[ANTARCTICLE-252] Tags Filter: insufficient filtering of special characters - JTalks JIRA

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0
Fix Version/s: 2.0
Labels:
None

Description

Steps to reproduce:
1. Open Antarcticle main page
2. Enter in Tags Filter field: <script>alert('test')</script> and press Find button

AR: pop-up window appears with "Oops, an error occured" error text, see screenshot
ER: no pop-up window is shown

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

xss tags.JPG
54 kB
20/Mar/14 1:23 PM

Structure Settings

Structure

(does not include ANTARCTICLE-252)

Open

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Evgeniy Naumenko added a comment - 21/Mar/14 12:42 PM

This bug has nothing to do with XSS. The real cause is inadequate search tag handling on DAO layer; current implementation fails on special symbols like '.

Show

Evgeniy Naumenko added a comment - 21/Mar/14 12:42 PM This bug has nothing to do with XSS. The real cause is inadequate search tag handling on DAO layer; current implementation fails on special symbols like '.

Hide

Permalink

Targa Florio added a comment - 21/Mar/14 1:15 PM - edited

You are right, it's filter all special characters except '
I'll rename this issue

Show

Targa Florio added a comment - 21/Mar/14 1:15 PM - edited You are right, it's filter all special characters except ' I'll rename this issue

Hide

Permalink

Anuar Nurmakanov added a comment - 21/Mar/14 2:35 PM

I'll fix.

Show

Anuar Nurmakanov added a comment - 21/Mar/14 2:35 PM I'll fix.

Hide

Permalink

Evgeniy Naumenko added a comment - 22/Mar/14 8:27 PM - edited

Backslash is also causing similar problems. On retest I suggest to check all special characters carefully.

Show

Evgeniy Naumenko added a comment - 22/Mar/14 8:27 PM - edited Backslash is also causing similar problems. On retest I suggest to check all special characters carefully.

Hide

Permalink

Artem R added a comment - 11/Apr/14 10:22 PM - edited

Steps to reproduce
1. Enter

'`

in Tags Filter field

Actual result
Error 500 is shown

Expected result
Search by entered tag should be perfomed

Issue should be reopened

Show

Artem R added a comment - 11/Apr/14 10:22 PM - edited Steps to reproduce 1. Enter '` in Tags Filter field Actual result Error 500 is shown Expected result Search by entered tag should be perfomed Issue should be reopened

Hide

Permalink

Evgeniy Naumenko added a comment - 13/Apr/14 12:35 PM

reimplemented to use proper symbol escaping

Show

Evgeniy Naumenko added a comment - 13/Apr/14 12:35 PM reimplemented to use proper symbol escaping

Hide

Permalink

Targa Florio added a comment - 14/Apr/14 1:42 PM - edited

Test Environment
Firefox 28, Antarcticle 285 build

Test Scenario
1. Open Antarcticle main page
2. Enter special character '` in tags filter
AR=ER Nothing was found and no error appeared

Regression tests:
Search by list special characters (one by one) was tested
List contains 29 special characters

Test results:
AR=ER No errors occurred while searching by special characters

Show

Targa Florio added a comment - 14/Apr/14 1:42 PM - edited Test Environment Firefox 28, Antarcticle 285 build Test Scenario 1. Open Antarcticle main page 2. Enter special character '` in tags filter AR=ER Nothing was found and no error appeared Regression tests: Search by list special characters (one by one) was tested List contains 29 special characters Test results: AR=ER No errors occurred while searching by special characters

People

Assignee:

Targa Florio

Reporter:

Targa Florio

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

20/Mar/14 1:23 PM

Updated:

14/Apr/14 1:45 PM

Resolved:

12/Apr/14 12:50 AM

Structure Helper Panel