GRP-1222 (Grouper)

XSS vulnerability in tooltips in new UI


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.2.0, 2.2.1, 2.2.2
    • Fix Version/s: 2.2.2.patch, 2.2.3, 2.3.0
    • Component/s: UI
    • Labels:
      None

      Description

      Data in tooltips in the new UI are escaped for HTML, but they need to be escaped twice. You need to change the templates that display Grouper objects to escape twice, like the commit in this Jira. You can either edit the grouper.text.en.us.base.properties file directly (per the commit), or install the patch (if you are on 2.2.2). If you are on 2.2.1, you can upgrade to 2.2.2 to get the patch.
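
      Why a single escape is not enough here, as an added example that is not Grouper code or part of the commit: it assumes the tooltip text is written into an HTML attribute and that the tooltip widget later inserts the attribute's value as HTML, which the issue does not spell out. All function names and the sample group name are constructed for illustration.

```javascript
// Server-side template step: escape the HTML-significant characters once.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Browser step 1: the HTML parser decodes character references in an
// attribute value exactly once. Only the entities emitted above are handled.
function decodeOnce(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => map[name]);
}

// Browser step 2 (assumption): the tooltip widget reads the attribute and
// inserts the decoded value as HTML. This returns the string it would insert.
function htmlSeenByTooltip(attributeSource) {
  return decodeOnce(attributeSource);
}

// True when the string still contains a tag the browser would parse as markup.
function containsLiveMarkup(html) {
  return /<[a-zA-Z\/]/.test(html);
}

// Constructed sample: a group display name under a user's control.
const displayName = '<b>staff</b> & "friends"';

// Escaped once: safe inside the attribute, but the parser's decode hands the
// original markup to the tooltip widget.
const escapedOnce = escapeHtml(displayName);

// Escaped twice: the parser's decode leaves an escaped string, which the
// widget renders as literal text.
const escapedTwice = escapeHtml(escapedOnce);

function report() {
  return {
    once: containsLiveMarkup(htmlSeenByTooltip(escapedOnce)),   // markup survives
    twice: containsLiveMarkup(htmlSeenByTooltip(escapedTwice)), // markup neutralized
  };
}

console.log(report());
```

      Double escaping is only correct for values that pass through both decode steps; text rendered directly in the page body still needs exactly one escape.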

            People

            • Assignee: Chris Hyzer (mchyzer)
            • Reporter: Chris Hyzer (mchyzer)
            • Votes: 0
            • Watchers: 1
