Severity: moderate
Description:
The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP
portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.
Mitigation:
If a project was generated from the affected Maven archetype using a command
like the following:
mvn archetype:generate \
-DarchetypeGroupId=org.apache.portals.pluto.archetype \
-DarchetypeArtifactId=mvcbean-jsp-portlet-archetype \
-DarchetypeVersion=3.1.0 \
-DgroupId=com.mycompany \
-DartifactId=com.mycompany.my.mvcbean.jsp.portlet
then developers must fix the generated greeting.jspx file by HTML-encoding the
values submitted to the "First Name" and "Last Name" fields before they are
rendered.
For example, change:
<span>${user.firstName} ${user.lastName}! </span>
To:
<span>${mvc.encoders.html(user.firstName)}
${mvc.encoders.html(user.lastName)}! </span>
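The following stand-alone Java class is an added illustration and is not code
from Pluto or from the archetype. It renders a constructed attacker-controlled
name through both forms of the template above so the difference is visible, and
it includes a simple text-based audit that flags EL expressions in a JSPX
fragment that are not wrapped in mvc.encoders.html(...). The htmlEncode method
is a minimal stand-in for what the Jakarta MVC encoder does in an HTML body
context; it is not the MVC runtime's implementation. The class name, the
sample inputs and the audit heuristic are all assumptions made for this
example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustration of the greeting.jspx fix (example code, not part of Pluto).
 * htmlEncode stands in for the MVC runtime's mvc.encoders.html EL function.
 */
public class GreetingEncodingDemo {

    /** Minimal HTML encoder for body/attribute text (illustrative only). */
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Output of the original template: values interpolated unmodified. */
    static String renderVulnerable(String first, String last) {
        return "<span>" + first + " " + last + "! </span>";
    }

    /** Output of the fixed template: each value encoded before insertion. */
    static String renderFixed(String first, String last) {
        return "<span>" + htmlEncode(first) + " " + htmlEncode(last) + "! </span>";
    }

    /** Matches EL expressions such as ${user.firstName}. */
    static final Pattern EL = Pattern.compile("\\$\\{([^}]*)\\}");

    /**
     * Audit heuristic (assumption for this example): list EL expressions in a
     * JSPX fragment whose body is not wrapped in mvc.encoders.html(...).
     */
    static List<String> unencodedExpressions(String jspx) {
        List<String> hits = new ArrayList<>();
        Matcher m = EL.matcher(jspx);
        while (m.find()) {
            String body = m.group(1).trim();
            if (!body.startsWith("mvc.encoders.html(")) {
                hits.add(body);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled input, as a form field would accept it.
        String first = "<script>alert(document.cookie)</script>";
        String last = "\"><img src=x onerror=alert(1)>";

        System.out.println("vulnerable: " + renderVulnerable(first, last));
        System.out.println("fixed:      " + renderFixed(first, last));

        // The two template variants quoted in the advisory.
        String before = "<span>${user.firstName} ${user.lastName}! </span>";
        String after  = "<span>${mvc.encoders.html(user.firstName)}\n"
                      + "${mvc.encoders.html(user.lastName)}! </span>";
        System.out.println("unencoded in original: " + unencodedExpressions(before));
        System.out.println("unencoded in fixed:    " + unencodedExpressions(after));
    }
}
```

The encoded rendering leaves the markup characters of the injected name as
entities, so the browser displays them as text instead of executing them. Note
that mvc.encoders.html is appropriate for values placed in an HTML body or
quoted attribute; a value emitted inside a script block or an event-handler
attribute needs the JavaScript encoder instead, and the audit above is a
text heuristic that only spots the unwrapped-expression pattern, not every
unsafe context.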
Moving forward, all such projects should be generated from version 3.1.1 of the
Maven archetype.