Bug #32186 HTML code in queries is not escaped when reporting replication errors
Submitted: 8 Nov 2007 14:18
Modified: 8 Aug 2008 15:21
Reporter: James Cohen
Status: Closed
Impact on me: None
Category: MySQL Enterprise Monitor: Web
Severity: S3 (Non-critical)
Version: 2.0
OS: Any
Assigned to: Mark Matthews
CPU Architecture: Any
Tags: HTML, monitor, replication

[8 Nov 2007 14:18] James Cohen
Description:
Users can view the slave status of a server from within the "replication" tabbed area of the mysql monitor.

When a replication error generates an SQL error the troublesome SQL is included in the slave status.

If this query includes HTML tags they are rendered into the page instead of being escaped.

It's possible that some HTML tags within the page could affect the way that the page is rendered.

There are also potential security risks as someone might be able to include javascript that would be executed by the user's browser.

How to repeat:
(SQL is untested)

Set up replication between two databases. db1 is the master, db2 is the slave.

db1:
CREATE TABLE test ( test1 INT , html VARCHAR(100) );

db2:
DROP TABLE test;

db1:
INSERT INTO test VALUES (1, 'This is <b>bold</b> html');

This will cause a replication error on db2 because the table test doesn't exist.

The replication error will include the INSERT query. If you view this from within the replication section of the monitor you'll see "bold" appear rendered in bold instead of seeing <b>bold</b>.

Suggested fix:
Escape any HTML entities (< > " etc.) when rendering the HTML.
[28 Nov 2007 1:39] Joshua Ganderson
We can't generically escape all returned strings since some of our messages require markup in them. The primary example of this is all of our wiki text. However, some of the messages in our resource bundles also include spans where necessary.

Instead, I'll audit for places that strings are inserted that we don't manage.
[28 Nov 2007 17:37] Joshua Ganderson
patch sent
[28 Nov 2007 23:54] Joshua Ganderson
R8379

Please reopen for 2.0 after testing

Test
1. Set up replication between two databases with A being master and B being slave
2. A > CREATE TABLE test (test1 INT, html VARCHAR(100));
3. B > DROP TABLE test;
4. A > INSERT INTO test VALUES (1, 'this is <b>bold</b> html');
5. Check for the error on B; the message should be 'this is bold html' where the "bold" part IS NOT bold.
[29 Nov 2007 21:21] Bill Weber
- verified fixed in 1.3.0.8384
- re-opened since this needs to also now be fixed in the next major release, version 2.0
[2 Feb 2008 2:25] Joshua Ganderson
r5920 - fixed in 2.0. Updated the regular expressions used for the string transformation helper methods to account for pre-escaped elements.
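The escaping the "Suggested fix" asks for, together with the "pre-escaped elements" concern from the r5920 comment above, as an added Python example that is not the monitor's own code. It assumes a constructed Last_Error string from the repro steps and its own entity-matching regex; a naive escaper is shown beside an idempotent one so the double-escaping problem is visible.

```python
import re

# Constructed sample of what a slave's Last_Error can contain after the repro
# steps above (not captured from a real monitor; an assumption for this example).
SAMPLE_LAST_ERROR = (
    "Error 'Table 'test.test' doesn't exist' on query. Default database: 'test'. "
    "Query: 'INSERT INTO test VALUES (1, 'This is <b>bold</b> html')'"
)

# Already-escaped entities: named (&amp;), decimal (&#39;) or hex (&#x27;).
# Assumption: anything matching this is treated as pre-escaped and copied
# through; this is an illustration of the trade-off, not the monitor's regex.
_ENTITY = re.compile(r"&(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#[xX][0-9A-Fa-f]+);")

_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def naive_escape(text: str) -> str:
    """Escape every special character, including '&' inside existing entities.
    Applied twice it yields '&amp;lt;', so the browser shows a literal '&lt;'."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def escape_html(text: str) -> str:
    """Escape untrusted text for an HTML body, keeping pre-escaped entities.
    Unlike naive_escape this is idempotent, so helper methods can be stacked."""
    out, i = [], 0
    while i < len(text):
        m = _ENTITY.match(text, i)
        if m:  # entity already escaped: keep as-is
            out.append(m.group(0))
            i = m.end()
        else:
            out.append(_ESCAPES.get(text[i], text[i]))
            i += 1
    return "".join(out)


def render_slave_error(last_error: str) -> str:
    """Build the HTML fragment a replication tab would show for Last_Error.
    Only the escaped text goes inside the page's own (trusted) markup."""
    return '<pre class="slave-error">%s</pre>' % escape_html(last_error)


if __name__ == "__main__":
    print(render_slave_error(SAMPLE_LAST_ERROR))
```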
[5 Aug 2008 23:29] Bill Weber
verified this is also fixed in 2.0
[8 Aug 2008 15:21] Tony Bedford
An entry was added to the 1.3 and 2.0 changelogs:

HTML code in queries was not escaped when reporting replication errors, causing the code to be rendered into the page.