[Bug 1549378] [NEW] Javascript allowed in OU names, v2.22

Public bug reported:

Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit hierarchy
it would fire off the javascript. I tested this in firefox, the attached
file was the result.

** Affects: dhis2
     Importance: Undecided
         Status: New

** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"
   https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png

···

--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1549378

Title:
  Javascript allowed in OU names, v2.22

Status in DHIS:
  New

Bug description:
  Conducting a training and just had a user pop some javascript into the
  org unit name which when the user revealed it in the org unit
  hierarchy it would fire off the javascript. I tested this in firefox,
  the attached file was the result.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions

Is this a security risk?

···

On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <tharding@baosystems.com> wrote:

Public bug reported:

Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit hierarchy
it would fire off the javascript. I tested this in firefox, the attached
file was the result.

** Affects: dhis2
     Importance: Undecided
         Status: New

** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"

https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png

--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1549378

Title:
  Javascript allowed in OU names, v2.22

Status in DHIS:
  New

Bug description:
  Conducting a training and just had a user pop some javascript into the
  org unit name which when the user revealed it in the org unit
  hierarchy it would fire off the javascript. I tested this in firefox,
  the attached file was the result.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp

--
Knut Staring
Dept. of Informatics, University of Oslo
Norway: +4791880522
Skype: knutstar
http://dhis2.org

--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1549378

Title:
  Javascript allowed in OU names, v2.22

Status in DHIS:
  New

Bug description:
  Conducting a training and just had a user pop some javascript into the
  org unit name which when the user revealed it in the org unit
  hierarchy it would fire off the javascript. I tested this in firefox,
  the attached file was the result.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions

Yes firing off arbitrary javascript is not a good thing.

It should probably be filtered on input and escaped on output though
opinions vary a bit on approaches. I think these sorts of issues were
being targeted in the new metadata maintenance app.

···

On 25 February 2016 at 08:51, Knut Staring <knutst@gmail.com> wrote:

Is this a security risk?

On Wed, Feb 24, 2016 at 5:52 PM, Timothy Harding <tharding@baosystems.com> > wrote:

Public bug reported:

Conducting a training and just had a user pop some javascript into the
org unit name which when the user revealed it in the org unit hierarchy
it would fire off the javascript. I tested this in firefox, the attached
file was the result.

** Affects: dhis2
     Importance: Undecided
         Status: New

** Attachment added: "Screen Shot 2016-02-24 at 11.38.36 AM.png"

https://bugs.launchpad.net/bugs/1549378/+attachment/4580110/+files/Screen%20Shot%202016-02-24%20at%2011.38.36%20AM.png

--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1549378

Title:
  Javascript allowed in OU names, v2.22

Status in DHIS:
  New

Bug description:
  Conducting a training and just had a user pop some javascript into the
  org unit name which when the user revealed it in the org unit
  hierarchy it would fire off the javascript. I tested this in firefox,
  the attached file was the result.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp

--
Knut Staring
Dept. of Informatics, University of Oslo
Norway: +4791880522
Skype: knutstar
http://dhis2.org

--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1549378

Title:
  Javascript allowed in OU names, v2.22

Status in DHIS:
  New

Bug description:
  Conducting a training and just had a user pop some javascript into the
  org unit name which when the user revealed it in the org unit
  hierarchy it would fire off the javascript. I tested this in firefox,
  the attached file was the result.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp

Fixed and backported to 2.21, 2.22

** Changed in: dhis2
     Assignee: (unassigned) => Morten Olav Hansen (mortenoh)

** Changed in: dhis2
       Status: New => Confirmed

** Changed in: dhis2
   Importance: Undecided => High

** Changed in: dhis2
    Milestone: None => 2.23

** Changed in: dhis2
       Status: Confirmed => Fix Released

···

--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1549378

Title:
  Javascript allowed in OU names, v2.22

Status in DHIS:
  Fix Released

Bug description:
  Conducting a training and just had a user pop some javascript into the
  org unit name which when the user revealed it in the org unit
  hierarchy it would fire off the javascript. I tested this in firefox,
  the attached file was the result.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions

Thanks Morten!

*Timothy Harding*
Sr. Systems Analyst, BAO Systems
+1 202-536-1541 | tharding@baosystems.com | http://www.baosystems.com | Skype:
hardingt@gmail.com | 2900 K Street, Suite 404, Washington D.C. 20007

···

On Tue, Mar 1, 2016 at 5:49 AM, Morten Olav Hansen < 1549378@bugs.launchpad.net> wrote:

Fixed and backported to 2.21, 2.22

** Changed in: dhis2
     Assignee: (unassigned) => Morten Olav Hansen (mortenoh)

** Changed in: dhis2
       Status: New => Confirmed

** Changed in: dhis2
   Importance: Undecided => High

** Changed in: dhis2
    Milestone: None => 2.23

** Changed in: dhis2
       Status: Confirmed => Fix Released

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1549378

Title:
  Javascript allowed in OU names, v2.22

Status in DHIS:
  Fix Released

Bug description:
  Conducting a training and just had a user pop some javascript into the
  org unit name which when the user revealed it in the org unit
  hierarchy it would fire off the javascript. I tested this in firefox,
  the attached file was the result.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions

** Attachment added: "PastedGraphic-1.png"
   https://bugs.launchpad.net/bugs/1549378/+attachment/4585529/+files/PastedGraphic-1.png

--
You received this bug notification because you are a member of DHIS 2
developers, which is subscribed to DHIS.
https://bugs.launchpad.net/bugs/1549378

Title:
  Javascript allowed in OU names, v2.22

Status in DHIS:
  Fix Released

Bug description:
  Conducting a training and just had a user pop some javascript into the
  org unit name which when the user revealed it in the org unit
  hierarchy it would fire off the javascript. I tested this in firefox,
  the attached file was the result.

To manage notifications about this bug go to:
https://bugs.launchpad.net/dhis2/+bug/1549378/+subscriptions