Mike Jumper created GUACAMOLE-955: ------------------------------------- Summary: Untranslated error strings from extensions must not be interpreted as HTML Key: GUACAMOLE-955 URL: https://issues.apache.org/jira/browse/GUACAMOLE-955 Project: Guacamole Issue Type: Bug Components: guacamole Reporter: Mike Jumper
The translation system that we use alongside AngularJS (angular-translate) suffers from an issue which allows interpretation of raw HTML if that HTML is within a translation key that does not exist: https://github.com/angular-translate/angular-translate/issues/1418 This doesn't happen to have security implications in our case, as the behavior is isolated to error message rendering (it cannot be stored, can only be self-inflicted, and can only occur through manually interacting with the UI), but it really should be addressed. The current behavior makes it too easy for a carelessly-written extension to accidentally introduce an issue that _does_ have security implications. As untranslated errors are conveyed via JSON in a different way than translated errors, the client-side code should render errors in a way that avoids this entirely. -- This message was sent by Atlassian Jira (v8.3.4#803005)