florian Best
Depends on:
Blocks: 37442
Reported: 2015-03-13 11:46 CET by Philipp Hahn
Modified: 2015-03-25 16:41 CET (History)

Attachments
UMC Screenshot (25.60 KB, image/png)
2015-03-13 11:46 CET, Philipp Hahn
Patch v2 (3.23 KB, patch)
2015-03-13 11:54 CET, Philipp Hahn

Description Philipp Hahn univentionstaff 2015-03-13 11:46:53 CET
Created attachment 6757
UMC Screenshot

<, &, > are not escaped in UCRV descriptions

# ucr info mail/postfix/masquerade/domains
mail/postfix/masquerade/domains: $mydomain
 This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at <http://www.postfix.org/postconf.5.html#masquerade_domains>. If the variable is unset, the fully qualified hostname of the server is used.
 Categories: service-mail

# umc-command -U Administrator -P univention -r ucr/get -o mail/postfix/masquerade/domains=
10.03.15 02:45:13.523  DEBUG_INIT
Response: COMMAND
  data length   :  916
  message length:  851
  ---
  ARGUMENTS: ['ucr/get']
MIMETYPE   : application/json
  STATUS   : 200
  MESSAGE  : None
  RESULT   : [ { 'categories': 'service-mail',
    'description[de]': u'Mit dieser Variable kann eine Unterdom\xe4ne aus E-Mail-Adressen entfernt werden, so dass z.B. user@server.example.com nach user@example.com umgeschrieben wird. Das Format ist unter <http://www.postfix.org/postconf.5.html#masquerade_domains> beschrieben. Ist die Variable nicht gesetzt, gilt der vollqualifizierte Rechnername des Servers.',
    'description[en]': 'This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at <http://www.postfix.org/postconf.5.html#masquerade_domains>. If the variable is unset, the fully qualified hostname of the server is used.',
    'key': 'mail/postfix/masquerade/domains',
    'type': 'str',
    'value': '$mydomain'}]


In UMC:

This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at . If the variable is unset, the fully qualified hostname of the server is used.


diff --git a/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js b/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js
index 909217d..d6433c5 100644
--- a/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js
+++ b/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js
@@ -35,6 +35,7 @@ define([
        "dojo/_base/array",
        "dojo/aspect",
        "dojo/sniff",
+       "dojox/html/entities",
        "dijit/Dialog",
        "dijit/form/_TextBoxMixin",
        "umc/tools",
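Review bot: "dojox/html/entities" is inserted between "dojo/sniff" and "dijit/Dialog" rather than appended to the dependency list; AMD binds dependencies to factory arguments by position, so the callback signature must gain the new parameter in exactly that slot (the following hunk does so). Appending new modules at the end of both lists would make the mapping trivial to verify in review and less likely to break on the next edit.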
@@ -52,7 +53,7 @@ define([
        "umc/widgets/Tooltip",
        "umc/i18n!umc/modules/ucr",
        "xstyle/css!./ucr.css"
-], function(declare, lang, kernel, array, aspect, has, Dialog, _TextBoxMixin, tools, dialog, Form, Grid, Module, Page, SearchForm, StandbyMixin, TextBox, Text, HiddenInput, ComboBox, Tooltip, _) {
+], function(declare, lang, kernel, array, aspect, has, entities, Dialog, _TextBoxMixin, tools, dialog, Form, Grid, Module, Page, SearchForm, StandbyMixin, TextBox, Text, HiddenInput, ComboBox, Tooltip, _) {
 
        var _DetailDialog = declare([Dialog, StandbyMixin], {
                _form: null,
@@ -135,7 +136,7 @@ define([
                                if (text) {
                                        // we have description, update the description field
                                        descWidget.set('visible', true);
-                                       descWidget.set('content', '<i>' + text + '</i>');
+                                       descWidget.set('content', '<i>' + entities.encode(text) + '</i>');
                                }
                                else {
                                        // no description -> hide widget and label
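Review bot: the encoding is applied to `text` before it is concatenated with the `<i>` wrapper, which is the right order: the wrapper stays markup while the description becomes inert text, so a literal `<http://...>` in a UCRV description is displayed instead of being parsed as a tag. This hunk only covers the detail dialog's description, though; any other place where UCRV text is set as HTML content needs the same `entities.encode` call, and comment 1 confirms the tool-tip was missed in this version of the patch (addressed in "Patch v2").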
Comment 1 Philipp Hahn univentionstaff 2015-03-13 11:54:58 CET
Created attachment 6758
Patch v2

Tool-tips also need escaping.
Comment 2 Philipp Hahn univentionstaff 2015-03-13 11:58:44 CET
The following UCRV descriptions use [<&>] and thus are currently shown broken:

$ git grep -c '[<&>]' -- \*.univention-config-registry-variables
base/univention-base-files/debian/univention-base-files.univention-config-registry-variables:2
base/univention-firewall/debian/univention-firewall.univention-config-registry-variables:4
base/univention-grub/debian/univention-grub.univention-config-registry-variables:10
base/univention-heimdal/debian/univention-heimdal-common.univention-config-registry-variables:2
base/univention-ssl/debian/univention-ssl.univention-config-registry-variables:2
base/univention-system-setup/debian/univention-system-setup.univention-config-registry-variables:2
mail/univention-antivir-mail/debian/univention-antivir-mail.univention-config-registry-variables:2
mail/univention-mail-postfix/debian/univention-mail-postfix.univention-config-registry-variables:14
management/univention-directory-reports/debian/univention-directory-reports.univention-config-registry-variables:4
management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables:16
nagios/univention-nagios/debian/univention-nagios-server.univention-config-registry-variables:2
services/univention-ad-connector/debian/univention-ad-connector.univention-config-registry-variables:2
services/univention-apache/debian/univention-apache.univention-config-registry-variables:22
services/univention-bind/debian/univention-bind.univention-config-registry-variables:4
services/univention-dhcp/debian/univention-dhcp.univention-config-registry-variables:2
services/univention-net-installer/debian/univention-net-installer.univention-config-registry-variables:2
services/univention-nfs/debian/univention-nfs-server.univention-config-registry-variables:4
services/univention-squid/debian/univention-squid.univention-config-registry-variables:8
virtualization/univention-virtual-machine-manager-node/debian/univention-virtual-machine-manager-node-common.univention-config-registry-variables:2
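The rendering failure quoted in the description ("The format is described at .") and the fix from the patch, reproduced as an added JavaScript example. This is not code from the Univention UCR module or from dojox: `encodeEntities` is a hand-written stand-in for `dojox/html/entities.encode`, `visibleText` is a deliberately crude model of how a browser drops an unknown tag such as `<http://...>`, and the sample string is constructed from the mail/postfix/masquerade/domains description quoted above.

```javascript
// Added example (not Univention or dojox code): why the unescaped UCRV
// description lost its URL in UMC, and how entity encoding fixes it.

// Same default character set as dojox/html/entities.encode: & < > " '
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&apos;',
};
const HTML_ENTITIES_REVERSE = Object.fromEntries(
  Object.entries(HTML_ENTITIES).map(([ch, ent]) => [ent, ch])
);

// Stand-in for entities.encode: a single pass over the string, so an '&'
// already in the input is encoded exactly once and never re-encoded.
function encodeEntities(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Inverse, used here only to model how the browser displays encoded text.
function decodeEntities(html) {
  return html.replace(/&(amp|lt|gt|quot|apos);/g, (ent) => HTML_ENTITIES_REVERSE[ent]);
}

// Before the fix (ucr.js, _DetailDialog): raw description concatenated into HTML.
function renderDescriptionUnsafe(text) {
  return '<i>' + text + '</i>';
}

// After the fix: the description is encoded first, so only the <i> wrapper is markup.
function renderDescriptionSafe(text) {
  return '<i>' + encodeEntities(text) + '</i>';
}

// Crude model of a browser's text rendering: anything shaped like a tag is
// consumed as markup (an unknown element such as <http://...> renders as
// nothing), then entity references are decoded for display.
function visibleText(html) {
  return decodeEntities(html.replace(/<[^>]*>/g, ''));
}

// Constructed from the mail/postfix/masquerade/domains description quoted in the bug.
const DESCRIPTION =
  'The format is described at <http://www.postfix.org/postconf.5.html#masquerade_domains>.';

// What the user would see in UMC for a given description, with and without the fix.
function demo(text = DESCRIPTION) {
  return {
    unsafeVisible: visibleText(renderDescriptionUnsafe(text)),
    safeVisible: visibleText(renderDescriptionSafe(text)),
  };
}

console.log(demo());
// unsafeVisible: 'The format is described at .'  (the URL was parsed as a tag)
// safeVisible:   the full DESCRIPTION, URL included
```

The unsafe path reproduces exactly what the screenshot showed: the angle-bracketed URL is swallowed as an element. The same encoding also neutralises any other markup that happens to appear in a description, which is why the fix is output encoding at the HTML sink rather than rewriting the affected descriptions listed in comment 2.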
Comment 3 Philipp Hahn univentionstaff 2015-03-16 09:56:06 CET
r58948 | Bug #38036 UMC_UCR: Encode HTML entities in description and tool-tip
 Patch applied

Package: univention-management-console-module-ucr
Version: 4.1.1-4.59.201503160950
Branch: ucs_4.0-0
Scope: errata4.0-1

r59040 | Bug #38036 UMC_UCR: Encode HTML entities in description and tool-tip YAML
 2015-03-16-univention-management-console-module-ucr.yaml
Comment 4 Florian Best univentionstaff 2015-03-16 10:24:23 CET
OK: the links / details in '<' are shown again
OK: Code review
OK: YAML
Comment 5 Florian Best univentionstaff 2015-03-16 10:25:12 CET
OK: tooltips are also shown correctly
Comment 6 Janek Walkenhorst univentionstaff 2015-03-25 16:41:08 CET
<http://errata.univention.de/ucs/4.0/127.html>