AppFuse

messages.jsp - cross site scripting

Details

  • Type: Improvement
  • Status: Resolved
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 2.0-RC1
  • Fix Version/s: 2.0 Final
  • Labels: None
  • Environment: winxp, jetty, postgres, IE

Description

I use addError(...) to reflect messages back to the user, including user input.

If the user input is something like <script>alert('hi');</script>, the JS gets executed.

old:
<c:out value="${msg}" escapeXml="false"/>

I suggest:
<c:out value="${msg}" escapeXml="true"/>

The same goes for errors: ${error}

Activity

Matt Raible added a comment - 13/Sep/07 4:36 PM
It's unfortunate to have to change this because we use HTML to make certain parts of messages more apparent:

User information for <strong>{0}</strong> has been added successfully.

Oh well, XSS is more important I suppose.
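An added example in plain Java (not AppFuse code) showing what the two escapeXml settings in the description do to the reporter's input, and one way to keep the trusted <strong> markup from the comment above while still neutralising the user-supplied argument: escape the argument before MessageFormat substitutes it into the bundle template. escapeXml here re-implements the replacement set JSTL's <c:out escapeXml="true"> applies; formatMessage is a hypothetical helper, not AppFuse's addError.

```java
import java.text.MessageFormat;

public class MessageEscaping {

    // Same five characters that JSTL's <c:out escapeXml="true"> replaces.
    public static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical helper: the template is trusted (it comes from the resource
    // bundle, so its <strong> tags may stay), the arguments are untrusted and
    // are escaped before substitution. The result can then be emitted with
    // escapeXml="false" without letting argument-supplied markup through.
    public static String formatMessage(String template, Object... args) {
        Object[] safe = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            safe[i] = escapeXml(String.valueOf(args[i]));
        }
        return new MessageFormat(template).format(safe);
    }

    public static void main(String[] argv) {
        // Constructed sample: the input from the issue description.
        String input = "<script>alert('hi');</script>";

        // escapeXml="false": the markup reaches the browser unchanged.
        System.out.println(input);

        // escapeXml="true": the browser renders it as literal text.
        System.out.println(escapeXml(input));

        // Trusted template plus escaped argument: <strong> survives, the
        // script tags do not.
        System.out.println(formatMessage(
            "User information for <strong>{0}</strong> has been added successfully.",
            input));
    }
}
```

The third line printed keeps the <strong> tags while the argument appears as &lt;script&gt;alert(&#039;hi&#039;);&lt;/script&gt;, which is the split between trusted template and untrusted data that the whole-message escapeXml="true" setting cannot express.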


Dates

  • Created: 12/Sep/07 3:41 AM
  • Updated: 17/Sep/08 9:51 PM
  • Resolved: 13/Sep/07 5:35 PM