
names of some users are stored with HTML entities #729

Closed
ElectricNroff opened this issue Jun 14, 2022 · 1 comment · Fixed by #943
@ElectricNroff (Contributor)

Using the PUT /org/{shortname}/user/{username} endpoint with a query string of

```
name.first=Walter&name.last=O'Reilly
```

results in a response containing

```
"name":{"first":"Walter","last":"O&#x27;Reilly",
```

because of escape() in

```js
query(['name.last']).optional().isString().trim().escape(),
```

It's unclear why the HTML entity is used for the quote character in O'Reilly. There is no documentation stating that some parts of API responses are supposed to be interpreted as HTML.

If a client application receives a list of users and their names, it should probably be the client's responsibility to encode the data in a way that is valid and safe for the specific context. The server doesn't comprehensively ensure safe content for all possible client contexts, e.g., the CVE Services code does not prevent use of

```
javascript:alert(document.domain)
```

in the name.last field, and does not modify that string in any way. Having the server send HTML entities to the client makes it harder for the client to do input validation, e.g., the client would need to know the places in which double encoding must be avoided.
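Added example, not code from the CVE Services project: it contrasts the server-side `escape()` behaviour reported above with storing the validated raw value and encoding once at each client sink. The escape table (an approximation of what validator.js emits), the three sinks and all function names are assumptions.

```javascript
// Added example, not CVE Services code. It contrasts escaping at the API
// boundary (the behaviour the issue reports) with storing the validated raw
// value and encoding at each client sink. All function names are assumed.

// Minimal HTML escaper of the kind express-validator's escape() applies.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Shared input validation: type check and trim, nothing context-specific.
function validateName(value) {
  if (typeof value !== 'string') throw new TypeError('name must be a string');
  const trimmed = value.trim();
  if (trimmed.length === 0) throw new RangeError('name must not be empty');
  return trimmed;
}

// Server as reported: escapes before storing, so the database and the
// JSON response carry HTML entities.
function storeEscaped(value) {
  return escapeHtml(validateName(value));
}

// Server after the fix: the raw, validated name is stored and returned.
function storeRaw(value) {
  return validateName(value);
}

// Client sink 1: a text node (e.g. element.textContent). No encoding is
// needed, so whatever the server sent is shown literally.
function renderAsText(stored) {
  return stored;
}

// Client sink 2: an HTML fragment. The client encodes here, exactly once.
function renderAsHtml(stored) {
  return `<td>${escapeHtml(stored)}</td>`;
}

// Client sink 3: a link target. Entity escaping cannot help here; the client
// must restrict the scheme, otherwise javascript: URLs survive untouched.
function renderAsHref(stored) {
  let url;
  try { url = new URL(stored); } catch { return '#'; }
  return ['http:', 'https:'].includes(url.protocol) ? url.href : '#';
}
```

With escaped storage the text sink shows `O&#x27;Reilly` literally and the HTML sink double-encodes it to `O&amp;#x27;Reilly`; with raw storage each sink encodes correctly for its own context.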

@slubar (Contributor)

slubar commented Dec 7, 2022

Also updating user creation and org create and update to ensure that no HTML entities for names are added to the database or included in the http response

jdaigneau5 added a commit that referenced this issue Dec 9, 2022
#729 decode HTML entities in names prior to storing in the database and sending http response
brettp added a commit that referenced this issue Dec 19, 2022