#1254 HTML tags are not escaped when displaying job parameter description
Released
bufferUnderrun opened 1 year ago

Hi,

There is a potential injection in the job parameter description.

I set a parameter definition with an HTML tag. Why: just to explain that this parameter will be overridden using the following pattern. [image.png]

When running the job, the parameters modal displays the raw description value. [image_2.png]

thanks

OneDev changed state to 'Closed' 1 year ago
Previous value: Open; current value: Closed
OneDev commented 1 year ago

State changed as code fixing the issue is committed (394c1a89)

OneDev changed state to 'Released' 1 year ago
Previous value: Closed; current value: Released
OneDev commented 1 year ago

State changed as build #3492 is successful

Robin Shen commented 1 year ago

Param description can still contain HTML tags in 8.0.7. However, it will be sanitized to avoid potential XSS attacks.

To use special HTML characters, use the escaped form, for instance &lt; for <.

Type: Bug
Priority: Minor
Assignee:
Affected Versions: 8.0.4
Issue Votes: 0
Watchers: 3
Reference: onedev/server#1254