dhis2-devs team mailing list archive
Message #43478
Re: [Bug 1549378] [NEW] Javascript allowed in OU names, v2.22
Yes, firing off arbitrary javascript is not a good thing.
It should probably be filtered on input and escaped on output, though
opinions vary a bit on approaches. I think these sorts of issues were
being targeted in the new metadata maintenance app.
On 25 February 2016 at 08:51, Knut Staring <knutst@xxxxxxxxx> wrote:
> Is this a security risk?
>
> On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <tharding@xxxxxxxxxxxxxx>
> wrote:
>
>> Public bug reported:
>>
>> Conducting a training and just had a user pop some javascript into the
>> org unit name which when the user revealed it in the org unit hierarchy
>> it would fire off the javascript. I tested this in firefox, the attached
>> file was the result.
>>
>> ** Affects: dhis2
>> Importance: Undecided
>> Status: New
>>
>> ** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
>>
>> https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png
>>
>> --
>> You received this bug notification because you are a member of DHIS 2
>> developers, which is subscribed to DHIS.
>> https://bugs.launchpad.net/bugs/1549378
>>
>> Title:
>> Javascript allowed in OU names, v2.22
>>
>> Status in DHIS:
>> New
>>
>> Bug description:
>> Conducting a training and just had a user pop some javascript into the
>> org unit name which when the user revealed it in the org unit
>> hierarchy it would fire off the javascript. I tested this in firefox,
>> the attached file was the result.
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help : https://help.launchpad.net/ListHelp
>>
>
>
> --
> Knut Staring
> Dept. of Informatics, University of Oslo
> Norway: +4791880522
> Skype: knutstar
> http://dhis2.org
>
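The "filter on input and escape on output" approach the reply above recommends, as an added example that is not DHIS2 code and not from anyone on this thread. It assumes a hypothetical hierarchy shape of `{ name, children }` and a hypothetical name length limit; the sample tree, including the node whose name carries a script tag, is constructed for the demonstration. Output escaping is the control that actually stops the stored name from becoming markup when the hierarchy is displayed; the input check is defence in depth on top of it.

```javascript
// Added example (not DHIS2 code): two layers of defence for org unit names.
// 1. Output encoding: every name is HTML-escaped at render time.
// 2. Input filtering: names containing markup are rejected at save time.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of an HTML text node or a
// quoted attribute value. A single pass over the original string, so '&'
// in the input is never double-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side check (hypothetical rule set): an org unit name has no
// legitimate reason to contain angle brackets, and must be non-empty and
// under an assumed limit of 230 characters.
function isValidOrgUnitName(name) {
  if (typeof name !== 'string') return false;
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 230) return false;
  return !/[<>]/.test(trimmed);
}

// Render a hierarchy (hypothetical shape: { name, children }) as nested
// <ul>/<li> markup. Names always pass through escapeHtml; the stored value
// is never concatenated into the markup raw.
function renderOrgUnitTree(unit) {
  const children = (unit.children || []).map(renderOrgUnitTree).join('');
  const childList = children ? `<ul>${children}</ul>` : '';
  return `<li>${escapeHtml(unit.name)}${childList}</li>`;
}

// Constructed sample tree: one child name carries a script tag, another
// carries quotes and an ampersand that must survive escaping intact.
const sampleTree = {
  name: 'National',
  children: [
    { name: 'District <script>alert(1)</script>', children: [] },
    { name: 'Clinic "A" & B', children: [] },
  ],
};

// Returns the names the input filter would reject before they are stored.
function rejectedNames(unit) {
  const own = isValidOrgUnitName(unit.name) ? [] : [unit.name];
  return own.concat(...(unit.children || []).map(rejectedNames));
}

// Stand-alone run: show the rendered markup and the rejected names.
console.log(renderOrgUnitTree(sampleTree));
console.log('rejected on input:', rejectedNames(sampleTree));
```

In the rendered output the script tag appears as literal text (`&lt;script&gt;`), so a browser shows the name as typed instead of executing it; the input check would have refused that name at save time, but escaping still protects names that were stored before the check existed.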