[ 
https://issues.apache.org/jira/browse/ISIS-3077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17554673#comment-17554673
 ] 

ASF subversion and git services commented on ISIS-3077:
-------------------------------------------------------

Commit 3d599511d2424c87617689a674b39ce1d75bffe2 in isis's branch 
refs/heads/master from Andi Huber
[ https://gitbox.apache.org/repos/asf?p=isis.git;h=3d599511d2 ]

ISIS-3077: fixes Wicket Viewer XSS vulnerability

- use a Wicket Label instead of a Markup (plain html) component when
rendering scalar value output
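To make the commit's one-line rationale concrete, here is an added example (not code from the Isis project or from this commit) contrasting the two rendering strategies in Apache Wicket. It assumes a constructed untrusted value, the hypothetical component id `value`, and uses Wicket's `WicketTester` to render the component to a string; the "raw markup" variant stands in for the plain-HTML component the commit replaces, since a `Label` with `setEscapeModelStrings(false)` emits the model string unescaped, while a default `Label` escapes it.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.tester.WicketTester;

// Added example, not Isis or Wicket project code. Shows why rendering a scalar
// value through a Label (which escapes model strings by default) stops the
// browser from interpreting the value, while emitting it as raw markup does not.
public class ScalarEscapingDemo {

    // Constructed sample value: what a user could type into a TextField.
    static final String UNTRUSTED = "<script>alert('xss')</script>";

    // Risky variant: escaping switched off, so the string lands in the page as HTML.
    // This stands in for the plain-html markup component the commit replaced.
    static String renderAsRawMarkup(WicketTester tester) {
        Label raw = new Label("value", Model.of(UNTRUSTED));   // "value" is a hypothetical id
        raw.setEscapeModelStrings(false);
        tester.startComponentInPage(raw);
        return tester.getLastResponseAsString();
    }

    // Fixed variant: a plain Label escapes < > & " before writing the response.
    static String renderAsLabel(WicketTester tester) {
        tester.startComponentInPage(new Label("value", Model.of(UNTRUSTED)));
        return tester.getLastResponseAsString();
    }

    public static void main(String[] args) {
        WicketTester tester = new WicketTester();
        try {
            String unsafe = renderAsRawMarkup(tester);
            String safe = renderAsLabel(tester);
            // A regression check like this is what a reviewer would want next to the fix.
            System.out.println("raw markup contains <script>: " + unsafe.contains("<script>"));
            System.out.println("label output escaped        : " + safe.contains("&lt;script&gt;"));
        } finally {
            tester.destroy();
        }
    }
}
```

The useful takeaway for review is the check itself: any component that renders a scalar value sourced from user input should produce `&lt;script&gt;` in the response body, never `<script>`; a test of that shape guards against the escaping being switched off again later.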

> [Vulnerability] All HTML Inputs need to be Escaped in Order to Avoid XSS 
> Vulnerabilities
> ----------------------------------------------------------------------------------------
>
>                 Key: ISIS-3077
>                 URL: https://issues.apache.org/jira/browse/ISIS-3077
>             Project: Isis
>          Issue Type: Bug
>          Components: Isis Viewer Wicket
>    Affects Versions: 2.0.0-M7
>            Reporter: Jörg Rade
>            Assignee: Andi Huber
>            Priority: Critical
>             Fix For: 2.0.0-M8
>
>
> The problem is with our use of Wicket's 
> org.apache.wicket.markup.html.form.TextField<T>: input gets 
> interpreted/executed by the browser.
> see
> https://the-asf.slack.com/archives/CFC42LWBV/p1655298008979249?thread_ts=1655296945.755859&cid=CFC42LWBV



--
This message was sent by Atlassian Jira
(v8.20.7#820007)