Cross Site Scripting Issue in ErrorPage
---------------------------------------
Key: CLK-762
URL: https://issues.apache.org/jira/browse/CLK-762
Project: Click
Issue Type: Bug
Environment: N/A
Reporter: Tsuyoshi Yamamoto
Click 2.3.0 line 289 in ErrorReport.java should be HTML-escaped, because
the QueryString may include malicious HTML / JavaScript which causes Cross Site
Scripting on the ErrorPage.
For example, Click causes java.lang.NumberFormatException when the query string
parameter 'id' expects an integer value but a string is passed. And if the string is
'241<script>alert(20908)</script>' then we can see the popup on the ErrorPage, which
results in the vulnerability of the webapp.
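As an added illustration (not code from the Click project or from the reporter), the fragment below shows a minimal HTML escaper applied to the request parameter from this report before it is written into an error page, side by side with the unescaped rendering. The class name, method names and the table layout are assumptions; only the parameter value comes from the report.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed example (not Click's ErrorReport.java): shows why a raw query
// string value must be HTML-escaped before it is echoed into an error page.
public class EscapedErrorReport {

    // Minimal HTML escaper for text nodes and double-quoted attribute values.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds the "request parameters" fragment of a hypothetical error page.
    // With escape=false the parameter value is written verbatim (the defect
    // described in the report); with escape=true it is rendered as inert text.
    static String renderParams(Map<String, String> params, boolean escape) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Map.Entry<String, String> e : params.entrySet()) {
            String k = escape ? escapeHtml(e.getKey()) : e.getKey();
            String v = escape ? escapeHtml(e.getValue()) : e.getValue();
            html.append("  <tr><td>").append(k)
                .append("</td><td>").append(v).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Constructed input using the value quoted in the report: a non-numeric
        // 'id' that would trigger NumberFormatException and carries a script tag.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("id", "241<script>alert(20908)</script>");

        System.out.println("Unescaped (vulnerable):");
        System.out.println(renderParams(params, false));
        System.out.println();
        System.out.println("Escaped (fixed):");
        System.out.println(renderParams(params, true));
    }
}
```

In the escaped output the value appears as `241&lt;script&gt;alert(20908)&lt;/script&gt;`, which the browser displays as literal text instead of executing. Where the web framework already ships an HTML-escaping utility, that utility should be used in preference to a hand-written one so that every place the error page echoes request data is covered consistently.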
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira