[#APF-880] messages.jsp - cross site scripting - AppFuse JIRA

AppFuse

messages.jsp - cross site scripting

Created: 12/Sep/07 03:41 AM Updated: 17/Sep/08 09:51 PM Resolved: 13/Sep/07 05:35 PM

Component/s:

Web - JSF, Web - Spring, Web - Tapestry

Affects Version/s:

2.0-RC1

Fix Version/s:

2.0 Final

Environment:

winxp, jetty, postgres, IE

Description

« Hide

I use addError(...) to reflect messages to user - including user input

if user input is something like <script>alert('hi');</script> - JS is being executed.

old:
<c:out value="${msg}" escapeXml="false"/>

I suggest:
<c:out value="${msg}" escapeXml="true"/>

same goes with errors. -> ${error}

Sort Order:

Matt Raible made changes - 13/Sep/07 04:30 PM

Field	Original Value	New Value
Fix Version/s		2.0 Final [ 10113 ]
Affects Version/s		2.0-RC1 [ 10151 ]
Affects Version/s	2.0 Final [ 10113 ]

[ Permalink | « Hide ]

Matt Raible added a comment - 13/Sep/07 04:36 PM

It's unfortunate to have to change this because we use HTML to make certain parts of messages more apparent:

User information for <strong>{0}</strong> has been added successfully.

Oh well, XSS is more important I suppose.

2943 by Matt Raible (45 files)

13/Sep/07 05:06 PM (28 months, 11 days ago)

~~APF-880~~: Fixed XSS issue in success/error messages by removing HTML from i18n bundles and changing messages.jsp so it does escape XML.

appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_zh_CN.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_pt_BR.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-jsf/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_nl.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_zh.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_zh_TW.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_es.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_pt.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_es.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_fr.properties 2943 (+6 -6) diffs
appfuse: trunk/web/jsf/src/main/webapp/common/messages.jsp 2943 (+23 -0) diffs
appfuse: trunk/archetypes/appfuse-basic-jsf/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_it.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-jsf/src/main/resources/archetype-resources/src/main/resources/ApplicationResources.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_it.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_pt_BR.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_ko.properties 2943 (+7 -7) diffs
appfuse: trunk/archetypes/appfuse-basic-jsf/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_de.properties 2943 (+7 -7) diffs
appfuse: trunk/archetypes/appfuse-basic-jsf/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_zh_CN.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_de.properties 2943 (+7 -7) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_pt.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_it.properties 2943 (+6 -6) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_de.properties 2943 (+7 -7) diffs
appfuse: trunk/archetypes/appfuse-basic-jsf/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_pt_BR.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-jsf/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_es.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_zh_TW.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_ko.properties 2943 (+7 -7) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_nl.properties 2943 (+6 -6) diffs
appfuse: trunk/archetypes/appfuse-basic-struts/src/main/resources/archetype-resources/src/main/resources/ApplicationResources_tr.properties 2943 (+7 -7) diffs
appfuse: trunk/web/tapestry/src/main/webapp/common/messages.jsp 2943 (+23 -0) diffs
appfuse: trunk/web/common/src/main/resources/ApplicationResources_tr.properties 2943 (+7 -7) diffs
...15 more files in changeset

Matt Raible made changes - 13/Sep/07 05:35 PM

Status	Open [ 1 ]	Resolved [ 5 ]
Resolution		Fixed [ 1 ]

2944 by Matt Raible (4 files)

13/Sep/07 06:04 PM (28 months, 11 days ago)

~~APF-880~~: Fixed XSS issue in success/error messages by removing HTML from i18n bundles and changing messages.jsp so it does escape XML.

appfuse: trunk/web/spring/src/test/resources/web-tests.xml 2944

(+2 -2) diffs

appfuse: trunk/web/jsf/src/test/resources/web-tests.xml 2944

(+2 -2) diffs

appfuse: trunk/web/struts/src/test/resources/web-tests.xml 2944

(+2 -2) diffs

appfuse: trunk/web/tapestry/src/test/resources/web-tests.xml 2944

(+2 -2) diffs

Matt Raible made changes - 06/Aug/08 09:23 AM

Comment

Matt Raible made changes - 17/Sep/08 09:51 PM

Comment