[ https://issues.apache.org/jira/browse/DELTASPIKE-752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14185036#comment-14185036 ]
Heiko Kopp commented on DELTASPIKE-752:
---------------------------------------
It's like I suspected. We do a
window.open('....', 'MAKS' + new Date().getTime(), options);
Somehow DeltaSpike simply 'adds' its ID to this instead of replacing it. As
this behaviour was simply to ensure each window gets a unique ID we can drop
this by using '_blank' and rely on DeltaSpike to distinguish the windows for
us. That would solve our problem.
However, maybe it's a good idea to mention somehow that the dswid-Parameter
will contain the original window.name + the window ID and this might lead to
too long window Ids being cut to 10 characters or you simply white clean the
HTML-code to prevent the XSS attack instead of securing the id by length.
> ensure a secure maximum length of the window-id
> -----------------------------------------------
>
> Key: DELTASPIKE-752
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-752
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module, JSF22-Module
> Affects Versions: 1.0.3
> Reporter: Heiko Kopp
> Priority: Critical
> Fix For: 1.0.4
>
>
> if the window-id is too long, we would need to escape it to avoid XSS.
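An added example, not part of the original comment and not DeltaSpike's code: it compares the two hardening options the comment mentions, cutting the combined id to 10 characters versus cleaning it against an allow-list. The function names, the allow-list pattern and the sample ids are assumptions; only the 10-character cut and the "window.name + window ID" layout come from the comment.

```javascript
// Added illustration; all names and sample values below are constructed.
const MAX_LEN = 10; // length limit mentioned in the comment above

// Option 1, length only: keep the first MAX_LEN characters.
function truncateId(id) {
  return id.slice(0, MAX_LEN);
}

// Option 2, allow-list: accept only short ids made of harmless characters,
// otherwise return null so the caller can issue a fresh id instead of
// echoing the input back into the page.
function allowListId(id) {
  return /^[A-Za-z0-9_-]{1,10}$/.test(id) ? id : null;
}

// The dswid as the comment describes it: window.name followed by the id.
function combinedId(windowName, dsId) {
  return windowName + dsId;
}

function demo() {
  // Two windows opened one second apart, named 'MAKS' + timestamp.
  const a = combinedId('MAKS' + 1414400000000, '123');
  const b = combinedId('MAKS' + 1414400001000, '456');
  return {
    truncatedA: truncateId(a),
    truncatedB: truncateId(b),
    // The distinguishing suffix is cut off, so both windows share one id.
    collide: truncateId(a) === truncateId(b),
    // With an empty window.name (assumed for '_blank') the id passes as is.
    blankName: allowListId(combinedId('', '123')),
    // Markup that fits in 10 characters survives truncation unchanged...
    shortMarkupTruncated: truncateId('<b>x</b>'),
    // ...but is rejected by the allow-list.
    shortMarkupAllowList: allowListId('<b>x</b>'),
  };
}

console.log(demo());
```
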