Severity:
Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 1.5.x, 6.x and 7.x
Description:
It is possible for JavaScript statements to break out of a ModalWindow's title: only quotes are escaped in the JavaScript settings object, allowing JavaScript to be injected into the markup.
This might pose a security threat if the written JavaScript contains user provided data.
This vulnerability is fixed in
- Apache Wicket 7.2.0
- Apache Wicket 6.22.0
- Apache Wicket 1.5.15
The title is now escaped by default; this can be disabled explicitly via modalWindow.setEscapeModelStrings(false).
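The following is an added example, not code from the advisory or from the Wicket project, showing how a ModalWindow whose title comes from user data should be wired up on a fixed version. The page class, component ids and the `userSuppliedTitle` model are assumptions; the ModalWindow, AjaxLink and Label APIs used are the standard Wicket ones.

```java
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.markup.html.AjaxLink;
import org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;

/**
 * Hypothetical page (not from the advisory) that opens a ModalWindow whose
 * title is taken from user-provided data, e.g. a document name.
 */
public class DocumentPage extends WebPage {

    public DocumentPage(IModel<String> userSuppliedTitle) {
        // Assumed component id "modal"; the title model carries untrusted data.
        final ModalWindow window = new ModalWindow("modal");
        window.setTitle(userSuppliedTitle);

        // On Wicket 1.5.15 / 6.22.0 / 7.2.0 and later the title is escaped by
        // default. Setting it explicitly documents the intent and survives a
        // later refactoring that might otherwise flip the flag.
        window.setEscapeModelStrings(true);

        // Only disable escaping for titles that are fully developer-controlled;
        // doing so for user data reintroduces the injection this advisory fixes:
        // window.setEscapeModelStrings(false);

        window.setContent(new Label(window.getContentId(), "Document details"));
        add(window);

        // Assumed link id "open"; opens the modal via Ajax.
        add(new AjaxLink<Void>("open") {
            @Override
            public void onClick(AjaxRequestTarget target) {
                window.show(target);
            }
        });
    }
}
```

When auditing an upgrade, search the code base for `setEscapeModelStrings(false)` on ModalWindow instances and confirm that each such title model is never populated from request parameters, database fields written by users, or other untrusted input.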
Credit:
This issue was reported by Tobias Gierke!
Apache Wicket Team