Uploaded image for project: 'Nuxeo Elements'
  1. Nuxeo Elements
  2. ELEMENTS-853

Group name/id is not sanitized before creation

    XMLWordPrintable

    Details

    • Release Notes Summary:
      Special and white characters are displayed in the group name in the WebUI.
    • Backlog priority:
      450
    • Sprint:
      nxGang Sprint 11.1.1
    • Story Points:
      2

      Description

      1. Spaces can be inserted as %20%20, simply %20 or %C2%A0 or using & n b s p ;. The problem is the group name is indistinguishable in this case (see differences.png) in the web UI.
      2. This also generates in the case of the nbsp some other issues like a group not found (see notfound.png)
      3. This can be reproduced using the following 3 queries on nightly:
        curl -u Administrator:Administrator 'https://nightly.nuxeo.com/nuxeo/api/v1/group' -H 'properties: *' -H 'Origin: https://nightly.nuxeo.com' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,fr;q=0.8' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36' -H 'Content-Type: application/json' -H 'accept: text/plain,application/json, application/json' -H 'Referer: https://nightly.nuxeo.com/nuxeo/ui/' -H 'Cookie: JSESSIONID=6559022EFF911343DADC25EC419AC27C.nuxeo; _mkto_trk=id:498-JDO-611&token:_mch-nuxeo.com-1487351464068-17240; ajs_user_id=%22smiller%22; ajs_group_id=null; _evga_f7ec=875f4efe208f9c95.01b; _ga=GA1.2.346180470.1487351464; __cfduid=ddde09d21e2ddc802d01acd79622274c31519135824; ajs_anonymous_id=%22a4a72dc1-4a61-46ee-9059-8c34cd696686%22; cookie_informed=true; cookie_opted_out=false; _evgn_f7ec=%7B%22puid%22%3A%22_L-y34luaqeYTo9_mx-rHG6XwmlK1llqhfq2d-JIoNY%22%7D; org.jboss.seam.core.TimeZone=America/Havana; org.jboss.seam.core.Locale=en_US; nuxeo.start.url.fragment=!%2Fsearch%2Fdefault; _gaexp=GAX1.2.sdjM0W9vSAek82a6Ngko7A.17914.1!0hWSy_p3SleJFikwBXmkDA.17914.0; _gid=GA1.2.1274358619.1543861976; _gat=1' -H 'Connection: keep-alive' -H 'DNT: 1' --data-binary '{"entity-type":"group","groupname":"Blue White","grouplabel":"Blue White","memberUsers":[],"memberGroups":[]}' --compressed
        
        curl -u Administrator:Administrator 'https://nightly.nuxeo.com/nuxeo/api/v1/group' -H 'properties: *' -H 'Origin: https://nightly.nuxeo.com' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,fr;q=0.8' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36' -H 'Content-Type: application/json' -H 'accept: text/plain,application/json, application/json' -H 'Referer: https://nightly.nuxeo.com/nuxeo/ui/' -H 'Cookie: JSESSIONID=6559022EFF911343DADC25EC419AC27C.nuxeo; _mkto_trk=id:498-JDO-611&token:_mch-nuxeo.com-1487351464068-17240; ajs_user_id=%22smiller%22; ajs_group_id=null; _evga_f7ec=875f4efe208f9c95.01b; _ga=GA1.2.346180470.1487351464; __cfduid=ddde09d21e2ddc802d01acd79622274c31519135824; ajs_anonymous_id=%22a4a72dc1-4a61-46ee-9059-8c34cd696686%22; cookie_informed=true; cookie_opted_out=false; _evgn_f7ec=%7B%22puid%22%3A%22_L-y34luaqeYTo9_mx-rHG6XwmlK1llqhfq2d-JIoNY%22%7D; org.jboss.seam.core.TimeZone=America/Havana; org.jboss.seam.core.Locale=en_US; nuxeo.start.url.fragment=!%2Fsearch%2Fdefault; _gaexp=GAX1.2.sdjM0W9vSAek82a6Ngko7A.17914.1!0hWSy_p3SleJFikwBXmkDA.17914.0; _gid=GA1.2.1274358619.1543861976' -H 'Connection: keep-alive' -H 'DNT: 1' --data-binary '{"entity-type":"group","groupname":"Blue  White","grouplabel":"Blue  White","memberUsers":[],"memberGroups":[]}' --compressed
        
        curl -u Administrator:Administrator 'https://nightly.nuxeo.com/nuxeo/api/v1/group' -H 'properties: *' -H 'Origin: https://nightly.nuxeo.com' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,fr;q=0.8' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36' -H 'Content-Type: application/json' -H 'accept: text/plain,application/json, application/json' -H 'Referer: https://nightly.nuxeo.com/nuxeo/ui/' -H 'Cookie: JSESSIONID=6559022EFF911343DADC25EC419AC27C.nuxeo; _mkto_trk=id:498-JDO-611&token:_mch-nuxeo.com-1487351464068-17240; ajs_user_id=%22smiller%22; ajs_group_id=null; _evga_f7ec=875f4efe208f9c95.01b; _ga=GA1.2.346180470.1487351464; __cfduid=ddde09d21e2ddc802d01acd79622274c31519135824; ajs_anonymous_id=%22a4a72dc1-4a61-46ee-9059-8c34cd696686%22; cookie_informed=true; cookie_opted_out=false; _evgn_f7ec=%7B%22puid%22%3A%22_L-y34luaqeYTo9_mx-rHG6XwmlK1llqhfq2d-JIoNY%22%7D; org.jboss.seam.core.TimeZone=America/Havana; org.jboss.seam.core.Locale=en_US; nuxeo.start.url.fragment=!%2Fsearch%2Fdefault; _gaexp=GAX1.2.sdjM0W9vSAek82a6Ngko7A.17914.1!0hWSy_p3SleJFikwBXmkDA.17914.0; _gid=GA1.2.1274358619.1543861976' -H 'Connection: keep-alive' -H 'DNT: 1' --data-binary '{"entity-type":"group","groupname":"Blue White","grouplabel":"Blue White","memberUsers":[],"memberGroups":[]}' --compressed
        

      Since Web UI uses REST, this may need to be fixed on the REST side rather than Web UI.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 3 hours, 20 minutes
                  1d 3h 20m

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.