Revision f5576998

Added by Tomer Brisker over 8 years ago

Fixes #12611 - CVE-2015-7518 prevent XSS on host edit form

The host edit forms allowed stored XSS attacks by storing html content
in smart class parameter and smart variable description or inherited
values, which is then passed unescaped to an html-allowing popover.
This patch makes sure these user-controlled strings are correctly
escaped before being inserted into the popover.

(cherry picked from commit 32468bce938067b1bbde1c2025771b5b83ce88ec)
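
An added illustration of the bug class the commit message describes; it is not code from this commit or from the project. The helper names, the popover markup and the sample description are assumptions made for the example, which simulates the browser decoding the attribute value once before the popover renders it as HTML.

```ruby
require "erb"

# Hypothetical helpers illustrating the bug class; not the project's code.
ENTITIES = { "&lt;" => "<", "&gt;" => ">", "&quot;" => '"',
             "&#39;" => "'", "&amp;" => "&" }.freeze

# What the popover script receives: the browser decodes the attribute
# value exactly once, then the popover inserts the result as HTML.
def popover_html_seen_by_browser(tag)
  raw = tag[/data-content="([^"]*)"/, 1]
  raw.gsub(/&(?:lt|gt|quot|#39|amp);/, ENTITIES)
end

# Wraps assembled popover markup in the attribute. This escaping protects
# the attribute layer only; it is undone before the popover renders.
def popover_tag(body)
  %(<a rel="popover" data-html="true" ) +
    %(data-content="#{ERB::Util.html_escape(body)}">?</a>)
end

# Before: user-controlled strings are interpolated into the markup as-is.
def popover_unescaped(description, inherited_value)
  popover_tag("<b>Description:</b> #{description}<br>" \
              "<b>Inherited value:</b> #{inherited_value}")
end

# After: each user-controlled string is escaped for HTML content first,
# so it stays inert text once the attribute layer has been decoded.
def popover_escaped(description, inherited_value)
  popover_tag("<b>Description:</b> #{ERB::Util.html_escape(description)}<br>" \
              "<b>Inherited value:</b> #{ERB::Util.html_escape(inherited_value)}")
end

# Constructed sample input standing in for a stored description.
SAMPLE_DESCRIPTION = "<script>alert(1)</script>"
```
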