[pbs-devel] [PATCH widget-toolkit/proxmox-backup v2 0/5] fix #5463: add optional consent banner before login

Dominik Csapak d.csapak at proxmox.com
Wed Jun 5 15:22:48 CEST 2024


I did not look too closely at the code, but gave it a spin and found a few problems /
have suggestions:

* handlebars by default does HTML escaping (https://docs.rs/handlebars/latest/handlebars/#escaping)
   so any of the reserved characters will be wrong
   (namely rendered as an HTML escape sequence such as '&quot;')
* that accidentally prevented code injection when directly editing the config file
   this is something we should do even if we assume that the text was set through the API
   just a simple search/replace of some specific characters such as "< etc. should be enough
* there is still a code execution potential, namely on the rendering part of the config
   in configuration -> other (works e.g. by setting <svg onmouseover=alert(1)></svg>)
* it's not possible to delete the text again from the UI
* if it's deleted (by API or by hand) 'undefined' is rendered
* I really would like markdown support here too ;)
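Two of the points raised above, as an added example that is not part of the patch series or of the widget toolkit: escaping the reserved characters before the banner text reaches the DOM, undoing a template engine's HTML escaping when the text is needed as plain text again, and rendering nothing instead of 'undefined' when the option is unset. The function names are assumptions.

```javascript
// Constructed example: escape consent-banner text before it is placed into HTML.
// Every character that is significant in HTML (or inside an attribute value)
// is mapped to an entity, so the browser shows it as text rather than markup.
const HTML_ESCAPES = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
};

function escapeHtml(text) {
    return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders the banner markup for the configuration view. A missing or removed
// value (undefined, null, empty string) yields an empty string instead of the
// literal text "undefined" that a naive template interpolation produces.
function renderConsentText(consentText) {
    if (consentText === undefined || consentText === null || consentText === '') {
        return '';
    }
    return `<div class="consent-text">${escapeHtml(consentText)}</div>`;
}

// Reverse mapping for text that already passed through a template engine's
// HTML escaping (e.g. handlebars' default), so it can be shown in a text field
// or escaped exactly once for the DOM instead of ending up as "&amp;quot;".
function unescapeHtml(html) {
    const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
    return String(html).replace(/&(#x([0-9a-f]+)|#(\d+)|(\w+));/gi, (m, _, hex, dec, name) => {
        if (hex) return String.fromCodePoint(parseInt(hex, 16));
        if (dec) return String.fromCodePoint(parseInt(dec, 10));
        const key = name.toLowerCase();
        // Unknown named entities are left untouched rather than guessed.
        return key in named ? named[key] : m;
    });
}
```

Escaping twice (once by the template engine, once on the client) is what turns a plain `"` into `&amp;quot;` on screen; decode first, then escape exactly once at the point where the text is inserted into the page.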
