[ https://issues.apache.org/jira/browse/TAP5-2811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thiago Henrique De Paula Figueiredo reassigned TAP5-2811:
---------------------------------------------------------

    Assignee: Thiago Henrique De Paula Figueiredo

> Possible XSS issue with Confirm mixin and certain user code
> -----------------------------------------------------------
>
>                 Key: TAP5-2811
>                 URL: https://issues.apache.org/jira/browse/TAP5-2811
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.9.0
>            Reporter: Thiago Henrique De Paula Figueiredo
>            Assignee: Thiago Henrique De Paula Figueiredo
>            Priority: Major
>
> This was brought to our attention by Yannick Dylla
> (https://github.com/ydylla), who we thank very much.
> The Confirm mixin JavaScript doesn't sanitize the input it gets from user
> code, so, given certain circumstances, it may allow an XSS injection. Here's
> the example provided by Yannick:
> When using it as follows in a tml template:
> <t:eventlink t:mixins="Confirm" t:Confirm.message="Delete
> ${name}?"><h1>Click me</h1></t:eventlink>
> and where the ${name} property is user controlled, it is possible to
> inject JavaScript code that is executed when the eventlink is clicked.
> For example with this name: "Evil Name<script>alert('Successful
> XSS!')</script>".
> The Confirm.message gets correctly escaped when Confirm.java [1] writes
> it as attribute in the html.
> But confirm-click.coffee [2] then uses a string template without any
> escaping, to append the modal html to the body tag.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
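The two-step failure the report describes, modelled as an added example that is not Tapestry's own code: server-side attribute escaping is undone when the browser hands the attribute value back to the script, so a client-side string template that interpolates it into markup needs its own escaping. `escapeHtml`, `decodeAttribute`, `buildModalUnsafe` and `buildModalSafe` are hypothetical stand-ins for what Confirm.java and confirm-click.coffee do, not their real function names.

```javascript
// Step 1 (Confirm.java's role): HTML-escape the message when writing the
// data attribute into the page. This is correct for the attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Step 2 (the browser's role): element.getAttribute() returns the *decoded*
// value, so by the time the script sees it the escaping from step 1 is gone.
function decodeAttribute(s) {
  return String(s)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Vulnerable pattern (what the report describes in confirm-click.coffee):
// the decoded message is interpolated verbatim into modal markup that is
// then appended to <body>, so any tags in it become live DOM.
function buildModalUnsafe(message) {
  return `<div class="modal-body"><p>${message}</p></div>`;
}

// Hardened pattern: escape again for the HTML text context at the point of
// use. In a real browser, setting p.textContent = message instead of
// building markup by string concatenation achieves the same thing.
function buildModalSafe(message) {
  return `<div class="modal-body"><p>${escapeHtml(message)}</p></div>`;
}

// Detection helper used below: does the produced markup carry a script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample using the name from the issue report.
const name = "Evil Name<script>alert('Successful XSS!')</script>";
const attributeValue = escapeHtml(`Delete ${name}?`);    // what lands in the HTML
const messageFromDom = decodeAttribute(attributeValue); // what the script reads

console.log("attribute safe:", !containsScriptTag(attributeValue));          // true
console.log("unsafe modal carries script:", containsScriptTag(buildModalUnsafe(messageFromDom))); // true
console.log("safe modal carries script:", containsScriptTag(buildModalSafe(messageFromDom)));     // false
```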