From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B5F3C1FF389 for ; Wed, 5 Jun 2024 15:22:51 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 964FA353A3; Wed, 5 Jun 2024 15:23:22 +0200 (CEST) Message-ID: <9a5e685e-d935-414a-93c7-6b3b46bda866@proxmox.com> Date: Wed, 5 Jun 2024 15:22:48 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox Backup Server development discussion , Gabriel Goller References: <20240604125014.210321-1-g.goller@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: <20240604125014.210321-1-g.goller@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.021 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [docs.rs] Subject: Re: [pbs-devel] [PATCH widget-toolkit/proxmox-backup v2 0/5] fix #5463: add optional consent banner before login X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" did not look too closely at the code, but gave it a spin and found a few problems/ have suggestions: * handlebars by default does html escaping (https://docs.rs/handlebars/latest/handlebars/#escaping) so any of the reserved characters will be wrong (namely as html escape sequence such as '"') * that accidentally prevented code injection when directly editing the config file this is something we should do even if we assume that the text was set through the api just a simple search/replace of some specific characters such as "< etc. should be enough * there is still a code execution potential, namely on the rendering part of the config in configuration -> other (works e.g. by setting ) * it's not possible to delete the text again from the ui * if it's deleted (by api or by hand) 'undefined' is rendered * i really would like markdown support here too ;) _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel