[ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16306701#comment-16306701 ]
ASF subversion and git services commented on DELTASPIKE-1307: ------------------------------------------------------------- Commit d95abe8c01d256da2ce0a5a88f4593138156a4e5 in deltaspike's branch refs/heads/master from [~struberg] [ https://git-wip-us.apache.org/repos/asf?p=deltaspike.git;h=d95abe8 ] DELTASPIKE-1307 improve sanitise windowId Also guard against html injection > Deltaspike JSF: XSS WindowIdHtmlRenderer.java > --------------------------------------------- > > Key: DELTASPIKE-1307 > URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307 > Project: DeltaSpike > Issue Type: Bug > Components: JSF-Module > Affects Versions: 1.8.0 > Environment: any > Reporter: md > Assignee: Mark Struberg > Priority: Blocker > Labels: security > > 10 chars ough to be enough for XSS. > Try escaping your variables. > https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java > Line 80 > PoC > dswid='-open()-' -- This message was sent by Atlassian JIRA (v6.4.14#64029)