[ https://issues.apache.org/jira/browse/GUACAMOLE-955?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper reassigned GUACAMOLE-955:
-------------------------------------

    Assignee: Mike Jumper

> Untranslated error strings from extensions must not be interpreted as HTML
> --------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-955
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-955
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>            Reporter: Mike Jumper
>            Assignee: Mike Jumper
>            Priority: Minor
>
> The translation system that we use alongside AngularJS (angular-translate)
> suffers from an issue which allows interpretation of raw HTML if that HTML is
> within a translation key that does not exist:
>
> https://github.com/angular-translate/angular-translate/issues/1418
>
> This doesn't happen to have security implications in our case, as the
> behavior is isolated to error message rendering (it cannot be stored, can
> only be self-inflicted, and can only occur through manually interacting with
> the UI), but it really should be addressed. The current behavior makes it too
> easy for a carelessly-written extension to accidentally introduce an issue
> that _does_ have security implications.
>
> As untranslated errors are conveyed via JSON in a different way than
> translated errors, the client-side code should render errors in a way that
> avoids this entirely.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
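An added example, not Guacamole's or angular-translate's code, of the rendering rule the issue asks for: a message that carries a translation key is looked up in the translation table, while a raw untranslated message is always emitted as escaped text, so a missing key can never turn into markup. The error JSON shape (`message` plus an optional `translatableMessage` with `key` and `variables`), the `TRANSLATIONS` table and both render functions are assumptions made for this example.

```javascript
// Example code, not from the Guacamole project. The error object shape and the
// translation table below are assumptions made for this illustration.
const TRANSLATIONS = {
  "LOGIN.ERROR_INVALID_LOGIN": "Invalid login",
  "EXT.ERROR_TIMEOUT": "Extension timed out after {{seconds}}s"
};

// Minimal stand-in for a translate filter that, like the behaviour the issue
// describes, falls back to returning the key itself when the key is unknown.
function translate(key, variables = {}) {
  const template = TRANSLATIONS[key];
  if (template === undefined) return key;
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) => String(variables[name] ?? ""));
}

// Escape a string for use in an HTML text context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// Unsafe rendering (the 'before'): every error is pushed through the translate
// filter and the result is treated as markup. An untranslated message that is
// not a known key comes back unchanged and any markup in it reaches the DOM.
function renderUnsafe(error) {
  const key = error.translatableMessage ? error.translatableMessage.key : error.message;
  return translate(key); // caller would assign this to innerHTML
}

// Safe rendering (the 'after'): only a translatableMessage is looked up; a raw
// untranslated message never enters the translation path and, in both cases,
// the result is emitted as escaped text rather than markup.
function renderSafe(error) {
  if (error.translatableMessage) {
    const { key, variables } = error.translatableMessage;
    return escapeHtml(translate(key, variables));
  }
  return escapeHtml(error.message);
}

// Constructed sample errors in the assumed JSON shape.
const translatedError = {
  message: "Extension timed out",
  translatableMessage: { key: "EXT.ERROR_TIMEOUT", variables: { seconds: 30 } }
};
const untranslatedError = { message: "Plugin failure: <b>not markup</b>" };
```

`renderSafe` treats translation strings themselves as text; a real deployment that wants markup inside translations would need a separate sanitization strategy for that table, which this example deliberately does not model.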