Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support using <> lessthan/greater than characters in device description #5558

Open
sgvfr opened this issue Nov 8, 2023 · 6 comments
Open
Labels
enhancement General tag for an enhancement

Comments

@sgvfr
Copy link

sgvfr commented Nov 8, 2023

Describe the bug

using Cacti 1.3

If using <> in a device description, the characters display as escape characters in dropdown menus

To Reproduce

Steps to reproduce the behavior:

  1. edit a device description

  2. include a less than or greater than symbol "< or >, <>"

  3. go to "Management/Graphs"

  4. display dropdown menu, if the device is "selected" it displays correctly, other devices show the escape characters for lt/gt

Expected behavior

Display lt/gt symbols in the device names while unselected in a dropdown menu.

Screenshots

image

@sgvfr sgvfr added bug Undesired behaviour unverified Some days we don't have a clue labels Nov 8, 2023
@TheWitness
Copy link
Member

Yea, we currently don't support this due to all the potential XSS and injection possibilities. So, I'm going to mark "will not fix" for now. Sorry about that. It might always change, but not before the 1.3 release.

@TheWitness TheWitness added no plans This is a feature request that can or will not be implemented support Support related issue and removed bug Undesired behaviour unverified Some days we don't have a clue labels Nov 13, 2023
@TheWitness TheWitness closed this as not planned Won't fix, can't repro, duplicate, stale Nov 13, 2023
@TheWitness
Copy link
Member

Feel free to continue to comment.

@sgvfr
Copy link
Author

sgvfr commented Nov 13, 2023

Fair enough, can we move this to feature suggestion/enhancement instead of a bug?

@TheWitness
Copy link
Member

Yea, I think so.

@TheWitness TheWitness reopened this Nov 14, 2023
@TheWitness TheWitness added enhancement General tag for an enhancement and removed no plans This is a feature request that can or will not be implemented support Support related issue labels Nov 14, 2023
@TheWitness TheWitness changed the title using <> lessthan/greater than characters in device description Support using <> lessthan/greater than characters in device description Nov 14, 2023
@netniV
Copy link
Member

netniV commented Nov 17, 2023

Personally, I think we should just not support this. Primarily because it imitates HTML tags.

@TheWitness
Copy link
Member

There is a way to achieve that by performing a re-write of the html_escape() function using the library that our security researchers are recommending. But it's likely going to have to be in the develop branch due to the dependency to support the old RHEL7 stuff in 1.2.x Cacti version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement General tag for an enhancement
Projects
None yet
Development

No branches or pull requests

3 participants