Bug 7567 - HTML is not escaped correctly in template data (tlwebadm)
Summary: HTML is not escaped correctly in template data (tlwebadm)
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Administration
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.13.0
Assignee: Niko Lehto
URL:
Keywords: frifl_tester, relnotes
Depends on:
Blocks:
Reported: 2020-10-12 14:18 CEST by Niko Lehto
Modified: 2020-10-20 13:56 CEST

See Also:
Acceptance Criteria:


Attachments

Description Niko Lehto cendio 2020-10-12 14:18:18 CEST
When utilizing templating in webadmin, there are a few places where HTML code can be used in data and it will not be escaped properly (and is interpreted as HTML code).

This is not a recent regression, as this is a problem also in 4.12.

What I have found is:

* "Add new profile" in profile list. The "default name" field parses HTML code.

* "Add new terminal" - When given a location with a "bad name", this name will then
  be interpreted as HTML code.

* "Add new subcluster" in VSM settings. The "Agents" field will be interpreted as
  code.
Comment 2 Niko Lehto cendio 2020-10-14 11:10:21 CEST
I have now fixed the escaping in those three spots. While fixing this I found out that escaping was missing in a bunch of places, so I have fixed these too. For testing purposes, the areas that I have touched upon are:

>system health/home
>status/home
>status/licenses
>status/load
>status/sessions
>vsm/agent
>vsm/master
>vsm/subclusters
>profiles/home
>profiles/introduction
>profiles/profilelist
>locations/locations
>locations/terminals
>desktop/applications
>desktop/menustructure
Most of these contain escaping of error messages and various output.
So the tester should test pretty much all of tlwebadm, and try to input HTML like '<input></input>' wherever possible.

Also found an existing bug while testing my solution; this is unrelated to the changes I made, as it is present in 4.12. Filed a new report on it: Bug 7568
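The fix described in this comment (escape template data on output) and the probe the tester is asked to run (type '<input></input>' into every field and look for a rendered input box), as an added Python example. This is not tlwebadm's code: the three templates, their page names and field names are constructed stand-ins loosely modelled on the pages listed above, the defective renderer substitutes values verbatim, the fixed renderer runs every value through html.escape, and the probe compares each rendering against a harmless baseline so that a template which legitimately contains its own tags does not trigger a false alarm.

```python
import html
import re
from collections import Counter

# Constructed probe string: the same one the tester typed into every field in this bug.
CANARY = "<input></input>"

# Constructed templates loosely modelled on three of the pages named above.
# They are illustrative only and are not tlwebadm's real templates.
TEMPLATES = {
    "status/licenses": '<div class="error">Error: Not a positive integer ({days})</div>',
    "profiles/profilelist": '<input name="default_name" value="{default_name}">',
    "locations/terminals": "<p>Deleted terminal {name} at location {location}</p>",
}

TAG_RE = re.compile(r"<[^<>]+>")       # any complete <...> tag
FIELD_RE = re.compile(r"\{(\w+)\}")    # the {field} placeholders in a template
CANARY_TAGS = TAG_RE.findall(CANARY)   # ['<input>', '</input>']


def render_unescaped(template, data):
    """The defective behaviour: field values land in the page verbatim."""
    return template.format(**data)


def render_escaped(template, data):
    """The fix: escape every value on output. quote=True also covers attribute context."""
    safe = {key: html.escape(str(value), quote=True) for key, value in data.items()}
    return template.format(**safe)


def leaked_markup(baseline, rendered):
    """Canary tags that occur in the rendered page more often than in a harmless baseline.

    Comparing against a baseline rendering means a template that legitimately
    contains its own <input> tags does not produce a false alarm.
    """
    base = Counter(TAG_RE.findall(baseline))
    got = Counter(TAG_RE.findall(rendered))
    return sorted(tag for tag in CANARY_TAGS if got[tag] > base[tag])


def probe(render, template):
    """Put the canary into one field at a time and report fields whose markup survives."""
    fields = FIELD_RE.findall(template)
    harmless = {f: "harmless" for f in fields}
    baseline = render(template, harmless)
    leaks = {}
    for field in fields:
        data = dict(harmless, **{field: CANARY})
        tags = leaked_markup(baseline, render(template, data))
        if tags:
            leaks[field] = tags
    return leaks


def probe_all(render):
    """Run the probe over every page; a clean renderer yields an empty dict."""
    results = {}
    for page, template in TEMPLATES.items():
        leaks = probe(render, template)
        if leaks:
            results[page] = leaks
    return results


if __name__ == "__main__":
    print("unescaped:", probe_all(render_unescaped))
    print("escaped:  ", probe_all(render_escaped))
```

Running the probe against `render_unescaped` flags every field of every constructed template, while `render_escaped` comes back clean, which is the outcome the tester verifies by hand in the later comments. The canary only detects tag injection, matching the probe used in this bug; escaping with `quote=True` is what also keeps a value from breaking out of an attribute such as the `value="..."` in the profile-list template.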
Comment 4 Frida Flodin cendio 2020-10-20 09:13:04 CEST
Found one place where escaping was incorrect. In:
>system health/home
When trying to look up a non-existent User, the box with the error message is not red as it should be.

When doing the same with Group it looks correct.
Comment 6 Niko Lehto cendio 2020-10-20 11:15:26 CEST
Tested after changes and it works correctly now!
Comment 7 Frida Flodin cendio 2020-10-20 13:56:06 CEST
I can now verify that all user input is escaped correctly in webadmin. To summarize the testing, I tested entering HTML code like '<input></input>' everywhere I could.
Before, in some places, this was not correctly escaped and an HTML input box would be displayed instead of the text '<input></input>'. Now the text is displayed as it should be.

Details of what was tested:

>system health/home
* Tested:
User: <input></input>
Group: <input></input>
* Result:
Works fine


>status/licenses
* Tested:
Number of days back: <input></input>
* Result: 
Got correct error message: 
Error: Not a positive integer (<input></input>)


>vsm/subcluster
* Tested:
Add new subcluster. All fields 'Subcluster', 'Agents', 'Users' and 'Groups' are set to:
<input></input>
* Result: 
The name is automatically changed to '<input><_input>'. The rest of the text is correctly displayed. When looking in status/load the name is also correct.


>vsm/master
* Tested:
Fill all fields with '<input></input>' and save.
Also changed in conf.d: vsmserver.hconf:allowed_groups=<input></input>
                        shadowing.hconf:allowed_shadowers=<input></input> 
* Result:
Nothing weird happens. 


>vsm/agent
* Tested:
Set Agent Hostname to '<input></input>'
* Result:
Works fine


>profiles/introduction
* Tested:
Used '<input></input>' as both Language and text
* Result:
Worked fine to add and delete. But when reloading the page it is gone.
The input also spilled over into the input of profiles/profilelist. This is related to the problem with escaping '/', see Bug 5703.


>profiles/profilelist
* Tested:
Creating a new profile and setting 'Default Name' to '<input></input>'
* Result:
The escaping is correct. Also in the scroll down list 'Default Profile' the text is displayed correctly.


>locations/locations
* Tested:
Setting 'Description' field to '<input></input>', and saving.
* Result:
The correct text is displayed.


>locations/terminals
* Tested:
Add terminal with name '<input></input>' and then delete it.
* Result: 
All text is displayed correctly.


>desktop/appgroups
* Tested:
Created a group and named it '<input type="checkbox">' (avoiding '/'-character, see Bug 3586).
Entered '<input></input>' as group name and user name. Also entered '<input></input>' as activation command.
* Result: 
Works fine. All text is displayed correctly.
And nothing weird happens when I tried '<input></input>' as group, user and
command.


>desktop/applications
* Tested:
Entering '<input></input>' in all fields
* Result: 
Works fine both to save and delete. Looks correct.


>desktop/menustructure
* Tested:
'<input></input>' in all fields.
* Result:
Works fine both to save and delete, and looks correct.
Also tried to add a group to that menu; works fine. Looks correct from the main page in application groups.
