Stefan Wegener created ISIS-2373:
------------------------------------

             Summary: Upload attachment: Preview vulnerable to XSS for html-attachments
                 Key: ISIS-2373
                 URL: https://issues.apache.org/jira/browse/ISIS-2373
             Project: Isis
          Issue Type: Bug
          Components: Isis Viewer Wicket
    Affects Versions: 1.17.0
            Reporter: Stefan Wegener
         Attachments: isis-xss-1.png, isis-xss-2.png

First of all: I am not sure if the topic is placed here correctly as it might 
only affect the wicket dependency that isis is using. But: as the current 
wicket version (7.9.0) that is used by isis is vulnerable to it, it should be 
relevant to you.
I created the following HTML-document named xss_box.html:
{code:html}
<html>
<script language="JavaScript"> 
    window.alert("Sometext");
</script>
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
</head>
<body>...</body>
</html>
{code}
When selecting this document for an upload, usually a preview of the content 
will be shown. In this case the client uploading the file executes the 
JavaScript code and gets modified preview content, as you can see in my 
attached images.
I do not know if later wicket-versions (currently the newest version is 7.16.0) 
are protected against this threat.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
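The defect described in the report is an upload preview that inserts the bytes of the chosen file into the page as HTML. The following is an added example, not Apache Isis or Apache Wicket code, of how such a preview can be built so that file content is only ever displayed, never interpreted: text-like files (text/html included) are shown as escaped text, images are shown through an <img> whose source must be a blob: object URL, and the filename is escaped as well. The names buildPreview, unsafeBuildPreview, escapeHtml and IMAGE_TYPES, and the sample file object shape, are assumptions made for this example; the sample document is the reporter's xss_box.html from above.

```javascript
// Added example (not Apache Isis or Apache Wicket code): a defensive preview
// builder for file uploads. The rule it enforces: bytes of an uploaded file are
// never inserted into the page as HTML. Text-like files (including text/html)
// are shown as escaped text, images are shown through an <img> whose src is a
// blob: object URL, and anything else gets a metadata-only preview.
// buildPreview, escapeHtml and IMAGE_TYPES are names assumed for this example.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Allow-list of image MIME types that may be previewed with an <img> element.
// SVG is deliberately absent: it can carry <script> and must not be rendered inline.
const IMAGE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);

// The vulnerable pattern this example replaces: file content concatenated
// straight into markup. With the reporter's xss_box.html this executes the script.
function unsafeBuildPreview(file) {
  return `<div class="preview">${file.name}<div>${file.text}</div></div>`;
}

// Hardened variant. `file` is { name, type, text, blobUrl }:
//   name    - filename as supplied by the browser (attacker-controlled, so escaped)
//   type    - MIME type reported by the browser (used only as an allow-list key)
//   text    - decoded content, used for non-image files only
//   blobUrl - object URL created by the caller with URL.createObjectURL(file)
function buildPreview(file, maxChars = 2000) {
  const name = escapeHtml(file.name);
  if (IMAGE_TYPES.has(file.type)) {
    // Only a blob: URL is accepted as the image source; data:, http: or other
    // schemes are refused so the type check cannot be sidestepped via the URL.
    if (!/^blob:/.test(file.blobUrl || '')) {
      return `<div class="preview">${name}: image preview unavailable</div>`;
    }
    return `<div class="preview"><img src="${escapeHtml(file.blobUrl)}" alt="${name}"></div>`;
  }
  // Every other type, text/html included, is rendered as escaped text so that
  // <script>, event handlers and <meta> tags in the file are displayed, not run.
  const text = String(file.text || '');
  const truncated = text.length > maxChars ? ' (truncated)' : '';
  return `<div class="preview">${name}${truncated}<pre>${escapeHtml(text.slice(0, maxChars))}</pre></div>`;
}

// Constructed input: the HTML document from the report above.
const XSS_BOX_HTML = [
  '<html>',
  '<script language="JavaScript">',
  '    window.alert("Sometext");',
  '</script>',
  '<head>',
  '    <meta http-equiv="Content-Type" content="text/html;charset=utf-8">',
  '</head>',
  '<body>...</body>',
  '</html>',
].join('\n');

// True when the produced markup contains no raw <script element, i.e. the
// preview can be assigned to an element without the file's script executing.
function previewIsInert(markup) {
  return !/<script/i.test(markup);
}
```

In a browser the returned string is assigned to the preview container once; because every piece of attacker-controlled input (filename, content, image source) has been escaped or allow-listed first, the assignment cannot introduce active content. The same check that previewIsInert performs on the string is what a unit test for a preview widget should assert against the report's sample file.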
