  1. JBoss BPMS Platform
  2. RHBPMS-4624

Task Filter List accepts HTML in the Name field which is rendered when deleting it


    • Bug
    • Resolution: Duplicate
    • Critical
    • 6.4.3
    • 6.4.0
    • Business Central

      In Business Central, go to Tasks. Click on the "+" button to create a new filtered list and then enter something that uses HTML tags, such as *<h1>test</h1>*. Now try to delete the list you just created and you should see that "test" will be shown as an HTML header in the confirmation dialog, indicating that the HTML code was interpreted.


      When you create a new task filtered list in Business Central, you can use HTML tags for the Name field. Later, when deleting it, the HTML is rendered. Although tags like script seem to be rejected, this could be an entry point for XSS attacks.
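
      The behaviour described above, sketched as an added example that is not part of the original report and is not Business Central code: a confirmation message built by concatenating the stored name into markup, the same message with the name HTML-encoded at output time, and a regression check that a name never changes the set of elements in the dialog. The function names and the dialog wording are assumptions; the sample value is the one from the reproduction steps.

```javascript
// Hypothetical names and dialog text; not taken from Business Central.

// Escape the five characters that can change HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern matching the report: the stored name is concatenated into markup,
// so any tags in it are interpreted by the browser.
function confirmDeleteUnsafe(filterName) {
  return '<p>Are you sure you want to delete the filter ' + filterName + '?</p>';
}

// Hardened form: the name is encoded for the HTML context when it is output.
function confirmDeleteSafe(filterName) {
  return '<p>Are you sure you want to delete the filter ' + escapeHtml(filterName) + '?</p>';
}

// List the element names (opening and closing tags) in a rendered fragment.
function tagNames(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Regression check: a user-supplied name must never change the element list
// compared with a plain-text name rendered through the same function.
function introducesMarkup(render, filterName) {
  const baseline = tagNames(render('x')).join(',');
  return tagNames(render(filterName)).join(',') !== baseline;
}

// Constructed sample input: the value used in the reproduction steps.
const sample = '<h1>test</h1>';
console.log(confirmDeleteUnsafe(sample));
console.log(confirmDeleteSafe(sample));
console.log('unsafe introduces markup:', introducesMarkup(confirmDeleteUnsafe, sample));
console.log('safe introduces markup:', introducesMarkup(confirmDeleteSafe, sample));
```

      Encoding at output covers every tag, not only the ones an input filter happens to reject; in a browser, assigning the name through textContent instead of innerHTML has the same effect.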

              kverlaen@redhat.com Kris Verlaenen
              rhn-support-wsiqueir William Siqueira
              Jan Hrcek (Inactive)
              Jan Hrcek (Inactive)