Bug 40808 - HTML tags in UMC module names are evaluated
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 4.x
Assigned To: UMC maintainers
QA Contact:
Depends on:
Blocks:
Reported: 2016-03-01 12:58 CET by Dirk Wiesenthal
Modified: 2019-03-10 16:08 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Description Dirk Wiesenthal univentionstaff 2016-03-01 12:58:15 CET
If an App's Name contains HTML, it is written in the apps.xml when installed.

This HTML is evaluated instead of escaped. This is a generic UMC problem.

ATTENTION: It may or may not be necessary to "unfix" certain modules that worked around this issue, namely UDM, maybe UVMM.

If this is not feasible, please re-tag to UMC - App Center. We could double escape apps.xml, although I think this is not the right place to fix it.

+++ This bug was initially created as a clone of Bug #35324 +++

Characters used in an app's name or version are correctly escaped by python.

Unfortunately, these are escaped again by the AppCenterGalleryPane. The put-selector escapes automatically with no option to disable it.

But we need the escaping both in frontend and backend for UCR variables, XML files, title attributes, etc. So this has to be fixed in AppCenterGalleryPane's renderRow.

Note that modules in "Installed Modules" are escaped correctly - the backend sends unescaped module definitions in modules/list
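The report describes two opposite failure modes of the same rendering path: a name dropped unescaped into the page has its tags evaluated, while a name escaped by the backend and then escaped again by an auto-escaping widget is displayed as literal entities. The following is an added illustration, not code from the report or from UCS; the sink and render functions are hypothetical stand-ins for the put-selector and renderRow behaviour the report mentions, and the app name is a constructed sample.

```javascript
// Added example (not Univention's code): escape exactly once, at the output sink.
// Assumption: the backend delivers the raw app name and the frontend owns the
// escaping when it builds text content or an attribute value.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// One escaping step, suitable for both text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Stand-in for a widget that escapes automatically (the put-selector in the report).
function autoEscapingSink(text) {
  return escapeHtml(text);
}

// Failure mode 1: raw name concatenated into markup, so any tags are evaluated.
function renderUnsafe(rawName) {
  return '<div class="name">' + rawName + '</div>';
}

// Failure mode 2: name already escaped by the backend is fed to the auto-escaping
// sink, so the user sees "&lt;b&gt;" instead of "<b>" (double escaping).
function renderDoubleEscaped(backendEscapedName) {
  return '<div class="name">' + autoEscapingSink(backendEscapedName) + '</div>';
}

// Fix: take the raw value and escape it once per output context, at the sink.
function renderOnce(rawName) {
  const safe = escapeHtml(rawName);
  return '<div class="name" title="' + safe + '">' + safe + '</div>';
}

// Simple check for the double-escaping symptom: an entity whose ampersand was
// itself escaped (e.g. "&amp;lt;"). Useful as a regression assertion in UI tests.
function looksDoubleEscaped(markup) {
  return /&amp;(lt|gt|amp|quot|#39);/.test(markup);
}

// Constructed sample name containing markup and a bare ampersand.
const SAMPLE_NAME = '<b>Evil</b> & Co';

function demo() {
  return {
    unsafe: renderUnsafe(SAMPLE_NAME),
    doubleEscaped: renderDoubleEscaped(escapeHtml(SAMPLE_NAME)),
    once: renderOnce(SAMPLE_NAME),
  };
}

module.exports = { escapeHtml, renderUnsafe, renderDoubleEscaped, renderOnce, looksDoubleEscaped, SAMPLE_NAME, demo };
```

The design point is that escaping is a property of the output context, not of the data: storing an escaped string (in apps.xml, a UCR variable, or a JSON response) and then rendering it through a component that escapes again produces the symptom the report describes, while storing raw data and escaping at every sink avoids both the evaluated-HTML and the double-escaped case.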
Comment 1 Stefan Gohmann univentionstaff 2019-01-03 07:21:10 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.