[ https://issues.apache.org/jira/browse/BEEHIVE-1197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carlin Rogers resolved BEEHIVE-1197.
------------------------------------
Resolution: Fixed
Fix Version/s: V.Next
Scott, thanks for the contribution. I made some minor changes...
I did not add filterValue() to ParamHelper and left it in InternalUtils. It
uses HTML entities for encoding characters used to render on a page. Instead, I
just added some code in ScopedServletUtils to use escaped encoding for URI
since the framework uses this param in url rewriting, etc. Given this, I
changed the name of the new ScopedServletUtils routine
getHTMLEncodedScopeIDParam() to getScopeIdParamValue(). Let me know what you
think.
The changes are in SVN revision 545494. This includes junit and TestRecorder
tests.
Thanks again Scott!
> XSS Vulnerability in jpfScopeID
> -------------------------------
>
> Key: BEEHIVE-1197
> URL: https://issues.apache.org/jira/browse/BEEHIVE-1197
> Project: Beehive
> Issue Type: Bug
> Components: NetUI
> Affects Versions: V1Alpha, V1Beta, v1m1, 1.0, 1.0.1, 1.0.2, V.Next
> Environment: Any
> Reporter: Scott L'Hommedieu
> Assignee: Carlin Rogers
> Priority: Critical
> Fix For: V.Next
>
> Attachments: patch.txt
>
>
> When processing a request to a URL such as
> http://xxx/xx.jfp?jpfScopeID="<script> , resulting links in the response will
> include the scope id as is. Such as ?jpfScopeID="<>?.
> Since jpfScopeID appending is not controlled by end user code, this behavior
> possibly causes an XSS vulnerability.
> For example, if given a URL like
> .....submit.do?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E
> The browser will evaluate and run the script.
> This affects several tags and scoping bits.
> The fix is to HTML-encode the jpfScopeID in ScopedServletUtils and call that from
> tags and such.
> I can attach a patch shortly.
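The thread distinguishes two encodings for the untrusted jpfScopeID value: HTML entities for text rendered on a page, and URI escaping for a value that ends up inside a rewritten URL. The following is an added example, not the Beehive code from SVN revision 545494; the class and method names are hypothetical, and the sample value is the decoded form of the one in the report.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added illustration, not Beehive source. Class and method names are hypothetical.
public class ScopeIdEncodingDemo {

    static final String SCOPE_ID_PARAM = "jpfScopeID"; // parameter name from the issue

    // Before the fix: the raw request value is appended to the rewritten URL as is.
    static String rewriteUnsafe(String url, String scopeId) {
        return url + "?" + SCOPE_ID_PARAM + "=" + scopeId;
    }

    // URI escaping: the right layer when the value becomes part of a URL.
    // Quotes and angle brackets become %22, %3C, %3E and cannot close the attribute.
    static String rewriteUriEscaped(String url, String scopeId) {
        return url + "?" + SCOPE_ID_PARAM + "="
                + URLEncoder.encode(scopeId, StandardCharsets.UTF_8);
    }

    // HTML entity encoding: the right layer when a string is written into markup,
    // for example the finished URL placed in an href attribute.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Decoded form of the value quoted in the report.
        String scopeId = "\"><script>alert('gotcha')</script>";

        // The raw value closes the href attribute and injects a script element.
        System.out.println("<a href=\"" + rewriteUnsafe("submit.do", scopeId) + "\">next</a>");

        // URI-escape the parameter value, then entity-encode the whole URL for the attribute.
        String safeUrl = rewriteUriEscaped("submit.do", scopeId);
        System.out.println("<a href=\"" + htmlEscape(safeUrl) + "\">next</a>");
    }
}
```

The second line of output keeps the scope ID as a single percent-encoded query value, so a later URL rewrite can carry it forward without re-introducing markup characters.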