
dhis2-devs team mailing list archive

Re: [Bug 1549378] [NEW] Javascript allowed in OU names, v2.22


Yes, firing off arbitrary JavaScript is not a good thing.

It should probably be filtered on input and escaped on output, though
opinions vary a bit on approaches.  I think these sorts of issues were
being targeted in the new metadata maintenance app.

On 25 February 2016 at 08:51, Knut Staring <knutst@xxxxxxxxx> wrote:
> Is this a security risk?
>
> On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <tharding@xxxxxxxxxxxxxx>
> wrote:
>
>> Public bug reported:
>>
>> Conducting a training and just had a user pop some javascript into the
>> org unit name which when the user revealed it in the org unit hierarchy
>> it would fire off the javascript. I tested this in firefox, the attached
>> file was the result.
>>
>> ** Affects: dhis2
>>      Importance: Undecided
>>          Status: New
>>
>> ** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
>>
>> https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png
>>
>> --
>> You received this bug notification because you are a member of DHIS 2
>> developers, which is subscribed to DHIS.
>> https://bugs.launchpad.net/bugs/1549378
>>
>> Title:
>>   Javascript allowed in OU names, v2.22
>>
>> Status in DHIS:
>>   New
>>
>> Bug description:
>>   Conducting a training and just had a user pop some javascript into the
>>   org unit name which when the user revealed it in the org unit
>>   hierarchy it would fire off the javascript. I tested this in firefox,
>>   the attached file was the result.
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help   : https://help.launchpad.net/ListHelp
>>
>
>
> --
> Knut Staring
> Dept. of Informatics, University of Oslo
> Norway: +4791880522
> Skype: knutstar
> http://dhis2.org
>
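As an added illustration of the two approaches mentioned in the reply above (filter on input, escape on output), here is example code written for this archive page; it is not DHIS2 code and not part of the original thread. It models the bug as reported: an org unit name is stored as typed and later concatenated into the org unit tree markup, so a name containing an `<img onerror>` tag executes when the node is revealed. The `renderNode*` functions, the `ou1`/`ou2` ids, the 230-character limit and the payload string are all assumptions made for the example.

```javascript
// Added example, not DHIS2 code. Shows stored XSS via an org unit name and
// the two mitigations from the reply: escaping on output (the one that
// actually stops the bug) and filtering on input (defence in depth).

// Constructed payload: the kind of name a training user might type.
const PAYLOAD_NAME = '<img src=x onerror="alert(document.cookie)">';
// Constructed benign name that still contains a character HTML cares about.
const SAFE_NAME = 'Bo District & Sons';

// Vulnerable: the name is concatenated straight into HTML, as a tree widget
// built with innerHTML would do. The browser parses the <img> tag and runs
// the onerror handler as soon as the node is rendered.
function renderNodeVulnerable(orgUnit) {
  return `<li data-id="${orgUnit.id}">${orgUnit.name}</li>`;
}

// Output escaping: every character HTML gives meaning to becomes an entity,
// so the browser displays the payload as text instead of parsing it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Hardened: escape both the attribute value and the text node. Escaping
// belongs at the point of output; a name that was already escaped when it
// was stored would come out double-escaped here (&amp;lt;) and display wrongly.
function renderNodeSafe(orgUnit) {
  return `<li data-id="${escapeHtml(orgUnit.id)}">${escapeHtml(orgUnit.name)}</li>`;
}

// Input filtering: reject markup and control characters before the name
// reaches the database. The length limit is an assumption for the example;
// real org unit names need letters from many scripts, so this is a denylist
// of clearly hostile characters rather than an ASCII allowlist.
function validateOrgUnitName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 230) {
    return { ok: false, reason: 'name must be 1..230 characters' };
  }
  if (/[<>]/.test(name)) return { ok: false, reason: 'angle brackets not allowed' };
  if (/[\u0000-\u001f\u007f]/.test(name)) return { ok: false, reason: 'control characters not allowed' };
  return { ok: true };
}

// Audit helper for data that was entered before a fix: returns the ids of
// org units whose names look like markup or inline event handlers.
function findSuspiciousNames(orgUnits) {
  const suspicious = /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript:/i;
  return orgUnits.filter((ou) => suspicious.test(ou.name)).map((ou) => ou.id);
}

// Constructed sample hierarchy with one poisoned name.
const SAMPLE_ORG_UNITS = [
  { id: 'ou1', name: SAFE_NAME },
  { id: 'ou2', name: PAYLOAD_NAME },
];

for (const ou of SAMPLE_ORG_UNITS) {
  console.log('vulnerable:', renderNodeVulnerable(ou));
  console.log('safe:      ', renderNodeSafe(ou));
  console.log('validate:  ', JSON.stringify(validateOrgUnitName(ou.name)));
}
console.log('suspicious ids:', findSuspiciousNames(SAMPLE_ORG_UNITS));
```

The two checks complement each other: `validateOrgUnitName` stops new payloads at the API, while `renderNodeSafe` protects against names that bypass validation (imports, older data, other clients). Relying on input filtering alone leaves every name already in the database exploitable, which is why the audit helper is worth running once against existing metadata.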