
FilterComponent - html injection


    Details

    • Type: Bug
    • Status: Closed
    • Severity: Urgent
    • Resolution: Fixed
    • Affects Version/s: 16.01.22
    • Fix Version/s: 7.0.0 GA, 6.1-16.08.18
    • Component/s: None
    • Labels: None
    • Story Points: 0
    • Notice:
      When an issue is open, the "Fix Version/s" field conveys a target, not necessarily a commitment. When an issue is closed, the "Fix Version/s" field conveys the version that the issue was fixed in.
    • Steps to Reproduce:
      Import the .zip file and run the dashboard.

      Description

      The CDE FilterComponent allows HTML injection when rendering its Mustache templates.

      A possible workaround is to override the templates using Advanced Options:

      // Advanced Options override for the FilterComponent item templates.
      // Every data tag below uses double mustaches ({{label}}, {{value}},
      // {{header}}, ...), which Mustache HTML-escapes on output, so any markup
      // carried in item data is rendered as literal text instead of as HTML.
      function options() {
          return {
              component: {
                  Item: {
                      view: {
                          templates: {
                              selection: '' +
                                  '<div class="filter-item-container' +
                                  '            {{#isPartiallySelected}} some-selected{{/isPartiallySelected}}' +
                                  '            {{^isPartiallySelected}}' +
                                  '              {{#isSelected}} all-selected{{/isSelected}}' +
                                  '              {{^isSelected}} none-selected{{/isSelected}}' +
                                  '            {{/isPartiallySelected}}">' +
                                  '  {{#header}}' +
                                  '    <div class="filter-item-header"> {{header}} </div>' +
                                  '  {{/header}}' +
                                  '  <div class="filter-item-body">' +
                                  '    {{item}}' +
                                  '    <div class="filter-item-selection-icon">' +
                                  '      <div />' +
                                  '    </div>' +
                                  '    {{#showButtonOnlyThis}}' +
                                  '      <span class="filter-item-only-this">{{strings.btnOnlyThis}}</span>' +
                                  '    {{/showButtonOnlyThis}}' +
                                  '    <div class="filter-item-label" title="{{label}}">{{label}}</div>' +
                                  '    {{#showValue}}' +
                                  '      <div class="filter-item-value">{{value}}</div>' +
                                  '    {{/showValue}}' +
                                  '  </div>' +
                                  '  {{#footer}}' +
                                  '    <div class="filter-item-footer">{{footer}}</div>' +
                                  '  {{/footer}}' +
                                  '</div>',

                              // The skeleton template is overridden with the same escaped markup.
                              skeleton: '' +
                                  '<div class="filter-item-container' +
                                  '            {{#isPartiallySelected}} some-selected{{/isPartiallySelected}}' +
                                  '            {{^isPartiallySelected}}' +
                                  '              {{#isSelected}} all-selected{{/isSelected}}' +
                                  '              {{^isSelected}} none-selected{{/isSelected}}' +
                                  '            {{/isPartiallySelected}}">' +
                                  '  {{#header}}' +
                                  '    <div class="filter-item-header"> {{header}} </div>' +
                                  '  {{/header}}' +
                                  '  <div class="filter-item-body">' +
                                  '    {{item}}' +
                                  '    <div class="filter-item-selection-icon">' +
                                  '      <div />' +
                                  '    </div>' +
                                  '    {{#showButtonOnlyThis}}' +
                                  '      <span class="filter-item-only-this">{{strings.btnOnlyThis}}</span>' +
                                  '    {{/showButtonOnlyThis}}' +
                                  '    <div class="filter-item-label" title="{{label}}">{{label}}</div>' +
                                  '    {{#showValue}}' +
                                  '      <div class="filter-item-value">{{value}}</div>' +
                                  '    {{/showValue}}' +
                                  '  </div>' +
                                  '  {{#footer}}' +
                                  '    <div class="filter-item-footer">{{footer}}</div>' +
                                  '  {{/footer}}' +
                                  '</div>'
                          }
                      }
                  }
              }
          };
      }
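      The following is an added illustration, not CDE project code: a deliberately minimal Mustache-style renderer (variable tags only, no sections) that shows why the workaround's double-mustache tags stop markup in item data from being rendered as HTML. The raw `{{{label}}}` form of the label line is assumed here to illustrate the issue; the sample item is constructed.

```javascript
// Added example (not CDE code). Minimal Mustache-style variable rendering:
// {{{name}}} inserts the value raw, {{name}} inserts it HTML-escaped.

// Same character set mustache.js escapes inside {{...}} tags.
const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"'`=\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Resolve dotted names such as "strings.btnOnlyThis" against the view data.
function lookup(data, name) {
  return name.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}

// Render variable tags only (sections like {{#header}} are left untouched).
// Triple mustaches are handled first so the double-mustache pass cannot match inside them.
function renderVars(template, data) {
  return template
    .replace(/\{\{\{\s*([\w.]+)\s*\}\}\}/g, (_, name) => {
      const v = lookup(data, name);
      return v == null ? '' : String(v);
    })
    .replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, name) => {
      const v = lookup(data, name);
      return v == null ? '' : escapeHtml(v);
    });
}

// Label line with raw interpolation (assumed vulnerable form) and as the
// workaround above writes it (escaped form).
const RAW_LABEL_TEMPLATE = '<div class="filter-item-label" title="{{{label}}}">{{{label}}}</div>';
const SAFE_LABEL_TEMPLATE = '<div class="filter-item-label" title="{{label}}">{{label}}</div>';

// Constructed filter item whose label carries markup, as a data source might supply it.
const SAMPLE_ITEM = { label: 'West <b>region</b>', value: '42' };

function renderRawLabel(item = SAMPLE_ITEM) { return renderVars(RAW_LABEL_TEMPLATE, item); }
function renderSafeLabel(item = SAMPLE_ITEM) { return renderVars(SAFE_LABEL_TEMPLATE, item); }

// Detection check: true when the <b> element from the data survived into the output.
function containsDataMarkup(html) { return /<b\b/.test(html); }
```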
      

    People

    • Assignee: Darya Baranovich (DBaranovich, inactive)
    • Reporter: Kleyson de Sousa Rios (krios, inactive)
    • Votes: 1
    • Watchers: 9