Bug #13387
Status: closed
Input validation is not rejecting invalid description characters when editing a CA or Certificate
% Done: 100
Description
When editing an existing CA or Certificate, the description is not validated on save the way it is validated during other actions (create, sign, etc.).
There are some instances where the description is displayed without encoding as it's assumed to be validated, which means there is a potential for XSS there (e.g. save messages, Issuer column displaying the CA name, perhaps others), so we should encode those for good measure in addition to the validation.
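The two-layer fix the report describes (the same character check on every save path, plus HTML encoding wherever the value is displayed), as an added illustration that is not pfSense code; the allowed character set, the function names and the sample certificate record are assumptions for the example.

```php
<?php
// Added example, not pfSense code: the same description check must run on
// every save path (create, edit, sign), and output is HTML-encoded even when
// the stored value is believed to have been validated.

// ASSUMPTION: this allow-list is illustrative only; the characters pfSense
// actually rejects are the ones listed in the field's help text.
function validate_description(string $desc, array &$input_errors): bool {
    if (!preg_match('/^[A-Za-z0-9 ._-]*$/', $desc)) {
        $input_errors[] = 'The description contains invalid characters.';
        return false;
    }
    return true;
}

// Encode at the point of display (save messages, Issuer column, etc.).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Create and edit share one save routine, so the check cannot be skipped on
// the edit path, which is the gap this ticket reports.
function save_cert_description(array $cert, string $new_desc, array &$input_errors): array {
    if (!validate_description($new_desc, $input_errors)) {
        return $cert; // rejected: stored entry stays unchanged
    }
    $cert['descr'] = $new_desc;
    return $cert;
}

// Constructed sample: an edit that submits markup in the description.
$errors = [];
$cert = ['descr' => 'Web Server Cert'];
$cert = save_cert_description($cert, '<script>alert(1)</script>', $errors);
assert($cert['descr'] === 'Web Server Cert' && count($errors) === 1);

// Accepted values are still encoded on output, so any future gap in the
// validation cannot turn into script execution in the UI.
echo 'Saved certificate: ' . h($cert['descr']) . "\n";
echo h('Issuer: <CA>') . "\n";
```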
Updated by Jim Pingle over 2 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 2fe0e0fab528be3e297ed14ddd9d9e73c99cc1c4.
Updated by Danilo Zrenjanin over 2 years ago
Tested the patch against:
2.7.0-DEVELOPMENT (amd64) built on Fri Jul 29 06:15:24 UTC 2022 FreeBSD 12.3-STABLE
It works as expected. A help text with allowed or forbidden characters for that field would be helpful there.
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to In Progress
I'll add the list of invalid characters to the help text for those fields.
Updated by Jim Pingle almost 2 years ago
- Status changed from In Progress to Feedback
Applied in changeset f16d3f4d3f466bb1fca84c754e51fbaa1b9e48ba.
Updated by Danilo Zrenjanin almost 2 years ago
- Status changed from Feedback to Resolved
Tested against:
23.01-DEVELOPMENT (amd64) built on Fri Dec 02 06:04:48 UTC 2022 FreeBSD 14.0-CURRENT
It does the input validation when editing the existing CA or Certificate. I am marking this ticket resolved.