[ 
https://issues.apache.org/jira/browse/CLK-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bob Schellink resolved CLK-762.
-------------------------------

    Resolution: Fixed
      Assignee: Bob Schellink

Thanks, fix checked in

> Cross Site Scripting Issue in ErrorPage
> ---------------------------------------
>
>                 Key: CLK-762
>                 URL: https://issues.apache.org/jira/browse/CLK-762
>             Project: Click
>          Issue Type: Bug
>         Environment: N/A
>            Reporter: Tsuyoshi Yamamoto
>            Assignee: Bob Schellink
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> Click 2.3.0 line 289 in ErrorReport.java should be HTML-escaped, because 
> the QueryString may include malicious HTML / JavaScript, which causes Cross 
> Site Scripting on ErrorPage.
> For example, Click throws java.lang.NumberFormatException when the query 
> string parameter 'id' expects an integer value but a string is passed. And if 
> the string is '241<script>alert(20908)</script>', then we can see the popup on 
> ErrorPage, which results in a vulnerability in the webapp.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
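The pattern behind the report, as an added illustration that is not Click's own ErrorReport.java: an error report row that reflects the query string, rendered once as the bug describes (raw) and once HTML-escaped as the fix requires. Class and method names are assumed for the example; the request value is the one constructed in the report.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not Click's code): an error report that reflects the query
// string, shown unescaped (the reported bug) and HTML-escaped (the fix).
public class ErrorReportEscaping {

    // Escape the five characters that can break out of HTML text or attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build the query-string row of an error report. 'escape' selects the
    // vulnerable behaviour (false) or the fixed behaviour (true).
    static String queryRow(Map<String, String> query, boolean escape) {
        StringBuilder sb = new StringBuilder("<tr><td>Query:</td><td>");
        for (Map.Entry<String, String> e : query.entrySet()) {
            String pair = e.getKey() + "=" + e.getValue();
            sb.append(escape ? escapeHtml(pair) : pair).append(' ');
        }
        return sb.append("</td></tr>").toString();
    }

    public static void main(String[] args) {
        // Constructed request: 'id' is expected to be an integer, as in the report.
        Map<String, String> query = new LinkedHashMap<>();
        query.put("id", "241<script>alert(20908)</script>");
        try {
            Integer.parseInt(query.get("id"));
        } catch (NumberFormatException ex) {
            String unsafe = queryRow(query, false);  // contains a live <script> element
            String safe = queryRow(query, true);     // browser shows it as literal text
            System.out.println("vulnerable: " + unsafe);
            System.out.println("fixed:      " + safe);
            if (!unsafe.contains("<script>") || safe.contains("<script>")) {
                throw new IllegalStateException("escaping check failed");
            }
        }
    }
}
```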
