First Last Prev Next    This bug is not in your last search results.
Bug 38036 - HTML not escaped
HTML not escaped
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - Univention Configuration Registry
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.0-1-errata
Assigned To: Philipp Hahn
Florian Best
:
Depends on:
Blocks: 37442
  Show dependency treegraph
 
Reported: 2015-03-13 11:46 CET by Philipp Hahn
Modified: 2015-03-25 16:41 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
UMC Screenshot (25.60 KB, image/png)
2015-03-13 11:46 CET, Philipp Hahn 		Details
Patch v2 (3.23 KB, patch)
2015-03-13 11:54 CET, Philipp Hahn 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2015-03-13 11:46:53 CET 
Created attachment 6757 [details]
UMC Screenshot

<, &, > are not escaped in UCRV descriptions

# ucr info mail/postfix/masquerade/domains
mail/postfix/masquerade/domains: $mydomain
 This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at <http://www.postfix.org/postconf.5.html#masquerade_domains>. If the variable is unset, the fully qualified hostname of the server is used.
 Categories: service-mail

# umc-command -U Administrator -P univention -r ucr/get -o mail/postfix/masquerade/domains=
10.03.15 02:45:13.523  DEBUG_INIT
Response: COMMAND
  data length   :  916
  message length:  851
  ---
  ARGUMENTS: ['ucr/get']
MIMETYPE   : application/json
  STATUS   : 200
  MESSAGE  : None
  RESULT   : [ { 'categories': 'service-mail',
    'description[de]': u'Mit dieser Variable kann eine Unterdom\xe4ne aus E-Mail-Adressen entfernt werden, so dass z.B. user@server.example.com nach user@example.com umgeschrieben wird. Das Format ist unter <http://www.postfix.org/postconf.5.html#masquerade_domains> beschrieben. Ist die Variable nicht gesetzt, gilt der vollqualifizierte Rechnername des Servers.',
    'description[en]': 'This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at <http://www.postfix.org/postconf.5.html#masquerade_domains>. If the variable is unset, the fully qualified hostname of the server is used.',
    'key': 'mail/postfix/masquerade/domains',
    'type': 'str',
    'value': '$mydomain'}]


In UMC:

This variable can be used to strip a subdomain from an e-mail-adress, so that e.g. user@server.example.com can be rewritten to user@example.com. The format is described at . If the variable is unset, the fully qualified hostname of the server is used.


diff --git a/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js b/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js
index 909217d..d6433c5 100644
--- a/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js
+++ b/branches/ucs-4.0/ucs-4.0-1/management/univention-management-console-module-ucr/umc/js/ucr.js
@@ -35,6 +35,7 @@ define([
        "dojo/_base/array",
        "dojo/aspect",
        "dojo/sniff",
+       "dojox/html/entities",
        "dijit/Dialog",
        "dijit/form/_TextBoxMixin",
        "umc/tools",
@@ -52,7 +53,7 @@ define([
        "umc/widgets/Tooltip",
        "umc/i18n!umc/modules/ucr",
        "xstyle/css!./ucr.css"
-], function(declare, lang, kernel, array, aspect, has, Dialog, _TextBoxMixin, tools, dialog, Form, Grid, Module, Page, SearchForm, StandbyMixin, TextBox, Text, HiddenInput, ComboBox, Tooltip, _) {
+], function(declare, lang, kernel, array, aspect, has, entities, Dialog, _TextBoxMixin, tools, dialog, Form, Grid, Module, Page, SearchForm, StandbyMixin, TextBox, Text, HiddenInput, ComboBox, Tooltip, _) {
 
        var _DetailDialog = declare([Dialog, StandbyMixin], {
                _form: null,
@@ -135,7 +136,7 @@ define([
                                if (text) {
                                        // we have description, update the description field
                                        descWidget.set('visible', true);
-                                       descWidget.set('content', '<i>' + text + '</i>');
+                                       descWidget.set('content', '<i>' + entities.encode(text) + '</i>');
                                }
                                else {
                                        // no description -> hide widget and label
Comment 1 Philipp Hahn univentionstaff 2015-03-13 11:54:58 CET 
Created attachment 6758 [details]
Patch v2

Tool-tip also need escaping.
Comment 2 Philipp Hahn univentionstaff 2015-03-13 11:58:44 CET 
The following UCRV descriptions use [<&>] and thus are currently shown broken:

$ git grep -c '[<&>]' -- \*.univention-config-registry-variables
base/univention-base-files/debian/univention-base-files.univention-config-registry-variables:2
base/univention-firewall/debian/univention-firewall.univention-config-registry-variables:4
base/univention-grub/debian/univention-grub.univention-config-registry-variables:10
base/univention-heimdal/debian/univention-heimdal-common.univention-config-registry-variables:2
base/univention-ssl/debian/univention-ssl.univention-config-registry-variables:2
base/univention-system-setup/debian/univention-system-setup.univention-config-registry-variables:2
mail/univention-antivir-mail/debian/univention-antivir-mail.univention-config-registry-variables:2
mail/univention-mail-postfix/debian/univention-mail-postfix.univention-config-registry-variables:14
management/univention-directory-reports/debian/univention-directory-reports.univention-config-registry-variables:4
management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables:16
nagios/univention-nagios/debian/univention-nagios-server.univention-config-registry-variables:2
services/univention-ad-connector/debian/univention-ad-connector.univention-config-registry-variables:2
services/univention-apache/debian/univention-apache.univention-config-registry-variables:22
services/univention-bind/debian/univention-bind.univention-config-registry-variables:4
services/univention-dhcp/debian/univention-dhcp.univention-config-registry-variables:2
services/univention-net-installer/debian/univention-net-installer.univention-config-registry-variables:2
services/univention-nfs/debian/univention-nfs-server.univention-config-registry-variables:4
services/univention-squid/debian/univention-squid.univention-config-registry-variables:8
virtualization/univention-virtual-machine-manager-node/debian/univention-virtual-machine-manager-node-common.univention-config-registry-variables:2
Comment 3 Philipp Hahn univentionstaff 2015-03-16 09:56:06 CET 
r58948 | Bug #38036 UMC_UCR: Encode HTML entities in description and tool-tip
 Patch applied

Package: univention-management-console-module-ucr
Version: 4.1.1-4.59.201503160950
Branch: ucs_4.0-0
Scope: errata4.0-1

r59040 | Bug #38036 UMC_UCR: Encode HTML entities in description and tool-tip YAML
 2015-03-16-univention-management-console-module-ucr.yaml
Comment 4 Florian Best univentionstaff 2015-03-16 10:24:23 CET 
OK: the links / details in '<' are shown again
OK: Code review
OK: YAML
Comment 5 Florian Best univentionstaff 2015-03-16 10:25:12 CET 
OK: tooltips are also shown correctly
Comment 6 Janek Walkenhorst univentionstaff 2015-03-25 16:41:08 CET 
<http://errata.univention.de/ucs/4.0/127.html>
First Last Prev Next    This bug is not in your last search results.