Unexpected javascript injection in browser #18580
No plugins should be outputting anything during hooks that are only meant to modify the data they are provided, but if they do, it is the plugin author's responsibility to output only safe content.
In the future, if you believe you found a security issue, please follow the GLPI security policy. Using GitHub issues is not responsible disclosure.
This hook is meant to inject your HTML/JS code in the timeline; it is the expected behaviour.
This is what we are speaking about: we want to inject JavaScript in the timeline, but this hook is also called by the notification process.
The documentation needs to be clarified. The hook receives a reference of the array of timeline items and expects plugins to add/remove/change the items in the array. It does not expect you to directly output anything. It is a data hook, not a display hook. If you want to display something in the timeline, use the If you just want to include a JS script on that specific page, check the requested URL in your plugin's init function and use the
Even the name of the hook is not good: it should not be show_something, because all the hooks that start with show_ mean that JS/HTML can be output.
Moreover, the hook show_in_timeline is called for other tabs than the processing tab.
Version
10.0.17
Bug description
Hello,
The issue concerns the hook "show_in_timeline".
This hook can be used to inject JavaScript or HTML to modify data in a timeline form for an ITIL object.
But the hook is also used in the NotificationTargetCommonITILObject::getDataForObject method, via a call to the CommonITILObject::getTimelineItems method, when adding or updating an ITIL object.
It means that during the notification process, we are going to inject some JavaScript or HTML code into the PHP output buffer (and this code will reach the browser).
We must not inject anything into the browser during the notification process.
Thank you,
regards
Aeto-J
Steps To reproduce
In your plugin, add the "show_in_timeline" hook for the Ticket object to inject JavaScript with jQuery.
Create a notification on Ticket creation with a template.
Create a Ticket.
An error appears in the debug console (Uncaught ReferenceError: $ is not defined).
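The two plugin patterns discussed in this thread side by side, as an added example that is not GLPI's code nor the issue author's: the echo-based hook that reaches the notification path, and the data-hook form that only edits the array it is handed. It assumes the callback receives the parameter array GLPI passes to Plugin::doHook(), with 'item' set to the ITIL object and 'timeline' being the items array passed by reference; the plugin name "myplugin" and the keys of a timeline item are assumptions.

```php
<?php
// Added example, not code from GLPI or from the issue author. Assumptions:
// the callback receives the parameter array GLPI passes to Plugin::doHook(),
// with 'item' = the ITIL object and 'timeline' = the items array passed by
// reference; the keys of a timeline item ('type', 'item' => [...]) are assumed.

// setup.php: register the data hook under the name used in this issue.
// $PLUGIN_HOOKS['show_in_timeline']['myplugin'] = 'plugin_myplugin_show_in_timeline';

// The pattern this issue reports: writing to the output buffer from a data
// hook. getTimelineItems() also runs while a notification is being built, so
// the <script> lands in whichever response triggered the notification, where
// jQuery may not be loaded ("$ is not defined") and where any untrusted string
// placed in the markup would reach the browser unescaped.
function plugin_myplugin_show_in_timeline_broken(array $params): void
{
    echo '<script>$(".timeline-item").addClass("myplugin");</script>';
}

// Data-hook form: change the array the hook hands over and output nothing.
// Because 'timeline' is a reference inside $params, appending to it here
// is visible to the caller (assumed, based on how the hook is described).
function plugin_myplugin_show_in_timeline(array $params): void
{
    if (!isset($params['item'], $params['timeline']) || !is_array($params['timeline'])) {
        return;
    }
    $item = $params['item'];
    if (!($item instanceof Ticket)) {   // the issue reproduces with tickets
        return;
    }
    // The content is escaped here because GLPI's own rendering, not this
    // hook, will later display it.
    $params['timeline'][] = [
        'type' => 'PluginMypluginNote',            // assumed key
        'item' => [                                 // assumed structure
            'id'      => 0,
            'date'    => date('Y-m-d H:i:s'),
            'content' => htmlspecialchars(
                'Ticket #' . $item->getID() . ' processed by myplugin',
                ENT_QUOTES
            ),
        ],
    ];
}
```

With the second form, the notification code path receives an extra timeline item and nothing is written to the output buffer, so no markup or script reaches the browser during ticket creation.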