
Consumer Group Id is not html escaped in the UI

Open davideicardi opened this issue 1 year ago • 6 comments

I have received a bug report from "d.morozov" regarding how the consumer group id is displayed inside the UI. It looks like it is not HTML escaped, so potentially it can break the UI or we can have security issues.

Verify if this is true and how we can fix it.

davideicardi avatar Apr 30 '24 08:04 davideicardi

Hey @davideicardi,

I tried to investigate this issue and the following are my findings:

  • For a consumer group ID with HTML content being rendered by the UI, HTML tags can be seen.
  • However, going into the consumer detail page fails due to NoResourceFoundException.
  • Escaping HTML from groupId in the topic response won't help, as spring.url will again convert it to an unescaped one.
  • It would be better to send it in a POST request rather than GET to solve this problem.

I started looking into the code recently, I could be wrong with my analysis. Feel free to correct me and guide for the same.

Looking forward to contributing more to this project. Let me know if any further investigation is required.

[Two screenshots attached, May 19 2024]

aakashthakare avatar May 19 '24 14:05 aakashthakare

Thank you @aakashthakare! Regarding the resource not found, is it a problem of the id passed in the wrong way? Or maybe some other server-side problem?

davideicardi avatar May 20 '24 07:05 davideicardi

Hello @davideicardi, thanks for the response. Yes, it needs to be fixed from the server side. The URL consumer/my-second-consumer-group-<a>new</a> fails to reach the controller. We need to HTML encode it in the URL, while on the server side we need to HTML decode the consumer id.

aakashthakare avatar May 20 '24 07:05 aakashthakare

What if you pass it as URL encoded? (not HTML encoded ...)

davideicardi avatar May 20 '24 09:05 davideicardi

It will solve it up to some extent, not completely.

For example, if the consumer group id is test-<a>it</a>, URL encoded it will become test-%3Ca%3Eit%3C%2Fa%3E; this we can do while returning the consumer group. However, it gets automatically decoded when the consumer link consumer/test-%3Ca%3Eit%3C%2Fa%3E is clicked, and we get "A 404 error has occurred: No static resource consumer/test-<a>it</a>".

One way is to do Base64 encoding/decoding of the groupId, but we need to see how we can decode it to display the readable consumer id. Check out this commit.

aakashthakare avatar May 22 '24 10:05 aakashthakare
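As an added example, not Kafdrop's code and not either commenter's, the two encodings the thread is juggling, written in Python rather than the project's Java so it runs stand-alone. The route `/consumer/{id}`, the helper names and the `render_consumer_link` template are assumptions; the id `test-<a>it</a>` is the one from the comment above. Two separate encodings are needed because the id lands in two different contexts: HTML escaping for the visible link text (so a `<a>` in the id is shown as text, not parsed as a tag) and percent-encoding for the path segment in the href. The `path_segment_after_decode` helper also shows why percent-encoding alone is not enough for this particular id: `</a>` contains a `/`, so once the server decodes `%2F` the path splits into an extra segment and no longer fits a single `{id}` placeholder (my reading of the 404 in the comment, not something the thread confirms). A URL-safe Base64 token contains neither `<` nor `/`, which is the property that makes the Base64 idea work; the decode side restores the readable id for display.

```python
"""Added example (not Kafdrop code): rendering a consumer-group link safely.

HTML escaping and percent-encoding solve different problems and both are
needed, one per output context. Route, helper names and sample ids are
assumptions made for this example.
"""
import base64
import html
from urllib.parse import quote, unquote


def html_escape(text: str) -> str:
    """Escape <, >, &, quotes so the id is shown as text, never parsed as markup."""
    return html.escape(text, quote=True)


def render_consumer_link(group_id: str) -> str:
    """Build the <a> for a consumer group id the way a template should:
    percent-encode the path segment, HTML-escape everything that is emitted."""
    href = "/consumer/" + quote(group_id, safe="")
    return f'<a href="{html_escape(href)}">{html_escape(group_id)}</a>'


def path_segment_after_decode(group_id: str) -> list[str]:
    """Simulate a server that percent-decodes the path before routing.
    Returns the decoded path split into segments (leading '' dropped)."""
    path = "/consumer/" + quote(group_id, safe="")
    return unquote(path).split("/")[1:]


def encode_group_id_b64(group_id: str) -> str:
    """URL-safe Base64 token: only [A-Za-z0-9_-], so no '<', '>' or '/'.
    Padding is stripped so the token is clean in a path segment."""
    raw = base64.urlsafe_b64encode(group_id.encode("utf-8")).decode("ascii")
    return raw.rstrip("=")


def decode_group_id_b64(token: str) -> str:
    """Restore the readable id on the server (re-adds stripped padding)."""
    padding = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + padding).decode("utf-8")


if __name__ == "__main__":
    gid = "test-<a>it</a>"  # constructed sample id from the issue thread
    print(render_consumer_link(gid))
    print(path_segment_after_decode(gid))
    token = encode_group_id_b64(gid)
    print(token, "->", decode_group_id_b64(token))
```

The rendered link shows the tag characters as `&lt;a&gt;` in the text while the href carries `%3C`/`%3E`/`%2F`; the decoded-path simulation yields three segments instead of two for this id, and the Base64 round trip returns the original string.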

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] avatar Jun 22 '24 01:06 github-actions[bot]

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] avatar Jul 23 '24 01:07 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Aug 06 '24 01:08 github-actions[bot]