messages.jsp - cross site scripting

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.0-RC1
Fix Version/s: 2.0 Final
Component/s: Web - JSF, Web - Spring, Web - Tapestry
Labels:
None
Environment:
winxp, jetty, postgres, IE

Description

I use addError(...) to reflect messages to user - including user input

if user input is something like <script>alert('hi');</script> - JS is being executed.

old:
<c:out value="$

{msg}" escapeXml="false"/>

I suggest:
<c:out value="${msg}

" escapeXml="true"/>

same goes with errors. -> $

{error}

Activity

Hide

Permalink

Matt Raible added a comment - 13/Sep/07 4:36 PM

It's unfortunate to have to change this because we use HTML to make certain parts of messages more apparent:

User information for <strong>

{0}

</strong> has been added successfully.

Oh well, XSS is more important I suppose.

Show

Matt Raible added a comment - 13/Sep/07 4:36 PM It's unfortunate to have to change this because we use HTML to make certain parts of messages more apparent: User information for <strong> {0} </strong> has been added successfully. Oh well, XSS is more important I suppose.

People

Assignee:

Matt Raible

Reporter:

spotlight2001

Vote (0)

Watch (0)

Dates

Created:

12/Sep/07 3:41 AM

Updated:

17/Sep/08 9:51 PM

Resolved:

13/Sep/07 5:35 PM