[ https://issues.apache.org/jira/browse/TAP5-2811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013559#comment-18013559 ]

Hudson commented on TAP5-2811:
------------------------------

SUCCESS: Integrated in Jenkins build Tapestry » tapestry-javax-java-11-freestyle #76 (See [https://ci-builds.apache.org/job/Tapestry/job/tapestry-javax-java-11-freestyle/76/])
TAP5-2811: fixing possible XSS in Confirm mixin JS (thiago: rev ce496a84c0f6f0f85bb4741758f56cd008008b39)
* (edit) tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/ConfirmDemo.java
* (add) tapestry-core/src/main/typescript/src/t5/core/html-sanitizer.ts
* (edit) tapestry-core/src/test/groovy/org/apache/tapestry5/integration/app1/ConfirmMixinTests.groovy
* (edit) tapestry-core/src/test/app1/ConfirmDemo.tml
* (edit) tapestry-core/src/main/typescript/src/t5/core/confirm-click.ts


> Possible XSS issue with Confirm mixin and certain user code
> -----------------------------------------------------------
>
>                 Key: TAP5-2811
>                 URL: https://issues.apache.org/jira/browse/TAP5-2811
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.9.0
>            Reporter: Thiago Henrique De Paula Figueiredo
>            Assignee: Thiago Henrique De Paula Figueiredo
>            Priority: Major
>             Fix For: 5.10.0
>
>
> This was brought to our attention by Yannick Dylla 
> ([https://github.com/ydylla]), who we thank very much.
> The Confirm mixin JavaScript doesn't sanitize the input it gets from user 
> code, so, given certain circumstances, it may allow an XSS injection. Here's 
> the example provided by Yannick:
> When using it as follows in a tml template:
> <t:eventlink t:mixins="Confirm" t:Confirm.message="Delete
> ${name}?"><h1>Click me</h1></t:eventlink>
> and where the ${name} property is user controlled, it is possible to
> inject JavaScript code that is executed when the eventlink is clicked.
> For example with this name: "Evil Name<script>alert('Successful
> XSS!')</script>".
> The Confirm.message gets correctly escaped when Confirm.java [1] writes
> it as attribute in the html.
> But confirm-click.coffee [2] then uses a string template without any
> escaping, to append the modal html to the body tag.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)