[ZBX-4253] Make usual link instead of use javascript to open "Configuration of triggers" from tr_status.php Created: 2011 Oct 18 Updated: 2017 May 30 Resolved: 2012 Apr 04 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Frontend (F) |
Affects Version/s: | 1.8.8 |
Fix Version/s: | 1.8.12rc1, 2.0.0rc1 |
Type: | Incident report | Priority: | Minor |
Reporter: | Oleksii Zagorskyi | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Labels: | usability |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Issue Links: |
|
Description |
On the page tr_status.php, if we click on the trigger name, we can select some actions in the pop-up. There is some difference in the link types. To the "Events" the link is like this: To the "Simple graph" it's: But to the "Configuration of triggers" it's: Because of that we cannot open "Configuration of triggers" in a new browser tab as for "Events" or "Simple graph". But we can consider this behavior as some "inconsistency" too. Why are different types of links used in a single pop-up? It would be nice to improve this situation. |
Comments |
Comment by Oleksii Zagorskyi [ 2011 Oct 20 ] |
(1) Additionally noted that "URL" link has the same trouble. |
Comment by Oleksii Zagorskyi [ 2012 Jan 03 ] |
See similar issue |
Comment by Eduards Samersovs (Inactive) [ 2012 Feb 24 ] |
(2) We don't encode data which we write in database. |
Comment by Alexander Vladishev [ 2012 Feb 27 ] |
Related issue: |
Comment by Toms (Inactive) [ 2012 Feb 29 ] |
Fixed in pre-1.9.10 r25697 |
Comment by Alexander Vladishev [ 2012 Feb 29 ] |
(3) now trigger popup menu doesn't work with URL like:
<Toms> RESOLVED in pre-1.9.9 r25704
<zalex> I see wrong version in this comment (actual version should be pre-1.9.10)
<Toms> My fault. Now I know about versioning. |
Comment by Alexander Vladishev [ 2012 Feb 29 ] |
Please fix it in 1.8 too. By Oleksiy Zagorsky request.
<Toms> RESOLVED in development branch svn://svn.zabbix.com/branches/dev/ZBX-4253 r25710 |
Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 01 ] |
(4) We have some major trouble with the URLs both in the trunk and 1.8. E.g. if the trigger URL is "http://ya.ru?q=1&d=2" it is actually displayed as "http://ya.ru/?q=1&d=2?q=1&d=2". Note the encoded ampersand and the repeating parameters.
<Toms> RESOLVED 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-4253 and 1.9 in svn://svn.zabbix.com/branches/dev/ZBX-4253-20
<pavels> This is not exactly what I meant. The URL doesn't need to be sanitized when outputting, it needs to be validated when a user tries to save it. For now, let's just check that the URL doesn't begin with "javascript:", we can improve it later. BTW, here are some border cases, please check them as well http://ha.ckers.org/xss.html
<Toms> RESOLVED in 1.9 r.25826
<pavels> Validation should be performed in CTrigger::checkInput(), otherwise we'll be able to add a trigger with an incorrect URL through an API call.
<Toms> RESOLVED in r.25966
<pavels> Please review my changes in 25972-25975. And for 1.8 please don't forget to make sure the hacks mentioned above don't work in older browsers. |
Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 01 ] |
(5) I think we can fix the "Latest data" link in the host menu too.
<Toms> RESOLVED for 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-4253. Not reproducible in 1.9.
<pavels> CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 12 ] |
Please review my changes for 1.9 in (4), if everything is ok, you can merge the changes to the trunk. |
Comment by Toms (Inactive) [ 2012 Mar 21 ] |
Fixed for 1.8 in svn://svn.zabbix.com/branches/dev/ZBX-4253 r26251 |
Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 21 ] |
(6) Same as (4) "Validation should be performed in CTrigger::checkInput(), otherwise we'll be able to add a trigger with an incorrect URL through an API call."
<Toms> I don't think there is CTrigger::checkInput() in 1.8 version
<pavels> Right, my mistake. It has to be done in update_trigger() and add_trigger().
<Toms> RESOLVED in r26331
<pavels> CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2012 Mar 21 ] |
(7) You can allow quotes in the URL if you escape the URL with CJs::jsonEncode() in tr_status.php.
<Toms> I don't think there is CJs::jsonEncode() in 1.8 version
<pavels> You can use zbx_jsvalue() instead.
<Toms> RESOLVED in r26331
<pavels> CLOSED. |
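The points raised in comments (4), (6) and (7), as an added PHP example that is not Zabbix code: validate the trigger URL when it is saved, in one function shared by the form and the API, and JSON-encode it when writing it into the pop-up menu script. The function names and the `url` array key are hypothetical, `json_encode()` stands in for `CJs::jsonEncode()` / `zbx_jsvalue()`, and the http/https allow-list goes beyond the "doesn't begin with javascript:" check agreed in the thread.

```php
<?php
// Added example: hypothetical helper names, not Zabbix frontend code.

// Save-time check: empty (field assumed optional) or an absolute http(s) URL.
function isAllowedTriggerUrl(string $url): bool
{
    if ($url === '') {
        return true;
    }
    // Browsers drop tab/CR/LF and leading control characters when parsing a
    // URL, so a prefix test on the raw string is not enough. Reject them
    // (assumption: spaces must arrive percent-encoded).
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // Scheme match is case-insensitive and a host must follow "//".
    return preg_match('~^https?://[^/?#]+~i', $url) === 1;
}

// One choke point for the web form and the API, so an API call cannot
// store a URL that the form would have refused.
function validateTriggerInput(array $trigger): array
{
    $url = $trigger['url'] ?? '';
    if (!is_string($url) || !isAllowedTriggerUrl($url)) {
        throw new InvalidArgumentException('Incorrect trigger URL.');
    }
    return $trigger;
}

// Output-time encoding for an inline script: quotes stay legal in the URL
// because <, >, &, ' and " are written as \uXXXX escapes.
function jsValue(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// Constructed sample inputs.
$samples = ['http://ya.ru?q=1&d=2', "https://example.com/?q='x'", 'tr_status.php',
    'javascript:void(0)', 'JaVaScRiPt:void(0)', "java\tscript:void(0)"];
foreach ($samples as $s) {
    try { validateTriggerInput(['url' => $s]); $result = 'accepted'; }
    catch (InvalidArgumentException $e) { $result = 'rejected'; }
    printf("%-45s %s\n", jsValue($s), $result);
}
```

Only the first two samples are accepted; the relative path and every `javascript:` variant are rejected before anything reaches the database.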
Comment by Toms (Inactive) [ 2012 Mar 23 ] |
Fixed in 1.8.12rc1 r26350 |
Comment by Oleksii Zagorskyi [ 2012 Mar 23 ] |
Fix Version/s: doesn't contain version for trunk branch. |
Comment by richlv [ 2012 Apr 04 ] |
(8) missing entry in the corresponding section of the trunk changelog
<Toms> RESOLVED
<Toms> CLOSED |