
Bug 1515355

Summary: Text Injection possible
Product: Red Hat CloudForms Management Engine Reporter: Satoe Imaishi <simaishi>
Component: UI - OPS Assignee: Martin Povolny <mpovolny>
Status: CLOSED WONTFIX QA Contact: Vatsal Parekh <vparekh>
Severity: low Docs Contact:
Priority: low    
Version: 5.8.0 CC: dajohnso, hkataria, jhardy, jkrocil, mpovolny, obarenbo, simaishi, vparekh
Target Milestone: GA Keywords: ZStream
Target Release: 5.8.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: ui:flash_msg
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1475303 Environment:
Last Closed: 2018-04-18 10:05:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Bug Depends On: 1475303    
Bug Blocks:    

Comment 2 CFME Bot 2017-11-20 16:38:23 UTC
New commit detected on ManageIQ/manageiq-ui-classic/fine:

commit da77dafa31e78d1d9f10b6f145d4f5167c850621
Author:     Milan Zázrivec <>
AuthorDate: Tue Oct 17 12:42:01 2017 +0200
Commit:     Satoe Imaishi <>
CommitDate: Mon Nov 20 11:36:40 2017 -0500

    Merge pull request #2412 from martinpovolny/redirect_flash_orchestration_stack
    OrchestrationStack template copy: use session, not URL to pass the fl…
    (cherry picked from commit 64451638e04dc909b5d31c4ff23c7710342bc3d5)

 app/controllers/orchestration_stack_controller.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

Comment 3 Vatsal Parekh 2017-12-15 10:05:45 UTC
Still seeing this at some places, like after ordering a Catalog.

Comment 5 Martin Povolny 2018-04-18 10:05:05 UTC
Here's the latest PR on this:

Changes are in too many places to put this into 5.8.x so closing this as won't fix.

This is going to be fixed in the next release (6.0), clone: