Bug 35324 - Double escape of HTML for app's name and description
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - App-Center
Version: UCS 4.1
OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-1-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
Duplicates: 39814
Reported: 2014-07-09 11:30 CEST by Dirk Wiesenthal
Modified: 2016-03-02 13:25 CET
Description Dirk Wiesenthal univentionstaff 2014-07-09 11:30:06 CEST
Characters used in an app's name or version are correctly escaped by Python.

Unfortunately, these are escaped again by the AppCenterGalleryPane. The put-selector escapes automatically with no option to disable it.

But we need the escaping both in frontend and backend for UCR variables, XML files, title attributes, etc. So this has to be fixed in AppCenterGalleryPane's renderRow.

Note that modules in "Installed Modules" are escaped correctly: the backend sends unescaped module definitions in modules/list.
Comment 1 Dirk Wiesenthal univentionstaff 2014-07-09 11:32:46 CEST
I meant "app's name or description" not "app's name or version"
Comment 2 Dirk Wiesenthal univentionstaff 2015-12-08 17:35:08 CET
This now also holds for Maintainer / Vendor in the 4.1 overview
Comment 3 Dirk Wiesenthal univentionstaff 2015-12-22 00:11:29 CET
Ticket#2015121821000314
Comment 4 Nico Gulden univentionstaff 2016-01-08 12:10:11 CET
Bug #39814 may be a duplicate of this one.
Comment 5 Florian Best univentionstaff 2016-02-24 18:48:33 CET
*** Bug 39814 has been marked as a duplicate of this bug. ***
Comment 6 Florian Best univentionstaff 2016-02-24 18:53:35 CET
The values aren't encoded in the backend anymore. All escaping has been moved to the frontend.

univention-appcenter (5.0.20-6):
r67667 | Bug #35324: Fix HTML encoding

univention-appcenter.yaml:
r67668 | YAML Bug #35324
Comment 7 Dirk Wiesenthal univentionstaff 2016-03-01 03:05:48 CET
The following attributes are not escaped in DetailsPage:
  Name (Module headline (thick line) and Module title (Tab line), although the latter one is probably a UMC problem)
  Version

If Description is empty (None), ucr commit /usr/share/univention-management-console/modules/apps.xml traces:
File: /usr/share/univention-management-console/modules/apps.xml
Traceback (most recent call last):
  File "<stdin>", line 32, in <module>
  File "/usr/lib/python2.7/cgi.py", line 1035, in escape
    s = s.replace("&", "&amp;") # Must be done first!
AttributeError: 'NoneType' object has no attribute 'replace'
Comment 8 Florian Best univentionstaff 2016-03-01 07:11:50 CET
(In reply to Dirk Wiesenthal from comment #7)
> The following attributes are not escaped in DetailsPage:
>   Name (Module headline (thick line) and Module title (Tab line), although
> the latter one is probably a UMC problem)
>   Version
Fixed. It's btw not DetailsPage but AppDetailsPage!

> If Description is empty (None), ucr commit
> /usr/share/univention-management-console/modules/apps.xml traces:
> File: /usr/share/univention-management-console/modules/apps.xml
> Traceback (most recent call last):
>   File "<stdin>", line 32, in <module>
>   File "/usr/lib/python2.7/cgi.py", line 1035, in escape
>     s = s.replace("&", "&amp;") # Must be done first!
> AttributeError: 'NoneType' object has no attribute 'replace'
Yes, I added a "or ''" for each item.
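The double escaping from the description and the None crash from comments 7 and 8, as an added Python example that is not Univention's code: it uses Python 3's html.escape in place of the cgi.escape in the traceback, the app values are constructed, and the double-escape check is a hypothetical heuristic.

```python
import html
import re

# Constructed sample app metadata, as the backend would read it from an app's .ini file.
SAMPLE_APP = {
    "name": "Tom & Jerry's <Chat>",
    "description": None,      # empty description: the case that crashed cgi.escape
    "vendor": "ACME <Ltd>",
}


def escape_once(value):
    """Escape a value for HTML/XML exactly once; None is treated as ''.

    The 'or ""' guard is the fix from comment 8: cgi.escape(None) raised
    AttributeError because None has no .replace().
    """
    return html.escape(value or "", quote=True)


def backend_xml_fragment(app):
    """Backend side (apps.xml, title attributes): escaping is needed here."""
    return '<module name="{}" description="{}" vendor="{}"/>'.format(
        escape_once(app["name"]),
        escape_once(app["description"]),
        escape_once(app["vendor"]),
    )


def frontend_cell_before_fix(app):
    """Pre-fix behaviour: the backend sent an escaped string and the gallery
    pane escaped it again, so the browser showed a literal '&lt;' or '&amp;'."""
    already_escaped_by_backend = escape_once(app["name"])
    return escape_once(already_escaped_by_backend)


def frontend_cell_after_fix(app):
    """Post-fix behaviour: the backend sends the raw value and only the
    frontend escapes it, so each character is escaped exactly once."""
    return escape_once(app["name"])


# Heuristic (hypothetical) check for double escaping: an '&amp;' immediately
# followed by another entity name. It can false-positive on text that really
# contains the characters '&lt;', so use it in tests, not as a filter.
DOUBLE_ESCAPE = re.compile(r"&amp;(?:amp|lt|gt|quot|#x?[0-9a-fA-F]+);")


def is_double_escaped(markup):
    return DOUBLE_ESCAPE.search(markup) is not None
```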
Comment 9 Dirk Wiesenthal univentionstaff 2016-03-01 12:52:43 CET
OK: Works
OK: YAML
Comment 10 Janek Walkenhorst univentionstaff 2016-03-02 13:25:50 CET
<http://errata.software-univention.de/ucs/4.1/123.html>