[ https://issues.apache.org/jira/browse/TAP5-2685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thiago Henrique De Paula Figueiredo closed TAP5-2685.
-----------------------------------------------------
    Resolution: Not A Bug

Hello, [~aylwyne]! I'm afraid this isn't a Tapestry issue. Both Tomcat and Jetty, in their own error 404 pages, don't have this vulnerability, so a customized 404 page is the actual culprit here.

> XSS reflection in AssetDispatcher 404 response
> ----------------------------------------------
>
>                 Key: TAP5-2685
>                 URL: https://issues.apache.org/jira/browse/TAP5-2685
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.7.2
>            Reporter: Joshua Hodge
>            Priority: Major
>
> If you try and go to an invalid asset URL and put a <script> tag in the URL,
> the AssetDispatcher sends a 404 error response with the raw path as the error
> message. This causes the script to be executed when the browser displays the
> 404 page.
>
> An example URI path would be:
>
> * /assets/e050db57533420555849da94aa7e042981598b81/publicke4p0<script>alert('Reflected-XSS')</script>r3974/combined.js
>
> The raw incoming path should be HTML escaped before sending it as the body of
> the error response.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
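The point of the resolution above is that the request path handed to sendError() only becomes an XSS sink when a custom error page echoes it into HTML without escaping; the container's stock 404 pages escape it. The following is an added illustration of that distinction, not code from Tapestry, Tomcat or Jetty: a minimal custom 404 renderer in its vulnerable and hardened forms. The servlet container really does expose the sendError() message to a custom error page as the request attribute "javax.servlet.error.message" (RequestDispatcher.ERROR_MESSAGE); the class name, the two render methods and the plain Map standing in for the request's attributes are assumptions made for the example, and the sample path is the one from the report.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative custom 404 page (hypothetical; not Tapestry, Tomcat or Jetty code).
 *
 * A servlet container passes the message given to response.sendError(404, message)
 * to a custom error page as the request attribute "javax.servlet.error.message".
 * Tapestry's AssetDispatcher passes the raw request path as that message, so a
 * custom page that writes the attribute into its HTML must escape it first.
 */
public final class Custom404Page {

    /** Minimal HTML escaper, sufficient for element text and double-quoted attributes. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable variant: the container's error message is concatenated into HTML as-is. */
    static String renderUnsafe(Map<String, Object> requestAttributes) {
        Object msg = requestAttributes.get("javax.servlet.error.message");
        return "<html><body><h1>404 Not Found</h1><p>" + msg + "</p></body></html>";
    }

    /** Hardened variant: the same page with the message HTML-escaped before insertion. */
    static String renderSafe(Map<String, Object> requestAttributes) {
        Object msg = requestAttributes.get("javax.servlet.error.message");
        String text = msg == null ? "" : escapeHtml(msg.toString());
        return "<html><body><h1>404 Not Found</h1><p>" + text + "</p></body></html>";
    }

    /** Self-check: does the rendered body still contain any raw tag from the input? */
    static boolean leaksRawMarkup(String body, String input) {
        return input.contains("<") && body.contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample: the path from the issue report, as the container would
        // hand it to the error page after AssetDispatcher called sendError(404, path).
        String path = "/assets/e050db57533420555849da94aa7e042981598b81/"
                + "publicke4p0<script>alert('Reflected-XSS')</script>r3974/combined.js";
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("javax.servlet.error.message", path);

        String unsafe = renderUnsafe(attrs);
        String safe = renderSafe(attrs);

        // The unsafe page keeps the tag as markup; the safe page renders it as visible text.
        System.out.println("unsafe page leaks markup: " + leaksRawMarkup(unsafe, path));
        System.out.println("safe page leaks markup:   " + leaksRawMarkup(safe, path));
        System.out.println(safe);
    }
}
```

In a real deployment the same check belongs in the error page template itself (JSP `<c:out>`, Tapestry's own expansions, or any templating engine that escapes by default); the escaper here is only spelled out so the difference between the two renderings is visible in one file. The attribute lookup also applies to "javax.servlet.error.request_uri", which some custom pages echo for the same reason and which needs the same treatment.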