[jira] [Updated] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Jean-Philippe Boudreault (Updated) (JIRA) Tue, 17 Apr 2012 10:11:43 -0700

     [ 
https://issues.apache.org/jira/browse/WICKET-4505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Jean-Philippe Boudreault updated WICKET-4505:
---------------------------------------------

    Description: 
User input is not escaped in all text fields by default (and the default is not 
configurable).

This leads to user entered text not being redisplayed correctly.

* You can replicate using the project from WICKET-3330.
* Just enter the text my&frac12;companyname and press enter
* The field will not redisplay the text entered properly

  was:
User input is not escaped in all text fields by default

This leads to user entered text not being redisplayed correctly and it also 
makes those text fields vulnerable to XSS.

* You can replicate using the project from WICKET-3330.
* Just enter the text my&frac12;companyname and press enter
* The field will not redisplay the text entered properly


edit : I did more testing with XSS and I was not able to exploit it. Therefore 
I updated the description.
                
> AbstractTextComponent not escaping html data by default therefore user text 
> is not redisplayed correctly
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4505
>                 URL: https://issues.apache.org/jira/browse/WICKET-4505
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.5.5
>            Reporter: Jean-Philippe Boudreault
>         Attachments: screenshot-1.jpg
>
>
> User input is not escaped in all text fields by default (and the default is 
> not configurable).
> This leads to user entered text not being redisplayed correctly.
> * You can replicate using the project from WICKET-3330.
> * Just enter the text my&frac12;companyname and press enter
> * The field will not redisplay the text entered properly

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (WICKET-4505) AbstractTextComponent not escaping html data by default therefore user text is not redisplayed correctly

Reply via email to