Bug 330670 - Admin console: HTML output escaping in post-upload error message
Status: CLOSED FIXED
Alias: None
Product: Virgo
Classification: RT
Component: unknown
Version: 2.1.0.RELEASE
Hardware: PC Windows XP
Importance: P3 minor
Target Milestone: 3.0.0.M01
Assignee: Chris Frost
Reported: 2010-11-19 10:35 EST by Barend Garvelink
Modified: 2011-02-01 10:58 EST
Description Barend Garvelink 2010-11-19 10:35:40 EST
Actions taken:
- I deployed a bundle via the manual upload feature on the admin console.
- Deployment failed on a Spring XML configuration exception.
- The admin console writes the entire error message into an <h1> element on the "Artifacts" screen.

Problem:
My error message contains the XML element name where Spring failed to load my config. This element name is written into the HTML document for the admin GUI screen unescaped.

The web browser ignores it as an unknown HTML element. The error message is now missing a crucial piece of information (this information does show up in the console log and the page source, so it's not completely lost).

Additional observations:
- This is an XSS vulnerability. (Although it could be argued that you have bigger problems than just XSS by the time someone with bad intent makes it to the artifact upload screen.)

- My error message was 584 characters long. This doesn't really fit an H1 element. 

Desired result:
The error message text is written into the admin GUI HTML with output escaping of HTML special characters enabled, so the element name shows up on screen.

A generic caption in the <h1> element with the actual message in paragraph font would be a better fit for long error messages.
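As an added illustration, not Virgo's code and not written by the reporter or the assignee: a hypothetical stand-in for the view that renders the upload result. It contrasts the behaviour described above (raw message inside an <h1>, so anything shaped like a tag disappears from the rendered page) with the desired result (generic heading, escaped message in a paragraph). The class name ArtifactUploadView, the SAMPLE_ERROR text, and the visibleText() approximation of what a browser displays are all constructed for this example.

```java
import java.util.regex.Pattern;

/** Hypothetical stand-in for the admin console's "Artifacts" result view; not Virgo code. */
public final class ArtifactUploadView {

    // Constructed sample: a Spring XML failure whose message quotes the offending element.
    static final String SAMPLE_ERROR =
        "Deployment failed: Configuration problem: Cannot locate BeanDefinitionParser "
        + "for element <myns:widget>";

    private static final Pattern TAG = Pattern.compile("<[^>]*>");

    /** Escape the five HTML-significant characters so the text is displayed, not parsed. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The behaviour reported in the bug: the raw message is concatenated into an h1. */
    static String renderUnescaped(String message) {
        return "<h1>" + message + "</h1>";
    }

    /** The desired result: generic caption, escaped message in paragraph text. */
    static String renderEscaped(String message) {
        return "<h1>Artifact upload failed</h1>\n"
             + "<p class=\"error\">" + escapeHtml(message) + "</p>";
    }

    /**
     * Crude approximation of the text a browser shows: drop everything it parses as a
     * tag, then decode the entities escapeHtml() emits (ampersand last to avoid
     * double-decoding). Good enough to show why the element name vanishes.
     */
    static String visibleText(String html) {
        return TAG.matcher(html).replaceAll("")
                  .replace("&lt;", "<")
                  .replace("&gt;", ">")
                  .replace("&quot;", "\"")
                  .replace("&#39;", "'")
                  .replace("&amp;", "&");
    }

    public static void main(String[] args) {
        String raw = renderUnescaped(SAMPLE_ERROR);
        String fixed = renderEscaped(SAMPLE_ERROR);
        // With the raw rendering, "<myns:widget>" is consumed as an unknown element
        // and never reaches the reader; with escaping it is shown verbatim.
        System.out.println("Unescaped markup: " + raw);
        System.out.println("Browser shows   : " + visibleText(raw));
        System.out.println("Escaped markup  : " + fixed);
        System.out.println("Browser shows   : " + visibleText(fixed));
    }
}
```

Save as ArtifactUploadView.java, then `javac ArtifactUploadView.java && java ArtifactUploadView`. The same message with a script tag or an event-handler attribute in place of `<myns:widget>` is the XSS case the reporter mentions; the escaped rendering neutralises it the same way. In a JSP-based view the equivalent of escapeHtml() is JSTL's `<c:out value="${message}"/>`, which escapes by default, or Spring's `org.springframework.web.util.HtmlUtils.htmlEscape(String)`.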
Comment 1 Glyn Normington 2010-11-22 04:43:23 EST
Thanks for raising this!
Comment 2 Chris Frost 2010-11-24 13:04:59 EST
I have moved the result string to normal paragraph text just below the heading and any XML present in the message will be escaped and so should be readable. This will be available in the next 2.2.x milestone.
Comment 3 Glyn Normington 2010-11-24 13:39:18 EST
Next milestone is 2.2.0.M02. :-)