Open bhadrim opened 3 years ago
Any update on this one. Thank you.
@himdel any update on this one? Thank you.
We can probably ignore this, we're running codemirror in `htmlmixed`, `xml`, `shell`, or `ruby` modes. It's never used to edit javascript.
Follow up for whoever ends up doing this...

- `= render :partial => "/layouts/my_code_mirror",...` - used in old forms, this depends only on the `codemirror` package, via `miqInitCodeMirror`, uses `window.CodeMirror` set by the global pack
- `"ui-codemirror" => {...` - used in angular, via the `angular-ui-codemirror` package; that package is archived, we're using the latest version, but it also doesn't specify a codemirror dependency, so in theory it should work as long as the api stays the same
- `CodeEditor` - our react component wrapping `CodeMirror` from `react-codemirror2`, has a 5.x `codemirror` peerDependency
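Because the three paths above can each pull in their own copy of `codemirror`, a dependency audit has to look at every copy in the lockfile tree, not just the top-level one. The helper below is an added example, not ManageIQ code: it walks an npm lockfile-style `dependencies` tree, collects every `codemirror` entry with the path it was reached through, and flags copies older than the remediation version given in this issue (5.58.2). The lockfile object is constructed sample data, and the version numbers of the non-`codemirror` packages are assumptions.

```javascript
// Added example (not ManageIQ project code): find every copy of "codemirror"
// in an npm lockfile tree and flag versions below the remediation version
// given in the issue (5.58.2 for CVE-2020-7760).
// The lockfile below is CONSTRUCTED sample data, not the project's real lockfile.

const PACKAGE = 'codemirror';
const FIXED_VERSION = '5.58.2'; // "Remediation: 5.58.2 or higher" from the issue

// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk a lockfile-v1 style "dependencies" tree and collect every occurrence
// of the target package together with the path it was reached through.
function findPackage(deps, name, path = [], found = []) {
  for (const [depName, info] of Object.entries(deps || {})) {
    const here = [...path, depName];
    if (depName === name) {
      found.push({ path: here.join(' > '), version: info.version });
    }
    findPackage(info.dependencies, name, here, found);
  }
  return found;
}

// Return only the copies whose version is below the fixed version.
function vulnerableCopies(lockfile, name = PACKAGE, fixed = FIXED_VERSION) {
  return findPackage(lockfile.dependencies, name)
    .filter(({ version }) => compareVersions(version, fixed) < 0);
}

// Constructed sample mirroring the three paths described in the thread:
// the top-level codemirror package used by the old forms, angular-ui-codemirror
// (which declares no codemirror dependency of its own), and react-codemirror2
// (which only has a codemirror peerDependency, so a nested copy is shown here
// purely as a hypothetical case).
const SAMPLE_LOCKFILE = {
  dependencies: {
    codemirror: { version: '5.47.0' },              // "Current Version" from the issue
    'angular-ui-codemirror': { version: '0.3.0' },  // hypothetical version
    'react-codemirror2': {
      version: '7.2.1',                             // hypothetical version
      dependencies: {
        codemirror: { version: '5.58.2' },          // hypothetical nested copy, already fixed
      },
    },
  },
};

// Report every copy that still needs updating.
const REPORT = vulnerableCopies(SAMPLE_LOCKFILE);
for (const hit of REPORT) {
  console.log(`${hit.path}: ${hit.version} < ${FIXED_VERSION}`);
}
```

On the sample tree only the top-level `codemirror` copy is reported; the nested copy under `react-codemirror2` already meets the threshold. Run the same walk over the real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) to see which of the three paths actually needs the bump.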
@himdel Can we ignore this issue, or do you plan on fixing it? If you believe this security issue will not affect ManageIQ then I can close this issue. Thank you.
Well, there is no security issue; if a user pastes malicious javascript on a `htmlmixed` form (that would be Edit description in old forms), their UI might hang, but that's it. The solution to that is not pasting malicious javascript into the editor. :)

I do think we should be keeping our dependencies up to date, so I would not necessarily close this; fixing this one might be a good start for the new UI team, but there's no urgency :).
Okay thank you.
This issue has been automatically marked as stale because it has not been updated for at least 3 months.
If you can still reproduce this issue on the current release or on master, please reply with all of the information you have about it in order to keep the issue open.
Thank you for all your contributions! More information about the ManageIQ triage process can be found in the triage process documentation.
Affected component: UI Classic
Current Version: 5.47.0
Remediation: 5.58.2 or higher
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-7760
CVE: CVE-2020-7760