Uploaded image for project: 'Guacamole'
  1. Guacamole
  2. GUACAMOLE-955

Untranslated error strings from extensions must not be interpreted as HTML

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 1.2.0
    • guacamole
    • None

    Description

      The translation system that we use alongside AngularJS (angular-translate) suffers from an issue which allows interpretation of raw HTML if that HTML is within a translation key that does not exist:

      https://github.com/angular-translate/angular-translate/issues/1418

      This doesn't happen to have security implications in our case, as the behavior is isolated to error message rendering (it cannot be stored, can only be self-inflicted, and can only occur through manually interacting with the UI), but it really should be addressed. The current behavior makes it too easy for a carelessly-written extension to accidentally introduce an issue that does have security implications.

      As untranslated errors are conveyed via JSON in a different way than translated errors, the client-side code should render errors in a way that avoids this entirely.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. GUACAMOLE-1007 Translation strings for TOTP are not rendered

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            People

              mjumper Mike Jumper
              mjumper Mike Jumper
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: