Consumer Group Id is not html escaped in the UI #641

Open
davideicardi opened this issue Apr 30, 2024 · 6 comments
Labels
bug Something isn't working investigate We are currently investigating the issue

Comments

@davideicardi
Collaborator

davideicardi commented Apr 30, 2024

I have received a bug report from "d.morozov" regarding how the consumer group id is displayed inside the UI. It looks like it is not HTML escaped, so potentially it can break the UI or we can have security issues.

Verify if this is true and how we can fix it.

@davideicardi davideicardi added bug Something isn't working investigate We are currently investigating the issue labels Apr 30, 2024
@aakashthakare

Hey @davideicardi,

I tried to investigate this issue, and the following are my findings:

  • When a consumer group ID with HTML content is rendered by the UI, the HTML tags can be seen.
  • However, going into the consumer detail page fails due to NoResourceFoundException.
  • Escaping HTML from groupId in the topic response won't help, as spring.url will again convert it to the unescaped one.
  • It would be better to send it in a POST request rather than GET, to solve this problem.

I started looking into the code recently, so I could be wrong with my analysis. Feel free to correct me and guide me on this.

Looking forward to contributing more to this project. Let me know if any further investigation is required.

(Two screenshots attached, taken 2024-05-19.)

@davideicardi
Collaborator Author

Thank you @aakashthakare!
Regarding the resource not found, is it a problem of the id being passed in the wrong way? Or maybe some other server-side problem?

@aakashthakare

Hello @davideicardi, thanks for the response. Yes, it needs to be fixed on the server side. The URL consumer/my-second-consumer-group-<a>new</a> is failing to reach the controller. We need to HTML encode it in the URL, while on the server side we need to HTML decode the consumer id.

@davideicardi
Collaborator Author

What if you pass it as URL encoded? (not HTML encoded ...)

@aakashthakare

aakashthakare commented May 22, 2024

It will solve it up to some extent, not completely.

For example, if the consumer group id is test-<a>it</a>, URL encoded it will become test-%3Ca%3Eit%3C%2Fa%3E; this we can do while returning the consumer group. However, it gets automatically decoded when the consumer link consumer/test-%3Ca%3Eit%3C%2Fa%3E is clicked, and we get "A 404 error has occurred: No static resource consumer/test-<a>it</a>".

One way is to do Base64 encoding/decoding of the groupId, but we need to see how we can decode it to display the readable consumer id. Check out this commit.
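The three treatments discussed in this thread (HTML escaping for what the browser renders, percent-encoding for the path segment, and an opaque Base64 token) are different operations that protect different places, which is why fixing one does not fix the other. The following is an added example illustrating that, not code from this project; it uses a constructed group id of the same shape as the one above and standard-library functions only. The `decode_path_segment` step stands in for the framework decoding the request path before routing, which is what turns the `%3C...%2F...` segment back into the raw `consumer/test-<a>it</a>` seen in the 404 message.

```python
import base64
import html
from urllib.parse import quote, unquote

# Constructed sample id, same shape as the one in the comment above (not real data).
SAMPLE_GROUP_ID = "test-<a>it</a>"


def escape_for_html(group_id: str) -> str:
    """Text/attribute-safe form of the id: '<', '>', '&' and quotes become entities.
    This fixes the rendering half of the bug: the browser shows the tags as text
    instead of parsing them as markup."""
    return html.escape(group_id, quote=True)


def encode_path_segment(group_id: str) -> str:
    """Percent-encode the id for use as ONE path segment. safe='' also encodes '/',
    so the id cannot introduce extra path segments."""
    return quote(group_id, safe="")


def decode_path_segment(segment: str) -> str:
    """What the receiving side does before routing: percent-decoding restores the
    raw characters, including '<', '>' and '/'. The decoded value, not the encoded
    one, is what gets matched against controllers and static resources."""
    return unquote(segment)


def render_group_link(group_id: str) -> str:
    """Link to the consumer detail page: the href carries the percent-encoded
    segment, the visible text carries the HTML-escaped id. Both are needed;
    neither substitutes for the other."""
    return (
        f'<a href="consumer/{encode_path_segment(group_id)}">'
        f"{escape_for_html(group_id)}</a>"
    )


def to_opaque_token(group_id: str) -> str:
    """URL-safe Base64 without padding: only [A-Za-z0-9_-], so the token survives
    routing and rendering untouched (the alternative proposed in the thread)."""
    raw = base64.urlsafe_b64encode(group_id.encode("utf-8"))
    return raw.rstrip(b"=").decode("ascii")


def from_opaque_token(token: str) -> str:
    """Inverse of to_opaque_token: re-add padding, decode, and recover the
    readable id for display (after HTML-escaping it, of course)."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8")


def is_route_safe(segment: str) -> bool:
    """True if the segment contains only characters that neither a router nor an
    HTML parser will reinterpret."""
    return all(c.isalnum() or c in "-_" for c in segment)


if __name__ == "__main__":
    print(render_group_link(SAMPLE_GROUP_ID))
    enc = encode_path_segment(SAMPLE_GROUP_ID)
    print(enc, "->", decode_path_segment(enc))
    tok = to_opaque_token(SAMPLE_GROUP_ID)
    print(tok, "->", from_opaque_token(tok), is_route_safe(tok))
```

Running it shows the percent-encoded segment decoding straight back to the raw id with its angle brackets and slash, while the Base64 token contains nothing a router or HTML parser treats specially; the display side then only needs `escape_for_html` on the decoded value.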


This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Jun 22, 2024
@Bert-R Bert-R removed the stale label Jun 22, 2024

3 participants