AppFuse: APF-880

messages.jsp - cross site scripting

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0-RC1
    • Fix Version/s: 2.0 Final
    • Labels: None
    • Environment: winxp, jetty, postgres, IE

      Description

      I use addError(...) to reflect messages to the user, including user input.

      If the user input is something like <script>alert('hi');</script>, the JS is executed.

      old:
      <c:out value="${msg}" escapeXml="false"/>

      I suggest:
      <c:out value="${msg}" escapeXml="true"/>

      The same goes for errors -> ${error}

        Activity

        Matt Raible added a comment -

        It's unfortunate to have to change this because we use HTML to make certain parts of messages more apparent:

        User information for <strong>{0}</strong> has been added successfully.

        Oh well, XSS is more important I suppose.
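        The three renderings discussed above, as an added example that is not AppFuse code: the old escapeXml="false" output, the reporter's escapeXml="true" fix, and a third option that answers Matt's concern by escaping only the user-supplied argument before MessageFormat substitutes it, so the template's own <strong> markup survives. The class name, the template string and the escapeHtml helper are assumptions made for this example.

```java
import java.text.MessageFormat;

/**
 * Added example, not AppFuse code. Contrasts the three renderings discussed
 * in APF-880 for a message that embeds user input. The class, the template
 * and the escapeHtml helper are assumptions made for this example.
 */
public class MessageEscapingExample {

    // Hypothetical message template in the style of the one quoted in the comment.
    static final String TEMPLATE =
            "User information for <strong>{0}</strong> has been added successfully.";

    /** Escapes the characters that let text break out of HTML content or a quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Equivalent of the old JSP: <c:out value="${msg}" escapeXml="false"/>. */
    static String renderUnescaped(String msg) {
        return msg;
    }

    /** Equivalent of the reporter's fix: <c:out value="${msg}" escapeXml="true"/>. */
    static String renderEscapedWhole(String msg) {
        return escapeHtml(msg);
    }

    /**
     * Alternative that keeps the template markup: escape each argument before
     * MessageFormat substitutes it. MessageFormat only parses the pattern, so the
     * escaped argument is inserted verbatim. Safe only while the template itself
     * comes from a trusted source such as a resource bundle, never from the user.
     */
    static String formatWithEscapedArg(String template, String userInput) {
        return MessageFormat.format(template, escapeHtml(userInput));
    }

    public static void main(String[] args) {
        // Constructed input: the payload from the issue description.
        String payload = "<script>alert('hi');</script>";
        String msg = MessageFormat.format(TEMPLATE, payload);

        String old = renderUnescaped(msg);
        String fixed = renderEscapedWhole(msg);
        String argEscaped = formatWithEscapedArg(TEMPLATE, payload);

        System.out.println("old (executes JS):        " + old);
        System.out.println("escapeXml=true (no bold): " + fixed);
        System.out.println("arg escaped (bold kept):  " + argEscaped);

        // Sanity checks: only the first rendering still carries the raw tag,
        // and only the third keeps the template's <strong>.
        if (!old.contains("<script>")) throw new AssertionError("old should be raw");
        if (fixed.contains("<script>") || fixed.contains("<strong>"))
            throw new AssertionError("whole-message escaping should neutralise both");
        if (argEscaped.contains("<script>") || !argEscaped.contains("<strong>"))
            throw new AssertionError("argument escaping should keep markup, drop script");
    }
}
```

        Compile with javac and run; the third line is the one that keeps the bold markup. Its cost is that every addError(...) caller must escape any argument taken from the request, which is easy to forget in one place. Escaping the whole message at the view, as the reporter suggests, is the fail-safe default because it does not depend on every caller getting it right.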

          People

          • Assignee: Matt Raible
          • Reporter: spotlight2001
          • Votes: 0
          • Watchers: 0
