[OBS-1882] CLONE - Restore ability to use HTML in login_message - Observium

Details

Type: Bug
Resolution: Incomplete
Priority: Minor
Fix Version/s: None
Affects Version/s: Professional Edition
Component/s: Web Interface
Labels:
None

Description

Revision 6273 added escape_html() to login_message, removing our ability to use HTML in the login warning.

Please revert this change:

@@-83,7 +83,7@@

if (isset($config['login_message']))

{ - echo('<div class=row><div class="col-md-6 col-md-offset-3"><div style="margin-top: 10px;text-align: center; font-weight: bold; color: #cc0000;">'.$config['login_message'].'</div></div></div>'); + echo('<div class=row><div class="col-md-6 col-md-offset-3"><div style="margin-top: 10px;text-align: center; font-weight: bold; color: #cc0000;">'.escape_html($config['login_message']).'</div></div></div>'); }

?>
<script type="text/javascript">

Attachments

Issue Links

clones

OBS-1308 Restore ability to use HTML in login_message

Closed

relates to

OBS-1821 Security issues: CSRF, Persistent XSS, Authenticated RCE

Closed

Activity

[OBS-1882] CLONE - Restore ability to use HTML in login_message

Mike Stupalov made changes - 2016/11/23 02:10 AM

Status

Original: Resolved [ 5 ]

New: Closed [ 6 ]

David Croft added a comment - 2016/10/23 04:43 AM

Escaping user input is appropriate. Escaping content in the name of security when ONLY the administrator could have defined it in the first place is not.
If you truly don't trust your own users to put appropriate values in the config file (which bearing in mind they can override as I have done just by editing the PHP file), then why not add an additional variable login_message_html.

David

David Croft added a comment - 2016/10/23 04:43 AM Escaping user input is appropriate. Escaping content in the name of security when ONLY the administrator could have defined it in the first place is not. If you truly don't trust your own users to put appropriate values in the config file (which bearing in mind they can override as I have done just by editing the PHP file), then why not add an additional variable login_message_html. David

Mike Stupalov made changes - 2016/10/23 03:47 AM

Resolution		New: Incomplete [ 4 ]
Status	Original: Pending Response [ 10000 ]	New: Resolved [ 5 ]

Mike Stupalov added a comment - 2016/10/23 03:47 AM

No response for a long time.

Mike Stupalov added a comment - 2016/10/23 03:47 AM No response for a long time.

Mike Stupalov made changes - 2016/06/15 10:53 PM

Status

Original: Open [ 1 ]

New: Pending Response [ 10000 ]

Mike Stupalov made changes - 2016/06/15 09:54 PM

Link

New: This issue relates to ~~OBSERVIUM-1821~~ [ ~~OBSERVIUM-1821~~ ]

Mike Stupalov made changes - 2016/06/15 09:48 PM

Assignee

Original: Adam Armstrong [ adama ]

New: Mike Stupalov [ landy ]

Mike Stupalov added a comment - 2016/06/15 09:48 PM

This "ability" complete removed for security reasons.

Why and what exactly you want here in this message box?

escape not be deleted, but if you show me real case what you want here, I will think how to solve it.

Mike Stupalov added a comment - 2016/06/15 09:48 PM This "ability" complete removed for security reasons. Why and what exactly you want here in this message box? escape not be deleted, but if you show me real case what you want here, I will think how to solve it.

David Croft added a comment - 2016/06/14 06:27 AM

This was broken again in r7789

David Croft added a comment - 2016/06/14 06:27 AM This was broken again in r7789

David Croft made changes - 2016/06/14 06:27 AM

Link

New: This issue clones ~~OBSERVIUM-1308~~ [ ~~OBSERVIUM-1308~~ ]

People

Assignee:: Mike Stupalov

Reporter:: David Croft

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2016/06/14 06:27 AM

Updated:: 2016/11/23 02:10 AM

Resolved:: 2016/10/23 03:47 AM