[ 
https://issues.apache.org/jira/browse/GUACAMOLE-955?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mike Jumper reassigned GUACAMOLE-955:
-------------------------------------

    Assignee: Mike Jumper

> Untranslated error strings from extensions must not be interpreted as HTML
> --------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-955
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-955
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>            Reporter: Mike Jumper
>            Assignee: Mike Jumper
>            Priority: Minor
>
> The translation system that we use alongside AngularJS (angular-translate) 
> suffers from an issue which allows interpretation of raw HTML if that HTML is 
> within a translation key that does not exist:
> https://github.com/angular-translate/angular-translate/issues/1418
> This doesn't happen to have security implications in our case, as the 
> behavior is isolated to error message rendering (it cannot be stored, can 
> only be self-inflicted, and can only occur through manually interacting with 
> the UI), but it really should be addressed. The current behavior makes it too 
> easy for a carelessly-written extension to accidentally introduce an issue 
> that _does_ have security implications.
> As untranslated errors are conveyed via JSON in a different way than 
> translated errors, the client-side code should render errors in a way that 
> avoids this entirely.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)