Hi, we don't take a "complete unchecked" value at all. If you check AbstractClientWindowStrategy#getWindowId(), we cut down the windowId to max. 10 chars.

Regards,
Thomas

2016-04-05 6:07 GMT+02:00 Thomas Frühbeck <[email protected]>:
> Hi,
> I couldn't find out how to notify you correctly.
>
> Can you please take a look at WindowIdHtmlRenderer, lines 62 to 78?
>
> My tests confirm that you take the unchecked value of windowId, which may
> have been provided by the client at will.
> So a JavaScript injection at line 78 is possible.
>
> Details may be provided if necessary.
>
> Regards and my greatest thanks for your work and commitment.
>
> Thomas
