Opened 15 years ago

Closed 15 years ago

#428 closed defect (fixed)

HTML tags in annotation values are not escaped

Reported by: Nicklas Nordborg Owned by: Martin Svensson
Priority: major Milestone: BASE 2.2
Component: web Version: 2.1
Keywords: Cc:

Description

Keith Ching wrote:

it seems you can make a String annotation type and attach it to raw bioassay and fill it with

<a href="javascript:Main.downloadFile('34537569891fa9bf', 142)"> <img border=0 class="icon" title="Download the contents of this file" src="/base2/images/download.gif"></a>

which will produce a link to the specified raw file.

Wow, that's a bug, HTML tags should be escaped. Besides, it won't work anyway, since the first parameter to the downloadFile function is a session ID and is different for every time you login.

Change History (4)

comment:1 Changed 15 years ago by Nicklas Nordborg

I seems that both the view page and list pages is affected by this. The view page is shared among all items (/www/common/annotations/list_annotations.jsp), but the list pages are not. The "Inherit annotations" page is also affected. Maybe there are even more places that are affected. For example:

  • The "View experiment" page lists annotations used as experimental factors
  • Experiment explorer can display annotations
  • The plot tool can use annotations
  • more?

comment:2 Changed 15 years ago by Nicklas Nordborg

Milestone: BASE 2.1.1BASE 2.2

Moved to milestone 2.2 since it interfers with changes that has been made in 2.2.

comment:3 Changed 15 years ago by Martin Svensson

Status: newassigned

comment:4 Changed 15 years ago by Martin Svensson

Resolution: fixed
Status: assignedclosed

(In [2893]) Fixes #428 HTML tags in annotation values are not escaped.

Note: See TracTickets for help on using tickets.