Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2020/02/21 03:34:00 UTC

[jira] [Resolved] (GUACAMOLE-955) Untranslated error strings from extensions must not be interpreted as HTML

     [ https://issues.apache.org/jira/browse/GUACAMOLE-955?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper resolved GUACAMOLE-955.
-----------------------------------
    Resolution: Fixed

> Untranslated error strings from extensions must not be interpreted as HTML
> --------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-955
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-955
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>            Reporter: Mike Jumper
>            Assignee: Mike Jumper
>            Priority: Minor
>             Fix For: 1.2.0
>
>
> The translation system that we use alongside AngularJS (angular-translate) suffers from an issue which allows interpretation of raw HTML if that HTML is within a translation key that does not exist:
> https://github.com/angular-translate/angular-translate/issues/1418
> This doesn't happen to have security implications in our case, as the behavior is isolated to error message rendering (it cannot be stored, can only be self-inflicted, and can only occur through manually interacting with the UI), but it really should be addressed. The current behavior makes it too easy for a carelessly-written extension to accidentally introduce an issue that _does_ have security implications.
> As untranslated errors are conveyed via JSON in a different way than translated errors, the client-side code should render errors in a way that avoids this entirely.
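The issue description above distinguishes two kinds of error payloads: a translatable message (a key plus variables, looked up in the translation table) and an untranslated raw string supplied by an extension. The following is an added example, not code from Guacamole or angular-translate, of a renderer that keeps the two paths separate: a key is only ever used for table lookup, and a raw message is treated as text, never as a translation key and never as HTML. The field names `translatableMessage`, `key`, `variables` and `message`, the `{NAME}` placeholder syntax, and the sample translation table are assumptions made for this illustration.

```javascript
// Added example (not Guacamole's or angular-translate's code). Renders an
// error object as plain text so that raw markup inside an untranslated
// message is never interpreted. The payload shape is an assumption:
//   { translatableMessage: { key, variables }, message }
// A constructed translation table stands in for the real one.
const translations = {
  'ERROR.NOT_FOUND': 'Resource "{NAME}" was not found.',
  'ERROR.GENERIC': 'An error occurred.'
};

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Fill {VAR} placeholders from the variables object. Unknown placeholders
// are left as-is; the result is still plain text, not markup.
function interpolate(template, variables) {
  return template.replace(/\{([A-Z0-9_]+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(variables, name)
      ? String(variables[name])
      : match);
}

// Produce the text a user should see. A translation key is used only for a
// table lookup: a key that does not exist in the table is NOT echoed back
// (that is the angular-translate behaviour the issue describes). An
// untranslated error contributes its message verbatim as text.
function errorToText(error, table) {
  const tm = error && error.translatableMessage;
  if (tm && typeof tm.key === 'string' &&
      Object.prototype.hasOwnProperty.call(table, tm.key)) {
    return interpolate(table[tm.key], tm.variables || {});
  }
  return (error && typeof error.message === 'string')
    ? error.message
    : 'Unknown error';
}

// For sinks that take HTML (innerHTML, server-side templates), escape the
// text first; the raw message is then displayed literally, tags and all.
function errorToHtml(error, table) {
  return escapeHtml(errorToText(error, table));
}

// Preferred sink: a text node. textContent never parses markup, so the
// plain text from errorToText is safe here without escaping.
function renderToElement(error, table, element) {
  element.textContent = errorToText(error, table);
  return element;
}

// Constructed sample payloads, as an extension might return them.
const sampleTranslated = {
  translatableMessage: { key: 'ERROR.NOT_FOUND', variables: { NAME: 'db' } },
  message: 'Resource db was not found.'
};
const sampleUntranslated = {
  translatableMessage: null,
  message: 'Extension failed: <b>raw</b> markup'
};
```

Usage: `errorToHtml(sampleUntranslated, translations)` yields `Extension failed: &lt;b&gt;raw&lt;/b&gt; markup`, so the markup is shown to the user as literal text, while `renderToElement(sampleUntranslated, translations, someElement)` reaches the same result by writing to `textContent`. The design point is that an untranslated message never enters the translation lookup at all, so the missing-key code path that angular-translate handles unsafely is never exercised.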



--
This message was sent by Atlassian Jira
(v8.3.4#803005)