[ELEMENTS-853] Group name/id is not sanitized before creation - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.2.26, 2.4.0, 3.0.0
Fix Version/s: 2.2.27, 2.4.1, 3.0.0
Component/s: UI, User & Group management

Release Notes Summary:
Special and white characters are displayed in the group name in the WebUI.
Tags:
Backlog priority:
450
Sprint:
nxGang Sprint 11.1.1
Story Points:
2

Description

Spaces can be inserted as %20%20, simply %20 or %C2%A0 or using & n b s p ;. The problem is the group name is indistinguishable in this case (see differences.png) in the web UI.
This also generates in the case of the nbsp some other issues like a group not found (see notfound.png)

This can be reproduced using the following 3 queries on nightly:

curl -u Administrator:Administrator 'https://nightly.nuxeo.com/nuxeo/api/v1/group' -H 'properties: *' -H 'Origin: https://nightly.nuxeo.com' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,fr;q=0.8' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36' -H 'Content-Type: application/json' -H 'accept: text/plain,application/json, application/json' -H 'Referer: https://nightly.nuxeo.com/nuxeo/ui/' -H 'Cookie: JSESSIONID=6559022EFF911343DADC25EC419AC27C.nuxeo; _mkto_trk=id:498-JDO-611&token:_mch-nuxeo.com-1487351464068-17240; ajs_user_id=%22smiller%22; ajs_group_id=null; _evga_f7ec=875f4efe208f9c95.01b; _ga=GA1.2.346180470.1487351464; __cfduid=ddde09d21e2ddc802d01acd79622274c31519135824; ajs_anonymous_id=%22a4a72dc1-4a61-46ee-9059-8c34cd696686%22; cookie_informed=true; cookie_opted_out=false; _evgn_f7ec=%7B%22puid%22%3A%22_L-y34luaqeYTo9_mx-rHG6XwmlK1llqhfq2d-JIoNY%22%7D; org.jboss.seam.core.TimeZone=America/Havana; org.jboss.seam.core.Locale=en_US; nuxeo.start.url.fragment=!%2Fsearch%2Fdefault; _gaexp=GAX1.2.sdjM0W9vSAek82a6Ngko7A.17914.1!0hWSy_p3SleJFikwBXmkDA.17914.0; _gid=GA1.2.1274358619.1543861976; _gat=1' -H 'Connection: keep-alive' -H 'DNT: 1' --data-binary '{"entity-type":"group","groupname":"Blue White","grouplabel":"Blue White","memberUsers":[],"memberGroups":[]}' --compressed

curl -u Administrator:Administrator 'https://nightly.nuxeo.com/nuxeo/api/v1/group' -H 'properties: *' -H 'Origin: https://nightly.nuxeo.com' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,fr;q=0.8' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36' -H 'Content-Type: application/json' -H 'accept: text/plain,application/json, application/json' -H 'Referer: https://nightly.nuxeo.com/nuxeo/ui/' -H 'Cookie: JSESSIONID=6559022EFF911343DADC25EC419AC27C.nuxeo; _mkto_trk=id:498-JDO-611&token:_mch-nuxeo.com-1487351464068-17240; ajs_user_id=%22smiller%22; ajs_group_id=null; _evga_f7ec=875f4efe208f9c95.01b; _ga=GA1.2.346180470.1487351464; __cfduid=ddde09d21e2ddc802d01acd79622274c31519135824; ajs_anonymous_id=%22a4a72dc1-4a61-46ee-9059-8c34cd696686%22; cookie_informed=true; cookie_opted_out=false; _evgn_f7ec=%7B%22puid%22%3A%22_L-y34luaqeYTo9_mx-rHG6XwmlK1llqhfq2d-JIoNY%22%7D; org.jboss.seam.core.TimeZone=America/Havana; org.jboss.seam.core.Locale=en_US; nuxeo.start.url.fragment=!%2Fsearch%2Fdefault; _gaexp=GAX1.2.sdjM0W9vSAek82a6Ngko7A.17914.1!0hWSy_p3SleJFikwBXmkDA.17914.0; _gid=GA1.2.1274358619.1543861976' -H 'Connection: keep-alive' -H 'DNT: 1' --data-binary '{"entity-type":"group","groupname":"Blue  White","grouplabel":"Blue  White","memberUsers":[],"memberGroups":[]}' --compressed

curl -u Administrator:Administrator 'https://nightly.nuxeo.com/nuxeo/api/v1/group' -H 'properties: *' -H 'Origin: https://nightly.nuxeo.com' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,fr;q=0.8' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36' -H 'Content-Type: application/json' -H 'accept: text/plain,application/json, application/json' -H 'Referer: https://nightly.nuxeo.com/nuxeo/ui/' -H 'Cookie: JSESSIONID=6559022EFF911343DADC25EC419AC27C.nuxeo; _mkto_trk=id:498-JDO-611&token:_mch-nuxeo.com-1487351464068-17240; ajs_user_id=%22smiller%22; ajs_group_id=null; _evga_f7ec=875f4efe208f9c95.01b; _ga=GA1.2.346180470.1487351464; __cfduid=ddde09d21e2ddc802d01acd79622274c31519135824; ajs_anonymous_id=%22a4a72dc1-4a61-46ee-9059-8c34cd696686%22; cookie_informed=true; cookie_opted_out=false; _evgn_f7ec=%7B%22puid%22%3A%22_L-y34luaqeYTo9_mx-rHG6XwmlK1llqhfq2d-JIoNY%22%7D; org.jboss.seam.core.TimeZone=America/Havana; org.jboss.seam.core.Locale=en_US; nuxeo.start.url.fragment=!%2Fsearch%2Fdefault; _gaexp=GAX1.2.sdjM0W9vSAek82a6Ngko7A.17914.1!0hWSy_p3SleJFikwBXmkDA.17914.0; _gid=GA1.2.1274358619.1543861976' -H 'Connection: keep-alive' -H 'DNT: 1' --data-binary '{"entity-type":"group","groupname":"Blue&nbsp;White","grouplabel":"Blue White","memberUsers":[],"memberGroups":[]}' --compressed

Since Web UI uses REST, this may need to be fixed on the REST side rather than Web UI.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

differences.png
65 kB
2018-12-06 10:57
notfound.png
128 kB
2018-12-06 10:57

Issue Links

causes

ELEMENTS-870 Fix spacing for users and groups on nuxeo-user-suggestion

Resolved

is related to

ELEMENTS-916 nuxeo-selectivity behaves differently using the same selection and result formatter

Resolved

ELEMENTS-1068 Group name containing quote is not displayed when searched

Resolved

Is referenced in

PR for master: #520

Activity

People

Assignee:

Nuno Cunha

Reporter:

Frantz Fischer

Participants:

Frantz Fischer, Jenkins, Nelson Silva, Nuno Cunha

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

2018-12-06 10:55

Updated:

2021-01-26 14:29

Resolved:

2019-01-29 09:09

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1d 3h 20m