[ https://issues.apache.org/jira/browse/NIFI-327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14311704#comment-14311704 ]

Aldrin Piri commented on NIFI-327:
----------------------------------

Not sure I follow or agree.

My interpretation is that when each item is retrieved from the REST endpoint, 
it is encoded via nf.Common.escapeHtml(documentedType.description) and stored 
in the processor types data view.  At this point, it seems that any part of the 
UI code should be able to trust the data stored in the DataView as being safe.  
If I am overlooking something, this may be the cause of my misunderstanding.

When it is then rendered in the view, it is treated as text via
$('#processor-type-description').text(processorType.description).ellipsis();

The jQuery API [1] provides that the text is escaped so that it formats 
correctly, but the text provided to this method has already been 
escaped/normalized when it was loaded into the data view.

I agree that the NARs could be created by bad actors, but is there some other 
vector not covered by the initial sanitizing of input when the data view is 
populated that would make the population of the description susceptible to 
exploitation?

[1] http://api.jquery.com/text/#text2

> Add Processor dialog improper HTML encoding of processor descriptions
> ---------------------------------------------------------------------
>
>                 Key: NIFI-327
>                 URL: https://issues.apache.org/jira/browse/NIFI-327
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 0.0.1, 0.0.2
>         Environment: OS X in Safari
> CentOS 7 in Firefox 
>            Reporter: Aldrin Piri
>            Priority: Minor
>         Attachments: html-encoding.png
>
>
> Will attach screenshot.
> When adding a processor via 'Add Processor', symbols in a processor's 
> description are being encoded when they do not need to be.  One 
> example is TransformXML that makes use of apostrophes which are encoded into 
> their HTML equivalent, '''
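The two encoding steps discussed in the comment above, modelled as an added example (this is not NiFi code; `escapeHtml` stands in for `nf.Common.escapeHtml` and is assumed to map `& < > " '` to entities, and `renderText` / `renderHtml` stand in for jQuery's `.text()` and `.html()`):

```javascript
// Added example, not from the NiFi code base. escapeHtml is an assumed stand-in
// for nf.Common.escapeHtml. renderText models jQuery .text(): the string becomes
// a text node and is displayed verbatim. renderHtml models jQuery .html(): the
// string is parsed as markup, so entities are decoded before display.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// .text(): whatever the caller passes is what the user sees.
function renderText(s) {
  return s;
}

// .html() for a string holding only the entities escapeHtml emits
// (a minimal decoder for the simulation, not a full HTML parser).
function renderHtml(s) {
  const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => DECODE[name]);
}

// The path in the report: escape when populating the DataView, then .text()
// on render. The entities survive to the screen, which is the visible bug.
function buggyPipeline(description) {
  const stored = escapeHtml(description);   // load into the processor types DataView
  return renderText(stored);                // $('#processor-type-description').text(stored)
}

// Fix A: store the raw description; .text() alone keeps markup inert.
function fixedStoreRaw(description) {
  return renderText(description);
}

// Fix B: keep the DataView value escaped and render it with .html().
function fixedRenderHtml(description) {
  return renderHtml(escapeHtml(description));
}

// Constructed sample descriptions (the TransformXML wording is illustrative).
const apostrophe = "Applies the provided XSLT file to the flowfile's XML content";
const markup = "<b>not markup</b> & <script>x</script>";

console.log(buggyPipeline(apostrophe));     // shows &#39; in place of the apostrophe
console.log(fixedStoreRaw(apostrophe));     // apostrophe shown as typed
console.log(fixedRenderHtml(markup));       // tags displayed as text, not interpreted
```

Both fixes display `markup` as literal text: the first because a text node never parses markup, the second because the only markup `.html()` sees is the entities `escapeHtml` produced.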



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)