Yes, firing off arbitrary javascript is not a good thing. It should probably be filtered on input and escaped on output, though opinions vary a bit on approaches. I think these sorts of issues were being targeted in the new metadata maintenance app.
On 25 February 2016 at 08:51, Knut Staring <knu...@gmail.com> wrote:
> Is this a security risk?
>
> On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <thard...@baosystems.com> wrote:
>
>> Public bug reported:
>>
>> Conducting a training and just had a user pop some javascript into the
>> org unit name which when the user revealed it in the org unit hierarchy
>> it would fire off the javascript. I tested this in firefox, the attached
>> file was the result.
>>
>> ** Affects: dhis2
>> Importance: Undecided
>> Status: New
>>
>> ** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
>> https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png
>>
>> --
>> You received this bug notification because you are a member of DHIS 2
>> developers, which is subscribed to DHIS.
>> https://bugs.launchpad.net/bugs/1549378
>>
>> Title:
>> Javascript allowed in OU names, v2.22
>>
>> Status in DHIS:
>> New
>>
>> Bug description:
>> Conducting a training and just had a user pop some javascript into the
>> org unit name which when the user revealed it in the org unit
>> hierarchy it would fire off the javascript. I tested this in firefox,
>> the attached file was the result.
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to : dhis2-devs@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help : https://help.launchpad.net/ListHelp
>
> --
> Knut Staring
> Dept. of Informatics, University of Oslo
> Norway: +4791880522
> Skype: knutstar
> http://dhis2.org
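As an added example of the escape-on-output (and optional filter-on-input) approach discussed in the reply, not DHIS2's own code: the nested-list markup, the `escapeHtml`/`renderHierarchy`/`validateOrgUnitName` functions and the sample tree are all constructed for illustration.

```javascript
// Added example, not DHIS2 code: render org unit names into a hierarchy so a
// name that was stored with markup is shown as text instead of being executed.

// Characters that are significant in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: the name is escaped in the text node and the id in the
// attribute, so stored markup cannot change the document structure.
// (Hypothetical <ul>/<li> markup, not the real DHIS2 tree widget.)
function renderHierarchy(node) {
  const children = (node.children || []).map(renderHierarchy).join('');
  const safeName = escapeHtml(node.name);
  const safeId = escapeHtml(node.id);
  const sub = children ? `<ul>${children}</ul>` : '';
  return `<li data-id="${safeId}">${safeName}${sub}</li>`;
}

// The same renderer without escaping: the behaviour the bug report describes,
// where the stored name is inserted into the page as raw HTML.
function renderHierarchyUnsafe(node) {
  const children = (node.children || []).map(renderHierarchyUnsafe).join('');
  const sub = children ? `<ul>${children}</ul>` : '';
  return `<li data-id="${node.id}">${node.name}${sub}</li>`;
}

// Optional input-side check (a constructed policy; the reply notes opinions
// vary): reject names carrying markup characters rather than silently altering them.
function validateOrgUnitName(name) {
  if (typeof name !== 'string' || name.trim().length === 0) return { ok: false, reason: 'empty' };
  if (/[<>]/.test(name)) return { ok: false, reason: 'markup characters not allowed' };
  return { ok: true };
}

// Constructed sample tree: one child name contains a script tag, as in the report.
const sampleTree = {
  id: 'ROOT01', name: 'Country',
  children: [
    { id: 'DIST01', name: 'District & Co', children: [] },
    { id: 'WARD07', name: "Ward 7 <script>alert('xss')</script>", children: [] },
  ],
};

console.log(renderHierarchy(sampleTree));
```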