
displayname of the user can contain HTML tags and the string is not filtered in some views #11705

Status: Closed
individual-it opened this issue Sep 30, 2024 · 3 comments · Fixed by #11706
Labels: Priority:p2-high (Escalation, on top of current planning, release blocker), Type:Bug (Something isn't working)

@individual-it (Member)

Describe the bug

The string from 'first and lastname' of a user is shown unfiltered in the notifications.
Luckily only the admin can set that data.

Steps to reproduce

  1. as admin set the first and lastname of einstein to <a href="http://jankari.tech">einstein</a>
  2. as einstein share a folder to marie
  3. as marie check the notifications

Expected behavior

the HTML string should be encoded as e.g. the sharing dialog
[screenshot]

Actual behavior

a link is rendered in the notifications
[screenshot]

Setup

Version: 6.4.0
Web client version: 10.2.0
@individual-it individual-it added the Type:Bug Something isn't working label Sep 30, 2024
@individual-it (Member, Author)

Same thing happens in activities with ocis 6.5.0 & Web UI 10.3.0.
[screenshot]

@individual-it individual-it changed the title displayname of the user can contain HTML tags and the string is not filtered in the notifications view displayname of the user can contain HTML tags and the string is not filtered in some views Oct 2, 2024
@jvillafanez (Member)

Just in case @kulmann isn't aware of this ticket. As far as I know, this needs to be fixed in web.
There are no restrictions on what chars can be in the displayname, so it's up to the client (web in this case) to figure out how to represent all those chars. For example, if we wanted to export the list of users in a CSV file, it would be up to the export tool to escape the commas that could be present in the displayname.

@kulmann kulmann transferred this issue from owncloud/ocis Oct 2, 2024
@kulmann kulmann added the Priority:p2-high Escalation, on top of current planning, release blocker label Oct 2, 2024
@kulmann kulmann moved this from Qualification to Prio 2 in Infinite Scale Team Board Oct 2, 2024
@AlexAndBear AlexAndBear self-assigned this Oct 2, 2024
@AlexAndBear (Contributor)

Needs HTML escape in the respective views, e.g. ActivitiesPanel.
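The fix the comments point at, as an added illustration that is not code from the ownCloud web repository: an HTML-escaping helper, the vulnerable string-interpolation rendering beside its escaped counterpart, and a small check that flags whether tags from an untrusted display name survive into the rendered markup. The function names, the folder name and the message wording are assumptions; the display name value is the one from the reproduction steps.

```javascript
// Added example, not the ownCloud web code base. Demonstrates why a user-
// controlled display name must be HTML-escaped before it is interpolated
// into notification or activity markup.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that carries meaning in an HTML text or
// attribute context, so the browser renders it as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable variant (the behaviour reported in the issue): the display
// name is interpolated verbatim, so markup inside it is rendered as markup.
function renderShareNotificationUnsafe(displayName, folder) {
  return `<p>${displayName} shared <strong>${folder}</strong> with you</p>`;
}

// Fixed variant: every user-controlled field is escaped; only the
// template's own <p>/<strong> markup reaches the DOM.
function renderShareNotification(displayName, folder) {
  return `<p>${escapeHtml(displayName)} shared <strong>${escapeHtml(folder)}</strong> with you</p>`;
}

// Check helper: does any tag present in the untrusted input appear
// unchanged in the rendered output? Useful as a unit-test assertion.
function leaksMarkup(rendered, untrustedInput) {
  const tags = untrustedInput.match(/<[^>]+>/g) || [];
  return tags.some((tag) => rendered.includes(tag));
}

// Constructed input: the display name from the reproduction steps.
const displayName = '<a href="http://jankari.tech">einstein</a>';
const folder = "Photos"; // assumed folder name

console.log("unsafe leaks markup:", leaksMarkup(renderShareNotificationUnsafe(displayName, folder), displayName));
console.log("fixed leaks markup: ", leaksMarkup(renderShareNotification(displayName, folder), displayName));
```

In a Vue template, `{{ }}` interpolation performs this escaping automatically; `v-html` and hand-built HTML strings do not, which is the path to audit in the affected views.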
