Bug 53412 - AppCenter UMC: data-dojo-props are not escaped
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - App-Center
UCS 5.0
Other Linux
P5 normal
UCS 5.0-0-errata
Assigned To: Johannes Keiser
Dirk Wiesenthal
Depends on: 53384
Blocks: 53393
Reported: 2021-06-07 12:17 CEST by Dirk Wiesenthal
Modified: 2021-06-23 15:55 CEST

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.600
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Attachments
French App Center (28.07 KB, image/png)
2021-06-18 09:41 CEST, Dirk Wiesenthal

Description Dirk Wiesenthal univentionstaff 2021-06-07 12:17:25 CEST
This is a problem for all occurrences with variables. Example:

<div class="umcAppSidebarButton ucsPrimaryButton"
  data-dojo-type="umc/widgets/Button"
  data-dojo-attach-event="click:_onClick"
  data-dojo-props="
    name: 'installations',
    label: '\${buttonLabel}'
  "
>

Here, buttonLabel may not include a single quote. This is not the case in German and English. But it may for French. We should double check all data-dojo-props. We used it extensively in the App Center, but better check in all of UMC.

One fix would be to remove the declarative part with data-dojo-type and replace it with data-dojo-attach-node. From there, we can add Dijits programmatically, where escaping is done by Dojo.

+++ This bug was initially created as a clone of Bug #53384 +++

AppCenter UMC: AppCenter breaks for apps with single quote in name (Let's Encrypt)

If apps contain a single quote in their name the appcenter javascript breaks.

How to reproduce:
activate the test appcenter
Open the Let's Encrypt app

I attached a temporary fix which fixes single quotes but breaks double quotes...
Comment 2 Johannes Keiser univentionstaff 2021-06-17 12:19:18 CEST
The problem was with using string interpolation in data-dojo-props.
If the var contained an apostrophe then the syntax is broken.

The fix uses references instead.


fc5f3882b8 Bug #53412: yaml
2f20b3121f Bug #53412: yaml
0ba0ab0cec Bug #53412: debian changelog
73a99855a4 Bug #53412: use vars in data-dojo-props

Successful build
Package: univention-appcenter
Version: 9.0.2-51A~5.0.0.202106171210
Branch: ucs_5.0-0
Scope: errata5.0-0
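
The breakage discussed in this report, as an added JavaScript example that is not code from UCS or Dojo: it compares a label interpolated into the props text with a label that the props text only references. Assumptions: `evalProps` and `substitute` are hypothetical stand-ins for the declarative parser and the template substitution, the reference form `this.buttonLabel` is not shown in this report, and the sample labels are constructed.

```javascript
// Stand-in for a declarative parser: the attribute text is evaluated as the
// body of a JavaScript object literal, with `this` bound to the owning widget.
// (Assumption: a model of the behaviour, not Dojo's implementation.)
function evalProps(propsText, widget) {
  return new Function("return {" + propsText + "};").call(widget);
}

// Stand-in for ${name} template substitution (hypothetical helper).
function substitute(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (_, key) => String(vars[key]));
}

// "Before": the label becomes part of the props source text.
const INTERPOLATED = "name: 'installations', label: '${buttonLabel}'";
// "After": the props text only names a property; the value is never parsed.
const REFERENCED = "name: 'installations', label: this.buttonLabel";

function renderInterpolated(widget) {
  try {
    const props = evalProps(substitute(INTERPOLATED, widget), widget);
    return { ok: true, props };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

function renderReferenced(widget) {
  return { ok: true, props: evalProps(REFERENCED, widget) };
}

// Constructed sample labels: plain, apostrophe, double quote, backslash.
const SAMPLES = [
  "Installations",
  "Installer l'application",
  'Say "hi"',
  "back\\slash",
];

for (const buttonLabel of SAMPLES) {
  const before = renderInterpolated({ buttonLabel });
  const after = renderReferenced({ buttonLabel });
  console.log(JSON.stringify(buttonLabel),
    "| interpolated:", before.ok ? JSON.stringify(before.props.label) : before.error,
    "| referenced:", JSON.stringify(after.props.label));
}
```

The backslash sample shows a quieter failure than the apostrophe: the interpolated form parses, but the label that comes out differs from the one that went in.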
Comment 3 Dirk Wiesenthal univentionstaff 2021-06-18 09:41:35 CEST
Created attachment 10751 [details]
French App Center

Works with French translations
Comment 4 Dirk Wiesenthal univentionstaff 2021-06-18 09:46:15 CEST
App Center: OK with French
Code: OK, no more ${variables} in props in ucs.git
YAML: OK
Comment 5 Erik Damrose univentionstaff 2021-06-23 15:55:43 CEST
<https://errata.software-univention.de/#/?erratum=5.0x28>