XSS vulnerability in tooltips in new UI


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Fix Version/s: 2.2.2.patch, 2.2.3, 2.3.0
    • Affects Version/s: 2.2.0, 2.2.1, 2.2.2
    • Component/s: UI
    • Labels: None

      Data in tooltips in the new UI are escaped for HTML, but they need to be escaped twice. You need to change the templates that display grouper objects to escape twice like the commit in this jira. You can either edit the grouper.text.en.us.base.properties file directly (per the commit), or install the patch (if you are in 2.2.2). If you are in 2.2.1, you can upgrade to 2.2.2 to get the patch.
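The reason a single round of escaping is not enough is that the tooltip text goes through two HTML parses: once when the browser parses the attribute the template wrote it into, and again when the tooltip widget copies that attribute into the tooltip element as markup. The following is an added illustration, not Grouper's own code or templates; it assumes a widget that reads a `data-tooltip` attribute and writes it via `innerHTML` (the page does not name the widget or attribute), and the hostile group description is a constructed sample.

```javascript
// Added illustration (not Grouper code): why tooltip text that passes
// through an HTML attribute and then through a tooltip widget's innerHTML
// must be HTML-escaped twice.

// Escape the five HTML-significant characters, the way a template
// escaping helper does.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// What an HTML parser does to an attribute value or text node: decode
// entities exactly once. '&amp;' is handled last so that '&amp;lt;'
// yields the literal four characters '&lt;', not '<'.
function decodeEntitiesOnce(s) {
  return String(s)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Model of the rendering pipeline (assumed widget behaviour, not taken
// from the issue): the template writes the value into data-tooltip="...",
// the browser decodes it once when parsing the attribute, and the tooltip
// widget copies the attribute into the tooltip element via innerHTML,
// where the browser parses it a second time.
function renderTooltip(attributeValueInTemplate) {
  const afterAttributeParse = decodeEntitiesOnce(attributeValueInTemplate); // parse 1
  // Parse 2 (innerHTML): any '<' that survived parse 1 now opens a live
  // element such as <img onerror=...>, which is the XSS.
  const markupInjected = /<[a-z!\/]/i.test(afterAttributeParse);
  // What the user actually sees: tags are consumed as markup, entities
  // decoded a second time.
  const displayedText = decodeEntitiesOnce(afterAttributeParse.replace(/<[^>]*>/g, ''));
  return { markupInjected, displayedText };
}

// Constructed attacker-controlled group description (sample input).
const hostileDescription = 'Finance group <img src=x onerror=alert(1)> & "friends"';

// The two template variants: the original single escape and the fix.
function escapeOnce(v) { return escapeHtml(v); }
function escapeTwice(v) { return escapeHtml(escapeHtml(v)); }

// Runs both variants through the pipeline so they can be compared.
function compare() {
  return {
    once: renderTooltip(escapeOnce(hostileDescription)),   // markupInjected: true
    twice: renderTooltip(escapeTwice(hostileDescription)), // markupInjected: false, text intact
  };
}
```

The single-escaped value survives the attribute parse as raw `<img ...>` and becomes a live element when the widget writes it as markup; the double-escaped value reaches the widget as the literal text `&lt;img ...&gt;`, which the second parse turns back into harmless characters. The caveat is that this is only correct where the value really is parsed twice: a tooltip that sets `textContent` instead of `innerHTML`, or a label rendered directly into the page, parses once, and double-escaping there would show `&lt;` to the user.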

    • Assignee: Chris Hyzer (upenn.edu)
    • Reporter: Chris Hyzer (upenn.edu)
    • Votes: 0
    • Watchers: 1