Module: check_mk
Branch: master
Commit: 695c0550c224fd8b67f84e70439289939179b421
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=695c0550c224fd…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Oct 19 15:45:48 2017 +0200
Updated bug entries #2981
Change-Id: Idb52755c2c4b93c16328942f7dfd0f0d61e8b7ba
---
.bugs/2981 | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/.bugs/2981 b/.bugs/2981
new file mode 100644
index 0000000..b1f5bb8
--- /dev/null
+++ b/.bugs/2981
@@ -0,0 +1,13 @@
+Title: table.cell(): Fix escaping of cell content
+Component: multisite
+State: open
+Date: 2017-10-19 15:43:24
+Targetversion: 1.5.0
+Class: bug
+
+The content of the cell, that can be provided via argument, is not escaped by default.
This opens
+several places for XSS attacks. We need to make this method escape the content by
default. In
+case one wants to add HTML code there, it must be wrapped into a HTML() object or written
out after
+table.cell() with html.write(...).
+
+There may be several places where wanted HTML code is "destroyed". Can we
somehow find these places?
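Review bot: The closing paragraph of the description ends on an open question ("Can we somehow find these places?"), so the entry gives no criterion for when escaping by default can be switched on without breaking output. I would record the approach in the entry itself: go through the callers of table.cell() that pass markup in the content argument and convert each one to an HTML() object or to html.write(...) after the call, which is the migration the first paragraph already prescribes. The first paragraph should also say that HTML() is meant for markup the code builds itself; wrapping an untrusted value in HTML() just to restore the old rendering would bring back the XSS this entry is about.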