
[OBS-1882] CLONE - Restore ability to use HTML in login_message

Details

    • Type: Bug
    • Resolution: Incomplete
    • Priority: Minor
    • Professional Edition
    • Web Interface

    Description

      Revision 6273 added escape_html() to login_message, removing our ability to use HTML in the login warning.

      Please revert this change:

      @@-83,7 +83,7@@

      if (isset($config['login_message']))

      { - echo('<div class=row><div class="col-md-6 col-md-offset-3"><div style="margin-top: 10px;text-align: center; font-weight: bold; color: #cc0000;">'.$config['login_message'].'</div></div></div>'); + echo('<div class=row><div class="col-md-6 col-md-offset-3"><div style="margin-top: 10px;text-align: center; font-weight: bold; color: #cc0000;">'.escape_html($config['login_message']).'</div></div></div>'); }

      ?>
      <script type="text/javascript">
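      Review bot: The `-` line this issue asks to restore concatenates $config['login_message'] straight into the HTML response, so any markup or script in that value is rendered for every visitor of the login page, i.e. before authentication; the `+` line wrapping it in escape_html() is the right default. If raw markup is genuinely needed, keep the escaped path for login_message and add a separate, explicit key (the comments propose login_message_html) whose documentation states that its value is trusted, rather than dropping the escape on the existing key. Minor: the wrapper uses an unquoted attribute value (`<div class=row>`); quote it as `class="row"` for consistency with the rest of the markup.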

    Activity


    davidc David Croft added a comment:

      Escaping user input is appropriate. Escaping content in the name of security when ONLY the administrator could have defined it in the first place is not.

      If you truly don't trust your own users to put appropriate values in the config file (which, bearing in mind, they can override as I have done just by editing the PHP file), then why not add an additional variable login_message_html?

      David

    landy Mike Stupalov added a comment:

      No response for a long time.

    landy Mike Stupalov added a comment:

      This "ability" was completely removed for security reasons.

      Why, and what exactly do you want here in this message box?

      The escape will not be deleted, but if you show me a real case of what you want here, I will think about how to solve it.

    davidc David Croft added a comment:

      This was broken again in r7789.
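      The two positions in the thread side by side, as an added example that is not Observium's code: a hypothetical render function that keeps the r6273 escaping as the default, turns newlines into <br> so multi-line notices work without raw HTML, and emits the message verbatim only when an explicit opt-in key is set. The key name login_message_html is taken from the comment above and is assumed, not an existing Observium option; escape_html_example() stands in for the project's escape_html() helper and is assumed here to be htmlspecialchars()-equivalent.

```php
<?php
// Added example, not Observium code. Shows the escaped default that r6273
// introduced next to an explicit opt-in for trusted markup. The option name
// $config['login_message_html'] is assumed (taken from the issue comments);
// Observium's real escape_html() is replaced by an assumed equivalent.

/**
 * Escape a string for inclusion in HTML text content.
 * Assumed equivalent of Observium's escape_html() helper.
 */
function escape_html_example(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render the login-page banner from the configuration array.
 *
 * Default path: the message is treated as plain text. '<', '>', quotes and
 * '&' are escaped, and newlines become <br> so a multi-line notice still
 * renders without needing raw HTML.
 *
 * Opt-in path: when login_message_html is truthy the message is emitted
 * verbatim. This trusts the config file completely, so the value must come
 * from the PHP config only, never from a database row or a request.
 */
function render_login_message(array $config): string
{
    if (!isset($config['login_message']) || $config['login_message'] === '') {
        return '';
    }

    $allow_raw_html = !empty($config['login_message_html']);

    $html = $allow_raw_html
        ? $config['login_message']
        : nl2br(escape_html_example($config['login_message']));

    return '<div class="row"><div class="col-md-6 col-md-offset-3">'
         . '<div style="margin-top: 10px;text-align: center; font-weight: bold; color: #cc0000;">'
         . $html
         . '</div></div></div>';
}

// Constructed sample configurations for the two paths.
$text_config = [
    'login_message' => "Authorised users only.\nSee <b>policy</b> & contact the admin.",
];

$html_config = [
    'login_message'      => 'Authorised users only. See <a href="/policy">policy</a>.',
    'login_message_html' => true,
];

echo render_login_message($text_config), PHP_EOL;
echo render_login_message($html_config), PHP_EOL;
```

      Run with `php example.php`. The first call renders the tag and the ampersand as escaped text with a line break, the second emits the anchor as-is. The opt-in path is only as safe as write access to the config file, which is the trade-off the comments above argue about.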

    People

      landy Mike Stupalov
      davidc David Croft

      Votes: 0
      Watchers: 2
