Fixes #37582 - use textarea in host comment edit
Had to change the CSS, since for long inputs the comment text would go out of the card border. Added set default on submit, so if a user changes the comment, saves, and then changes it again but clicks cancel, it won't go to the value that the page loaded.
Added white-space: pre-line; so that the comment view will show newlines.
Nice. Thank you. Is there a validation / check somewhere to prevent XSS?
By default, React DOM escapes any values embedded in JSX before rendering them. (https://legacy.reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks) Is there another risk I didn't see?
Oh, this is great. Thank you very much.
Do we have XSS tests somewhere that try to inject certain JS stuff in textarea / other user-defined input fields and then try to find out if the JS would be escaped / not escaped?
I tested this and what happens is:
- If I enter a comment value and submit, that is fine.
- When I edit the comment and submit, that is also fine.
- When I edit the comment a third time and then click abort, then the first value that I initially added in the current session re-appears instead of the one I added in 2)
Do we have XSS tests somewhere that try to inject certain JS stuff in textarea / other user-defined input fields and then try to find out if the JS would be escaped / not escaped?
Not in our tests in the repo, since we use textarea from react/rails which should be secure for that.
When I edit the comment a third time and then click abort, then the first value that I initially added in the current session re-appears instead of the one I added in 2)
Thanks, had a typo in the function call, should be good now
Works now, thanks!
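The kind of escaping test asked about in the thread, as an added example that is not part of this PR or of the project's test suite. It assumes a hypothetical comment renderer that returns an HTML string, and uses a stand-in five-character HTML escaper instead of React or Rails; all names and payloads are constructed for illustration.

```javascript
// Added example; renderer names, markup and payloads are hypothetical.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([ch, ent]) => [ent, ch]));

// Stand-in escaper (assumption: the renderer under test escapes these five characters).
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
const unescapeHtml = (s) => s.replace(/&(?:amp|lt|gt|quot|#x27);/g, (ent) => DECODE[ent]);

const OPEN = '<textarea name="comment">';
const CLOSE = '</textarea>';
// One renderer that escapes, and a deliberately broken one for comparison.
const renderEscaped = (comment) => OPEN + escapeHtml(comment) + CLOSE;
const renderRaw = (comment) => OPEN + comment + CLOSE;

// Constructed test inputs: markup, a textarea close tag, an attribute
// break-out, and a benign multi-line comment that must survive unchanged.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '</textarea><img src=x onerror=alert(1)>',
  '"><svg onload=alert(1)>',
  "line one\nline two & 'quotes'",
];

// Returns one entry per payload that reaches the output unescaped or altered.
function checkRenderer(render, payloads = PAYLOADS) {
  const failures = [];
  for (const payload of payloads) {
    const html = render(payload);
    if (!html.startsWith(OPEN) || !html.endsWith(CLOSE)) {
      failures.push({ payload, reason: 'wrapper missing' });
      continue;
    }
    const body = html.slice(OPEN.length, html.length - CLOSE.length);
    // Any raw metacharacter, or an "&" that does not start a known entity.
    if (/[<>"']|&(?!(?:amp|lt|gt|quot|#x27);)/.test(body)) {
      failures.push({ payload, reason: 'unescaped character in output' });
    } else if (unescapeHtml(body) !== payload) {
      failures.push({ payload, reason: 'value changed by escaping' });
    }
  }
  return failures;
}

console.log('escaped renderer failures:', checkRenderer(renderEscaped).length);
console.log('raw renderer failures:', checkRenderer(renderRaw).length);
```

The round-trip check matters for this change in particular: a comment with newlines, ampersands and quotes has to come back exactly as typed, not only be free of markup.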