[ 
https://issues.apache.org/jira/browse/ISIS-884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14136897#comment-14136897
 ] 

Dan Haywood commented on ISIS-884:
----------------------------------

Not a lot has been done since 1.6.0, my attention has been on the new 
isisaddons.org stuff.

Two options:
- either I could create a branch for 1.6.1 from where we are right now, and 
then bump that branch down to JDK 1.6.
- or, (since this is all on github), YOU could create a branch from the commit 
before we bumped to JDK 1.7.0 [1], and then cherry pick the relevant commits 
after that.  Raise a PR and I'll use that as the basis for a new release.

The second option will give you more control over when this gets done, so I'd 
probably prefer that, and I think the commits are reasonably clean to cherry-pick, 
though you'd need to try it to find out.

[1] 
https://github.com/apache/isis/commit/9e889abd829d40805fa1118ef8d93e396f82de01

> ErrorPage vulnerable to XSS attacks.
> ------------------------------------
>
>                 Key: ISIS-884
>                 URL: https://issues.apache.org/jira/browse/ISIS-884
>             Project: Isis
>          Issue Type: Bug
>          Components: Viewer: Wicket
>    Affects Versions: viewer-wicket-1.6.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>            Priority: Blocker
>             Fix For: viewer-wicket-1.7.0
>
>
> The default error page 
> (org.apache.isis.viewer.wicket.ui.pages.error.ErrorPage) is vulnerable to XSS 
> via org.apache.isis.viewer.wicket.ui.errors.ExceptionStackTracePanel.
> In the constructor of ExceptionStackTracePanel, it adds a Label with the 
> exception message and calls setEscapeModelStrings(false).
> This means that a URL can be constructed to reference an entity with 
> Javascript inserted where the OID should be, and an exception is thrown with 
> the Javascript code inserted into the message.
> This is then written to the page un-escaped, to be executed in the user's 
> session.
> It is made worse by the bookmarkable feature (I think that's what does this), 
> where an attacker can navigate to a crafted URL on a user's PC; if they don't 
> close all of their browser windows before the session times out, when they 
> log in they will be redirected to the crafted URL.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
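The escaping problem described in the issue, as an added illustration in Wicket (not Apache Isis's own code or its eventual fix): the class name ExceptionMessageLabels, the method names and the sample exception message are assumptions; the Wicket APIs used (Label, MultiLineLabel, Model.of, Strings.escapeMarkup, setEscapeModelStrings) are real.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.basic.MultiLineLabel;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.string.Strings;

// Hypothetical helper (not from the Isis code base) contrasting the vulnerable
// and the hardened way of putting an exception message into a Wicket page.
public final class ExceptionMessageLabels {

    private ExceptionMessageLabels() {}

    // Vulnerable pattern: escaping is switched off on a label whose model text
    // is attacker-influenced (an exception message that echoes part of the URL),
    // so any markup in the message is rendered as markup, not as text.
    public static Label unescapedMessage(String id, Throwable ex) {
        Label label = new Label(id, Model.of(ex.getMessage()));
        label.setEscapeModelStrings(false);
        return label;
    }

    // Hardened pattern: leave Wicket's default escaping on. MultiLineLabel keeps
    // line breaks readable (it escapes the text first, then inserts <br/>), so
    // there is no need to disable escaping just to format a multi-line message.
    public static MultiLineLabel escapedMessage(String id, Throwable ex) {
        return new MultiLineLabel(id, Model.of(ex.getMessage()));
    }

    // The transformation the default rendering path applies to model strings,
    // exposed stand-alone so the effect can be inspected outside a page.
    public static String escapedText(String message) {
        return Strings.escapeMarkup(message).toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an exception whose message echoes a crafted OID-like
        // value containing markup; only the escaped form is safe to write to HTML.
        Throwable ex = new IllegalArgumentException(
                "No such object: <script>alert(1)</script>");
        System.out.println("raw:     " + ex.getMessage());
        System.out.println("escaped: " + escapedText(ex.getMessage()));
    }
}
```

A label built by escapedMessage renders the same text as the second println; one built by unescapedMessage renders the first, which is the behaviour the issue describes.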
