Univention Bugzilla – Full Text Bug Listing
Summary: | Strengthen javascript utilities against XSS attacks | ||
---|---|---|---|
Product: | UCS | Reporter: | Florian Best <best> |
Component: | UMC (Generic) | Assignee: | UMC maintainers <umc-maintainers> |
Status: | NEW --- | QA Contact: | UMC maintainers <umc-maintainers> |
Severity: | normal | ||
Priority: | P5 | CC: | keiser |
Version: | UCS 5.0 | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=44498 https://forge.univention.org/bugzilla/show_bug.cgi?id=40808 https://forge.univention.org/bugzilla/show_bug.cgi?id=48812 | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | Security | |
Max CVSS v3 score: |
Description
Florian Best
2017-03-08 17:04:03 CET
Also _Module.set('title') doesn't escape HTML (this is used in UDM with HTML). A flag _Module.titleAllowHTML should be implemented. Bug #44498 is one example, where the attack vector is the progress bar. diff --git management/univention-web/js/widgets/LabelPane.js management/univention-web/js/widgets/LabelPane.js index b6d693e69d..dc6766ea34 100644 --- management/univention-web/js/widgets/LabelPane.js +++ management/univention-web/js/widgets/LabelPane.js @@ -111,6 +111,8 @@ define([ // Whether this LabelPane is in a layout with non CheckBox widgets betweenNonCheckBoxes: true, + allowLabelHTML: false, + constructor: function(params) { this._startupDeferred = new Deferred(); @@ -281,17 +283,18 @@ define([ return; } + var labelHTML = this.allowLabelHTML ? label : entities.encode(label); // if we have a widget which is required, add the string ' (*)' to the label if (this._isContentAWidget() && this._isContentRequired()) { - label = label + ' *'; + labelHTML = labelHTML + ' *'; } this.label = label; // set the label itself and show the corresponding label node var labelNode = null; - if (label) { + if (labelHTML) { labelNode = this._getLabelNode(); - attr.set(labelNode, 'innerHTML', label); + attr.set(labelNode, 'innerHTML', labelHTML); } this._hideNodes(labelNode); |
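Review bot: the new `allowLabelHTML: false` property in the first hunk has no comment, while the neighbouring `betweenNonCheckBoxes` does ("// Whether this LabelPane is in a layout with non CheckBox widgets"). Add a line above it stating that it disables HTML escaping of the label and must only be set by callers that build the label from trusted, non-user-controlled content, so that the opt-out is not enabled casually.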
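Review bot: in the second hunk `this.label = label;` now stores the unsuffixed label, whereas before the change `label = label + ' *';` ran first, so `this.label` no longer contains the required marker for required widgets; if anything reads `this.label` expecting the marker, it will see a different value after this patch, so either keep `this.label = labelHTML;`-style behaviour or document the change. Also, `entities.encode(label)` relies on `entities` being in the module's `define([...])` dependency list, and the hunk does not show that import being added; verify it is already present in LabelPane.js.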
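The report proposes an opt-in flag (`titleAllowHTML` / `allowLabelHTML`) so that labels and titles are HTML-escaped by default and only rendered as markup when a caller explicitly asks for it. The following is an added example illustrating that pattern in plain JavaScript; it is not Univention code and does not use the project's Dojo modules. `encodeEntities` is a constructed stand-in for `dojox/html/entities.encode`, and `buildLabelHTML` / `renderLabel` are hypothetical names chosen for the example.

```javascript
// Added example (not Univention code): escape-by-default label rendering with
// an explicit opt-out flag, mirroring the allowLabelHTML / titleAllowHTML idea.

// Constructed stand-in for dojox/html/entities.encode: escapes the five
// characters that can break out of text content or attribute values.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeEntities(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Builds the innerHTML for a label. allowHTML defaults to false, so a label
// derived from user-controlled data (for example an LDAP attribute value) is
// rendered as literal text. The required marker is appended after escaping,
// so the marker itself is never escaped and the raw label is never trusted.
function buildLabelHTML(label, { allowHTML = false, required = false } = {}) {
  if (label == null || label === '') {
    return '';
  }
  let html = allowHTML ? label : encodeEntities(label);
  if (required) {
    html += ' *';
  }
  return html;
}

// Applies the built HTML to a minimal node-like object (constructed stand-in
// for attr.set(labelNode, 'innerHTML', ...)) and hides the node when empty.
function renderLabel(node, label, options) {
  const html = buildLabelHTML(label, options);
  node.innerHTML = html;
  node.hidden = html === '';
  return node;
}

// Stand-alone demonstration on constructed input.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildLabelHTML('Tom & Jerry <admin>', { required: true }));
  console.log(buildLabelHTML('<b>Name</b>', { allowHTML: true }));
}
```

The key design choice is that the flag only changes which string reaches `innerHTML`; the default path always passes through `encodeEntities`, so a caller has to make a deliberate, reviewable decision to render markup.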