Grouper / GRP-1222

XSS vulnerability in tooltips in new UI

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.2.0, 2.2.1, 2.2.2
    • Fix Version/s: 2.2.2.patch, 2.2.3, 2.3.0
    • Component/s: UI
    • Labels:
      None

      Description

      Data in tooltips in the new UI are escaped for HTML, but they need to be escaped twice. You need to change the templates that display Grouper objects to escape twice, like the commit in this Jira. You can either edit the grouper.text.en.us.base.properties file directly (per the commit), or install the patch (if you are on 2.2.2). If you are on 2.2.1, you can upgrade to 2.2.2 to get the patch.
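
Why one round of escaping is not enough for tooltip text, as an added example that is not Grouper's code or part of this ticket. It assumes the tooltip value is written into an HTML attribute and then inserted as HTML by the tooltip widget, so it is decoded twice; the function names and the sample group name are constructed.

```javascript
// Added example. Assumption: the template writes the tooltip text into an HTML
// attribute, and the tooltip widget later inserts that attribute value as HTML.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = Object.fromEntries(Object.entries(ESCAPES).map(([c, e]) => [e, c]));

// What the server-side template does to the value (once or twice).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// One pass of HTML entity decoding, limited to the five entities above.
function decodeOnce(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => UNESCAPES[e]);
}

// Pass 1: the HTML parser decodes the attribute value when the page loads.
// Pass 2: the widget inserts that value as HTML, so it is parsed again and
// any raw "<" that survived pass 1 starts an element instead of text.
function tooltipPipeline(attributeValue) {
  const valueSeenByWidget = decodeOnce(attributeValue);
  const hasLiveMarkup = /<[a-z!\/]/i.test(valueSeenByWidget);
  const renderedText = hasLiveMarkup ? null : decodeOnce(valueSeenByWidget);
  return { valueSeenByWidget, hasLiveMarkup, renderedText };
}

// Constructed sample: a group display name chosen by a user.
const displayName = 'R&D <script>alert(1)</script>';

function compareEscaping(name) {
  return {
    escapedOnce: tooltipPipeline(escapeHtml(name)),
    escapedTwice: tooltipPipeline(escapeHtml(escapeHtml(name))),
  };
}

console.log(compareEscaping(displayName));
```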

              People

              • Assignee:
                chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
                Reporter:
                chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)