[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16307209#comment-16307209
 ] 

Gerhard Petracek commented on DELTASPIKE-1307:
----------------------------------------------

@md:
fyi: if you think 10 chars are enough (to do more than useless calls), you can 
change the max-length via 
JsfBaseConfig.ScopeCustomization.WindowRestriction.ID_MAX_LENGTH (since the 
beginning...).
the default-value is 10 because in the discussion back then it was accepted as 
secure enough (in case you don't ship harmful scripts in your own app), 
however, it's great to have the addition from mark!

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
>                 Key: DELTASPIKE-1307
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: JSF-Module
>    Affects Versions: 1.8.0
>         Environment: any
>            Reporter: md
>            Assignee: Mark Struberg
>            Priority: Blocker
>              Labels: security
>             Fix For: 1.8.1
>
>
> 10 chars ought to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'
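The thread above combines two defences, an allow-list with a maximum length on the window id and output escaping where the id is written into the page. The following class is an added illustration of both, written for this page; it is not DeltaSpike's WindowIdHtmlRenderer and does not use DeltaSpike APIs. The class name, the rendering as a hidden input element, and the ID_MAX_LENGTH constant (set to 10 to mirror the default discussed in the comment) are assumptions. The escaper covers an HTML attribute or text-node context only; if the renderer writes the id into an inline script, the value needs JavaScript-string escaping instead, which this example does not provide.

```java
import java.util.regex.Pattern;

/** Hypothetical hardened window-id handling (example code, not DeltaSpike's). */
public final class WindowIdGuard {
    // Assumed limit, chosen to mirror the 10-character default mentioned in the thread.
    static final int ID_MAX_LENGTH = 10;

    // Allow-list: letters, digits, underscore and hyphen, at most ID_MAX_LENGTH characters.
    // Anything else (quotes, parentheses, angle brackets) is rejected rather than repaired.
    private static final Pattern SAFE_ID =
        Pattern.compile("[A-Za-z0-9_-]{1," + ID_MAX_LENGTH + "}");

    /** Returns the id unchanged if it is an allow-listed token, otherwise null
     *  so the caller can issue a freshly generated id instead. */
    static String sanitizeWindowId(String raw) {
        if (raw == null) {
            return null;
        }
        return SAFE_ID.matcher(raw).matches() ? raw : null;
    }

    /** Escapes a value for an HTML text node or double-quoted attribute.
     *  Defence in depth: the allow-list already excludes these characters. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders the id into a hidden field (assumed markup), validated and escaped. */
    static String renderHiddenField(String raw) {
        String id = sanitizeWindowId(raw);
        if (id == null) {
            throw new IllegalArgumentException("rejected window id");
        }
        return "<input type=\"hidden\" name=\"dswid\" value=\"" + escapeHtml(id) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid id, the PoC value from the report, and an over-long id.
        System.out.println(renderHiddenField("abc123"));
        System.out.println(sanitizeWindowId("-open()-") == null
            ? "PoC value rejected (parentheses not allow-listed)" : "unexpected");
        System.out.println(sanitizeWindowId("a".repeat(ID_MAX_LENGTH + 1)) == null
            ? "over-long id rejected" : "unexpected");
    }
}
```

The allow-list is the primary control: it makes the length limit and the character set explicit, so raising ID_MAX_LENGTH (as the comment suggests is possible) does not by itself reopen the issue, because a longer id still cannot carry markup or script characters. Escaping on output is retained so a future change to the allow-list cannot silently turn into an injection.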



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
