SonarQube / SONAR-3406

Missing HTML escape in "Edit rule" page in Quality profiles for rule parameters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.14
    • Fix Version/s: 3.1
    • Component/s: Web
    • Labels:
      None

      Description

      Rule parameters are not properly HTML escaped when shown in the "Edit rule" page.

      This results in HTML code which looks like:

      <input type="text" name="rule_param[xpathQuery]" value="//IDENTIFIER[@tokenValue = "a"]"></input>

      Which has two side-effects:

      • The interface is not usable in every situation (for example, when writing XPath queries, whose double quotes terminate the attribute early)
      • It allows XSS injection

      The current workaround is to edit rule parameters on the previous page one by one, and use the "Update" button for each of them.
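To show the two side-effects side by side, the following added example (not SonarQube's own code) renders the page's sample parameter the way the bug does and the way an attribute-escaped template does, then reads the value back the way a browser terminates an attribute. The SonarQube web UI of that era was Rails-based, so Ruby's `CGI.escapeHTML` stands in for the template helper; the function names are assumptions.

```ruby
require 'cgi'

# Constructed sample value, copied from the issue description: an XPath
# query that legitimately contains double quotes.
XPATH_PARAM = '//IDENTIFIER[@tokenValue = "a"]'

# The pattern the bug describes: the parameter value is interpolated into
# value="..." as-is, so the inner quotes end the attribute early and anything
# after them is parsed as new markup.
def render_param_unescaped(name, value)
  %(<input type="text" name="rule_param[#{name}]" value="#{value}"></input>)
end

# Hardened form: HTML-escape every dynamic piece before placing it in an
# attribute. CGI.escapeHTML turns &, <, >, " and ' into character references,
# so the browser decodes the full string back as the attribute value.
def render_param_escaped(name, value)
  %(<input type="text" name="rule_param[#{CGI.escapeHTML(name)}]" value="#{CGI.escapeHTML(value)}"></input>)
end

# Number of literal double quotes in the tag. A well-formed tag with three
# attributes has exactly six; any more means the attribute boundary broke.
def attribute_quote_count(tag)
  tag.count('"')
end

# What the browser sees as the value attribute: the text up to the next
# literal quote, with character references decoded. For the unescaped tag
# this is truncated; for the escaped tag it is the original parameter.
def value_seen_by_browser(tag)
  raw = tag[/value="([^"]*)"/, 1]
  CGI.unescapeHTML(raw)
end
```

The truncated value is the "interface not usable" symptom; the same broken boundary is what lets attacker-chosen parameter text become markup, which escaping removes.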

            People

            Assignee:
            dgageot David Gageot
            Reporter:
            dinesh.bolkensteyn Dinesh Bolkensteyn (Inactive)