Bug #13387
closed
Input validation is not rejecting invalid description characters when editing a CA or Certificate
Added by Jim Pingle over 3 years ago.
Updated about 3 years ago.
Plus Target Version: 23.01
Description
When editing an existing CA or Certificate, the description is not validated on save the way it is validated during other actions (create, sign, etc).
There are some instances where the description is displayed without encoding as it's assumed to be validated, which means there is a potential for XSS there (e.g. save messages, Issuer column displaying the CA name, perhaps others), so we should encode those for good measure in addition to the validation.
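The two-layer fix described above (one validator shared by every save path, plus output encoding wherever the value is rendered), as an added illustration that is not pfSense's code: the function names `validate_descr`, `save_ca`, `h` and `render_issuer_cell`, the in-memory `$store` standing in for the config, and the forbidden-character list are all assumptions for this example, not pfSense's actual list or API.

```php
<?php
/*
 * Added example, not pfSense code. Both the "create" and "edit" paths go
 * through the same save routine, so neither can skip validation, and every
 * rendering site encodes the description, so a value that slipped past
 * validation elsewhere (e.g. a record saved before the edit path validated)
 * still cannot inject markup. Names and the forbidden list are assumptions.
 */

// Characters the hypothetical validator rejects in a description (assumed list).
const DESCR_FORBIDDEN_CHARS = ['<', '>', '"', "'", '&', "\\"];

// Returns a list of error messages; an empty array means the value is acceptable.
function validate_descr(string $descr): array {
    $errors = [];
    foreach (DESCR_FORBIDDEN_CHARS as $c) {
        if (strpos($descr, $c) !== false) {
            $errors[] = sprintf('The description may not contain the character %s.', $c);
        }
    }
    if ($errors === [] && trim($descr) === '') {
        $errors[] = 'The description is required.';
    }
    return $errors;
}

// One save routine used for both create ($refid === null) and edit, so the
// validation cannot be forgotten on one of the two paths. $store is an
// in-memory stand-in for the configuration, keyed by refid.
function save_ca(array &$store, ?string $refid, array $post): array {
    $errors = validate_descr($post['descr'] ?? '');
    if ($errors) {
        return $errors;
    }
    $refid = $refid ?? bin2hex(random_bytes(8));
    $store[$refid]['descr'] = $post['descr'];
    return [];
}

// Output encoding for HTML body and attribute contexts; used for the save
// message, the Issuer column and any other place the description is shown.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_issuer_cell(string $descr): string {
    return '<td>' . h($descr) . '</td>';
}

function render_save_message(string $descr): string {
    return '<div class="alert">Saved CA ' . h($descr) . '</div>';
}

// Demonstration with a constructed payload.
$store   = ['abc123' => ['descr' => 'Internal CA']];
$payload = ['descr' => '<script>alert(1)</script>'];

// Create path: rejected.
foreach (save_ca($store, null, $payload) as $e) {
    echo "create: $e", PHP_EOL;
}
// Edit path: rejected as well, because it shares the validator.
foreach (save_ca($store, 'abc123', $payload) as $e) {
    echo "edit: $e", PHP_EOL;
}

// A legacy record that already holds an unvalidated value (constructed) is
// rendered through h() and comes out as inert text rather than markup.
$store['legacy'] = ['descr' => '<img src=x onerror=alert(1)>'];
echo render_issuer_cell($store['legacy']['descr']), PHP_EOL;
echo render_save_message($store['legacy']['descr']), PHP_EOL;
```

The point of keeping both layers is that validation guards the data that gets written, while encoding guards the data that already exists; the bug above shows what happens when a single path (edit) bypasses the first layer and the second layer was assumed rather than applied.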
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:2fe0e0fab528be3e297ed14ddd9d9e73c99cc1c4.
Tested the patch against:
2.7.0-DEVELOPMENT (amd64)
built on Fri Jul 29 06:15:24 UTC 2022
FreeBSD 12.3-STABLE
It works as expected. A help text with allowed or forbidden characters for that field would be helpful there.
- Plus Target Version changed from 22.11 to 23.01
- Status changed from Feedback to In Progress
I'll add the list of invalid characters to the help text for those fields.
- Status changed from In Progress to Feedback
Applied in changeset commit:f16d3f4d3f466bb1fca84c754e51fbaa1b9e48ba.
- Status changed from Feedback to Resolved
Tested against:
23.01-DEVELOPMENT (amd64)
built on Fri Dec 02 06:04:48 UTC 2022
FreeBSD 14.0-CURRENT
It does the input validation when editing the existing CA or Certificate. I am marking this ticket resolved.
- Private changed from Yes to No