Tab characters in the Vulnerability Name cause Vulnerability Findings area to become non-responsive

[gKelsoCsiro]

Description: The TAB character breaks the finding page when it's used as part of a Vulnerabilities name. This was found when copying a finding name from a MS Word template directly in.

POC: The following POST data when sent to http://localhost:9000/portal/updateVulnerability will cause the issue. vulnid=12&title=This is a Test asdf&_token=75779572-290f-4d62-a0cf-7011e4b59fe7

Screenshot: The screenshot above shows the "You appear offline" popup and prevents interaction with the web browser.

Current work arounds:

• Ensure you don't copy-paste a tab into the Vulnerability Name
• Delete the finding once it's ID is determined via a direct request.

Further details:

Commit hash: 137d9fa07262f18118fe3f7f8a726076c6a73e40 Branch name: main Date of checkout: 10/10/2024 - AEST (Australian Eastern Standard Time)

Other: Have tested using a container image hosted on *nix and Windows environments. Testing has confirmed issue in Ms Edge and Chromium.

[summitt]

Try the newest release 1.3.26 and let me know if the issue persists.

[gKelsoCsiro]

Hi there,

Many thanks for the prompt response.

I've updated to the latest release.
Behaviour is now the following: We can now create a Vulnerability with the TAB character in it's title; however

• Once the title is set, you're unable to modify it;
• It appears that the auto-post for the other fields in the vulnerability also stops working;
• Manually pushing a POST request to update the vulnerability is also ignored.; and
• On the bright side, I can now delete the vulnerabilities from the web interface, which means it's easier to fix when "manually importing" from word docs.

Again, many thanks for the assistance thus far.

[summitt]

I think we got it everywhere now :) ... @gKelsoCsiro see if 1.3.27 fixes this last issue.