Hello,

Previously, the alert() helper would consider any text passed to it as html_safe. This led to a CVE, where user-provided data was passed into the text field of the alert, leading to a possible stored XSS (cross-site scripting) vulnerability.

https://github.com/theforeman/foreman/pull/3996 was merged to fix this CVE, considering any text passed to the helper as unsafe by default and escaping it.

If you need to include HTML in the field text, please mark it as html_safe before passing it to the helper, and make sure to properly escape any possible user input in it. For some examples, take a look at the changes made to core in the merged commit.
--
Have a nice day,
Tomer Brisker
Red Hat Engineering
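An added illustration of the escape-by-default behaviour described in the message, written for this page and not taken from Foreman's code or the linked pull request. The `alert` helper, the `SafeString` stand-in for Rails' html_safe marker, and the user input are all constructed assumptions; the point is the difference between escaping user data before marking the string html_safe and marking raw user data html_safe.

```ruby
require "erb"

# Plain Strings are untrusted by default (mirrors Rails, where only a
# SafeBuffer answers html_safe? with true). Constructed for this example.
class String
  def html_safe?
    false
  end unless method_defined?(:html_safe?)
end

# Stand-in for a string the caller has explicitly marked html_safe.
class SafeString < String
  def html_safe?
    true
  end
end

# Simplified alert helper modelled on the post-fix behaviour: text is
# escaped unless the caller explicitly marked it html_safe.
def alert(text:, type: "warning")
  body = text.html_safe? ? text.to_s : ERB::Util.html_escape(text)
  %(<div class="alert alert-#{type}">#{body}</div>)
end

# Constructed stand-in for attacker-controlled stored data.
USER_INPUT = %(<script>alert("x")</script>)

# Default path: raw user input is escaped, so no markup reaches the page.
def default_alert
  alert(text: USER_INPUT)
end

# Caller needs markup in the alert: escape the user-supplied part first,
# then mark the assembled string html_safe (the pattern the message asks for).
def alert_with_markup
  html = %(<strong>Error:</strong> #{ERB::Util.html_escape(USER_INPUT)})
  alert(text: SafeString.new(html))
end

# Pre-fix pattern: marking unescaped user input html_safe reintroduces the XSS.
def unsafe_alert
  alert(text: SafeString.new(USER_INPUT))
end
```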
