Mike Jumper created GUACAMOLE-955:
-------------------------------------
Summary: Untranslated error strings from extensions must not be
interpreted as HTML
Key: GUACAMOLE-955
URL: https://issues.apache.org/jira/browse/GUACAMOLE-955
Project: Guacamole
Issue Type: Bug
Components: guacamole
Reporter: Mike Jumper
The translation system that we use alongside AngularJS (angular-translate)
suffers from an issue which allows interpretation of raw HTML if that HTML is
within a translation key that does not exist:
https://github.com/angular-translate/angular-translate/issues/1418
This doesn't happen to have security implications in our case, as the behavior
is isolated to error message rendering (it cannot be stored, can only be
self-inflicted, and can only occur through manually interacting with the UI),
but it really should be addressed. The current behavior makes it too easy for a
carelessly-written extension to accidentally introduce an issue that _does_
have security implications.
As untranslated errors are conveyed via JSON in a different way than translated
errors, the client-side code should render errors in a way that avoids this
entirely.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
