[ZBX-4253] Make usual link instead of use javascript to open "Configuration of triggers" from tr_status.php Created: 2011 Oct 18  Updated: 2017 May 30  Resolved: 2012 Apr 04

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 1.8.8
Fix Version/s: 1.8.12rc1, 2.0.0rc1

Type: Incident report Priority: Minor
Reporter: Oleksii Zagorskyi Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: usability
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate

Description

On the page tr_status.php, if we click on the trigger name, we can select some actions in the pop-up.

There is some difference in the link types.

For "Events" the link is like this:
https://zabbix/events.php?triggerid=30467&nav_time=1318925026&sid=32e13e4cacf17b64

For "Simple graph" it's:
https://zabbix/history.php?action=showgraph&itemid=61516&sid=32e13e4cacf17b64

But for "Configuration of triggers" it's:
javascript:redirect('triggers.php?form=update&triggerid=20896&switch_node=0').

Because of that we cannot open "Configuration of triggers" in a new browser tab as we can for "Events" or "Simple graph".
It's not convenient.
That was the "usability" side.

But we can consider this behavior as an "inconsistency" too. Why are different types of links used in a single pop-up?

It would be nice to improve this situation.



Comments
Comment by Oleksii Zagorskyi [ 2011 Oct 20 ]

(1) Additionally noted that the "URL" link has the same trouble.

Comment by Oleksii Zagorskyi [ 2012 Jan 03 ]

See similar issue ZBXNEXT-1067 (item #1). Should be considered together.

Comment by Eduards Samersovs (Inactive) [ 2012 Feb 24 ]

(2) We don't encode data which we write to the database.

Comment by Alexander Vladishev [ 2012 Feb 27 ]

Related issue: ZBX-4442

Comment by Toms (Inactive) [ 2012 Feb 29 ]

Fixed in pre-1.9.10 r25697

Comment by Alexander Vladishev [ 2012 Feb 29 ]

(3) Now the trigger popup menu doesn't work with a URL like:
"</options><script>alert('XSS')</script>
Related issue: ZBX-4015

<Toms> RESOLVED in pre-1.9.9 r25704

<zalex> I see wrong version in this comment (actual version should be pre-1.9.10)

<Toms> My fault. Now I know about versioning.
<zalex> Then the comment could be edited (fixed).
BTW, do not forget to fill in the "Fix version" value properly before closing. Both versions should be included: 1.8.x and 1.9.x.

Comment by Alexander Vladishev [ 2012 Feb 29 ]

Please fix it in 1.8 too, at Oleksiy Zagorsky's request.

<Toms> RESOLVED in development branch svn://svn.zabbix.com/branches/dev/ZBX-4253 r25710

Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 01 ]

(4) We have some major trouble with the URLs both in the trunk and in 1.8. E.g. if the trigger URL is "http://ya.ru?q=1&d=2", it is actually displayed as "http://ya.ru/?q=1&d=2?q=1&d=2". Note the encoded ampersand and the repeating parameters.

<Toms> RESOLVED 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-4253 and 1.9 in svn://svn.zabbix.com/branches/dev/ZBX-4253-20

<pavels> This is not exactly what I meant. The URL doesn't need to be sanitized when outputting; it needs to be validated when a user tries to save it. For now, let's just check that the URL doesn't begin with "javascript:"; we can improve it later. BTW, here are some border cases; please check them as well: http://ha.ckers.org/xss.html

<Toms> RESOLVED in 1.9 r.25826

<pavels> Validation should be performed in CTrigger::checkInput(), otherwise we'll be able to add a trigger with an incorrect URL through an API call.

<Toms> RESOLVED in r.25966

<pavels> Please review my changes in 25972-25975. And for 1.8, please don't forget to make sure the hacks mentioned above don't work in older browsers.

Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 01 ]

(5) I think we can fix the "Latest data" link in the host menu too.

<Toms> RESOLVED for 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-4253. Not reproducible in 1.9.

<pavels> CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 12 ]

Please review my changes for 1.9 in (4), if everything is ok, you can merge the changes to the trunk.

Comment by Toms (Inactive) [ 2012 Mar 21 ]

Fixed for 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-4253 r26251

Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 21 ]

(6) Same as (4) "Validation should be performed in CTrigger::checkInput(), otherwise we'll be able to add a trigger with an incorrect URL through an API call."

<Toms> I don't think there is CTrigger::checkInput() in the 1.8 version.

<pavels> Right, my mistake. It has to be done in update_trigger() and add_trigger().

<Toms> RESOLVED in r26331

<pavels> CLOSED.

Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 21 ]

(7) You can allow quotes in the URL if you escape the URL with CJs::jsonEncode() in tr_status.php.

<Toms> I don't think there is CJs::jsonEncode() in the 1.8 version.

<pavels> You can use zbx_jsvalue() instead.

<Toms> RESOLVED in r26331

<pavels> CLOSED.
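The two defences the thread settles on, validating the trigger URL when it is saved (comments 4 and 6) and JSON-encoding it when the popup menu script is written (comments 3 and 7), as an added example. This is not Zabbix code: validateTriggerUrl() and popupMenuEntryJs() are hypothetical names, PHP 7.1+ syntax is assumed, and the scheme allow-list goes one step beyond the "doesn't begin with javascript:" check the comment asks for.

```php
<?php
// Added example, not Zabbix code. Validate on save, encode on output.
// Function names are hypothetical; PHP 7.1+ syntax is assumed.

/** Returns null when the URL may be saved, otherwise an error message. */
function validateTriggerUrl(string $url): ?string {
    if ($url === '') {
        return null; // empty URL: the menu simply shows no "URL" entry
    }
    // Browsers ignore leading whitespace and embedded control characters when
    // reading the scheme, so " java\tscript:" still executes. Normalise the
    // same way before looking at the scheme and compare case-insensitively.
    $normalized = preg_replace('/[\x00-\x20]/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m)) {
        return null; // no scheme, i.e. a relative URL such as "/hosts.php"
    }
    $scheme = strtolower($m[1]);
    if ($scheme === 'javascript') {
        return 'URL must not begin with "javascript:"'; // the check from (4)
    }
    // Beyond the ticket: an allow-list also rejects vbscript: and data: URLs,
    // which older browsers execute as well.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return 'URL scheme "' . $scheme . ':" is not allowed';
    }
    return null;
}

/**
 * JS object literal for one popup menu item (the zbx_jsvalue()/jsonEncode()
 * step from (7)). The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX, so
 * a stored "</script>" or a quote cannot break out of the inline script.
 */
function popupMenuEntryJs(string $label, string $url): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode(['label' => $label, 'url' => $url], $flags);
}

// Constructed sample inputs, including the payload quoted in comment (3).
// The last one carries no scheme, so validation lets it through and only
// the output encoding makes it harmless: both layers are needed.
foreach ([
    'http://ya.ru?q=1&d=2',
    "javascript:alert('XSS')",
    " JaVaScRiPt:alert(1)",
    "</options><script>alert('XSS')</script>",
] as $candidate) {
    $error = validateTriggerUrl($candidate);
    echo ($error ?? 'OK') . "\t" . popupMenuEntryJs('URL', $candidate) . "\n";
}
```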

Comment by Toms (Inactive) [ 2012 Mar 23 ]

Fixed in 1.8.12rc1 r26350

Comment by Oleksii Zagorskyi [ 2012 Mar 23 ]

Fix Version/s doesn't contain a version for the trunk branch.
REOPENED
fixed, CLOSED

Comment by richlv [ 2012 Apr 04 ]

(8) Missing entry in the corresponding section of the trunk changelog.

<Toms> RESOLVED

<Toms> CLOSED

Generated at Fri Apr 26 09:21:35 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.