[ https://issues.apache.org/jira/browse/TAP5-2811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18014274#comment-18014274 ]
ASF subversion and git services commented on TAP5-2811:
-------------------------------------------------------

Commit f32d32d49d686523213f5a91a273bfb7e70ef9af in tapestry-5's branch refs/heads/gradle-improvements from Thiago H. de Paula Figueiredo
[ https://gitbox.apache.org/repos/asf?p=tapestry-5.git;h=f32d32d49 ]

TAP5-2811: fixing possible XSS in Confirm mixin JS

Thanks Yannick Dylla (https://github.com/ydylla) for bringing this to our attention!

> Possible XSS issue with Confirm mixin and certain user code
> -----------------------------------------------------------
>
>                 Key: TAP5-2811
>                 URL: https://issues.apache.org/jira/browse/TAP5-2811
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.9.0
>            Reporter: Thiago Henrique De Paula Figueiredo
>            Assignee: Thiago Henrique De Paula Figueiredo
>            Priority: Major
>             Fix For: 5.10.0
>
>
> This was brought to our attention by Yannick Dylla
> (https://github.com/ydylla), who we thank very much.
>
> The Confirm mixin JavaScript doesn't sanitize the input it gets from user
> code, so, given certain circumstances, it may allow an XSS injection. Here's
> the example provided by Yannick:
>
> When using it as follows in a tml template:
>
> <t:eventlink t:mixins="Confirm" t:Confirm.message="Delete ${name}?"><h1>Click me</h1></t:eventlink>
>
> and where the ${name} property is user controlled, it is possible to
> inject JavaScript code that is executed when the eventlink is clicked.
> For example with this name: "Evil Name<script>alert('Successful XSS!')</script>".
>
> The Confirm.message gets correctly escaped when Confirm.java [1] writes
> it as an attribute in the HTML.
> But confirm-click.coffee [2] then uses a string template without any
> escaping to append the modal HTML to the body tag.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
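The gap the report describes, shown as an added example that is not Tapestry's own code: the server escapes the message for the HTML attribute, the browser decodes it back to the raw string, and a client-side string template turns it into markup again. Both `buildModalUnsafe` and `buildModalSafe` are hypothetical sketches of that last step, not confirm-click.coffee itself.

```javascript
// Added example for TAP5-2811; hypothetical sketch, not the Tapestry code.
// The browser decodes the escaped attribute value before the mixin's script
// reads it, so the script sees the raw user-controlled text again.

// Minimal escaping for text that will be placed inside element content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: the decoded attribute value is interpolated straight
// into a string template that becomes the modal's HTML (appended to body).
function buildModalUnsafe(message) {
  return `<div class="modal"><div class="modal-body">${message}</div></div>`;
}

// Hardened shape: escape the value before it becomes markup. In a browser,
// setting textContent on the modal body element is the equivalent fix.
function buildModalSafe(message) {
  return `<div class="modal"><div class="modal-body">${escapeHtml(message)}</div></div>`;
}

// Cheap detection check for the demonstration only: does the generated
// markup carry a script element? This is not a sanitizer.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input matching the report: a user-controlled ${name} rendered
// into "Delete ${name}?", as the script sees it after attribute decoding.
const hostileName = "Evil Name<script>alert('Successful XSS!')</script>";
const decodedMessage = `Delete ${hostileName}?`;

console.log(containsScriptTag(buildModalUnsafe(decodedMessage))); // true
console.log(containsScriptTag(buildModalSafe(decodedMessage)));   // false
```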