HTML tags are not escaped when displaying job parameter description (OD-1254)
bufferUnderrun opened 3 years ago

Hi,

There is a potential injection in the job parameter description.

I set a parameter definition with an HTML tag. Why: just to explain that this parameter will be overridden using the following pattern. image.png

When running the job, the parameters modal displays the raw description value. image_2.png

thanks

  • OneDev changed state to 'Closed' 3 years ago
    Previous Value: Open
    Current Value: Closed
  • OneDev commented 3 years ago

    State changed as code fixing the issue is committed (394c1a89)

  • OneDev changed state to 'Released' 3 years ago
    Previous Value: Closed
    Current Value: Released
  • OneDev commented 3 years ago

    State changed as build #3492 is successful

  • Robin Shen commented 3 years ago

    Param description can still contain HTML tags in 8.0.7. However, it will be sanitized to avoid a potential XSS attack.

    To use special HTML characters, use the escape form, for instance &lt; for <.
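The two treatments the maintainer's comment above distinguishes, sanitizing a description (keep a few harmless tags, drop everything else) versus escaping (the author writes &lt; to show a literal <), as an added example that is not OneDev's own code. The tag allowlist, the function names and the sample descriptions are assumptions made for this illustration; OneDev's actual sanitizer policy is not shown in the thread.

```javascript
// Added example (not OneDev's code): sanitize a job parameter description
// before rendering it in the parameters modal, so that formatting tags
// survive but no script, attribute or event handler can reach the browser.

// Assumed allowlist of harmless formatting tags.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'br']);

// Matches anything that looks like a tag: <name ...> or </name ...>.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^<>]*>/g;

// Escape the characters that can open or close markup inside plain text.
// '&' is deliberately left alone so an author-written entity such as &lt;
// survives and renders as '<', which is the escape form the maintainer
// recommends for special characters.
function escapeTextSegment(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Sanitize: split the input into tag-like chunks and plain text. A tag is
// kept only when its name is on the allowlist, and it is re-emitted bare
// (no attributes), so onmouseover=, href= and similar cannot survive.
// Everything else is dropped; text between tags is escaped.
function sanitizeDescription(html) {
  const s = String(html);
  let out = '';
  let last = 0;
  for (const m of s.matchAll(TAG_RE)) {
    out += escapeTextSegment(s.slice(last, m.index));
    const name = m[1].toLowerCase();
    if (ALLOWED_TAGS.has(name)) {
      out += m[0].startsWith('</') ? `</${name}>` : `<${name}>`;
    }
    last = m.index + m[0].length;
  }
  out += escapeTextSegment(s.slice(last));
  return out;
}

// Regression check a defender can run over stored or rendered values:
// true if any tag outside the allowlist is present.
function containsDisallowedTag(html) {
  for (const m of String(html).matchAll(TAG_RE)) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample descriptions (not taken from the issue).
const SAMPLES = {
  formatted: 'Overridden at runtime, see <b>pattern</b> below',
  entity: 'Use &lt;VAR&gt; as the placeholder',
  unmatched: 'threshold < 10 and > 0',
  script: 'hello <script>unwanted()</script> world',
  attribute: '<b onmouseover="x()">bold</b>',
};

// Sanitize every sample and return the results keyed by sample name.
function sanitizeAllSamples() {
  const result = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    result[name] = sanitizeDescription(value);
  }
  return result;
}

for (const [name, value] of Object.entries(sanitizeAllSamples())) {
  console.log(`${name}: ${value}`);
}
```

Note the asymmetry: escaping alone would also neutralize the author's own `&lt;` (it would show up literally), so the sanitizer passes `&` through untouched and only rewrites `<` and `>` in text segments. A production sanitizer should use a maintained HTML parser rather than a regex, but the allowlist-and-re-emit-bare approach shown here is the property that matters: whatever the input, the output can only contain the bare tags on the list.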

Type: Bug
Priority: Minor
Assignee: (none)
Affected Versions: 8.0.4
Issue Votes (0)
Watchers (3)
Reference: OD-1254