[
https://issues.apache.org/jira/browse/WICKET-3946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13079327#comment-13079327
]
Mikhail Fedko commented on WICKET-3946:
---------------------------------------
Quick fix:
FormComponent.MessageSource#addDefaultVars
// add the input param if not already present
if (!fullParams.containsKey("input"))
{
-- fullParams.put("input", getInput());
++ fullParams.put("input",
Strings.escapeMarkup(getInput()));
}
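Review bot: the escape is only reached when the `if (!fullParams.containsKey("input"))` guard passes, so an `input` value that a caller has already placed in `fullParams` still goes out unescaped; either escape regardless of whether the key is present, or document that callers supplying `input` themselves are responsible for escaping it. Also, applying `Strings.escapeMarkup` here bakes HTML escaping into the message text, so the result is safe only on a rendering path that does not escape the message a second time; a comment stating which path this assumes would help the next reader.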
> input is not escaped in validation errors
> ------------------------------------------
>
> Key: WICKET-3946
> URL: https://issues.apache.org/jira/browse/WICKET-3946
> Project: Wicket
> Issue Type: Bug
> Components: wicket-core
> Affects Versions: 1.4.17
> Reporter: Mikhail Fedko
>
> hi,
> when I add TextField<Integer>("field", Model.of(0), Integer.class)
> and enter something like <script>alert('XSS')</script> inside the field, the input
> is not escaped; I just get
> '' is not a valid Integer. + alert
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
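The following is an added example, not code from Wicket or from the comment above. It reproduces the bug in miniature: a validation message template with an ${input} variable, a message-variable map filled in the same shape as the quick fix, and the message built once with raw input and once with the input escaped at the point it is put into the variables. The template text, the escapeMarkup helper and the interpolate helper are assumptions standing in for Wicket's resource string, Strings.escapeMarkup and its message-variable substitution; they are not the project's implementations.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Wicket code): shows how an unescaped ${input} variable in
 * a validation message turns user input into markup, and how escaping the value
 * when it is added to the message variables closes the hole.
 */
public class ValidationMessageEscaping {

    // Hypothetical message template; the real resource key and wording may differ.
    static final String TEMPLATE = "'${input}' is not a valid Integer.";

    /** Minimal HTML escaper standing in for Strings.escapeMarkup (assumption). */
    static String escapeMarkup(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Plain ${var} substitution with no escaping of its own, standing in for the
     * message source's variable interpolation (assumption). Each variable is
     * replaced once; a value is never re-scanned for further placeholders.
     */
    static String interpolate(String template, Map<String, Object> vars) {
        String out = template;
        for (Map.Entry<String, Object> e : vars.entrySet()) {
            out = out.replace("${" + e.getKey() + "}", String.valueOf(e.getValue()));
        }
        return out;
    }

    /** Before the fix: the raw input becomes the "input" variable. */
    static String vulnerableMessage(String rawInput) {
        Map<String, Object> fullParams = new HashMap<>();
        if (!fullParams.containsKey("input")) {
            fullParams.put("input", rawInput);
        }
        return interpolate(TEMPLATE, fullParams);
    }

    /** After the fix: the input is escaped when it is added as a variable. */
    static String fixedMessage(String rawInput) {
        Map<String, Object> fullParams = new HashMap<>();
        if (!fullParams.containsKey("input")) {
            fullParams.put("input", escapeMarkup(rawInput));
        }
        return interpolate(TEMPLATE, fullParams);
    }

    public static void main(String[] args) {
        // Constructed payload in the shape reported in the issue.
        String payload = "<script>alert('XSS')</script>";

        // Unfixed: the script tag survives into the message as live markup.
        System.out.println("vulnerable: " + vulnerableMessage(payload));

        // Fixed: angle brackets and quotes are entity-encoded, so the message
        // renders the payload as text instead of executing it.
        System.out.println("fixed:      " + fixedMessage(payload));
    }
}
```

Compile and run with `javac ValidationMessageEscaping.java && java ValidationMessageEscaping`. The difference between the two lines of output is the whole bug: the first contains a raw `<script>` element ready for the browser, the second contains `&lt;script&gt;` and is inert. The escaping is done where the value enters the message variables, mirroring the quick fix, and the map is built the same way (escape only when no "input" key is already present), so the same caveat applies: anything that pre-populates "input" bypasses the escape.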