[
https://issues.apache.org/jira/browse/ISIS-3077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andi Huber updated ISIS-3077:
-----------------------------
Description:
Problem is with Wicket Viewer's scalar value output rendering: string value
gets interpreted/executed by the browser. Vulnerability was probably introduced
post M7.
see
https://the-asf.slack.com/archives/CFC42LWBV/p1655298008979249?thread_ts=1655296945.755859&cid=CFC42LWBV
was:
Problem is with our use of Wicket's
org.apache.wicket.markup.html.form.TextField<T>: input gets
interpreted/executed by the browser.
see
https://the-asf.slack.com/archives/CFC42LWBV/p1655298008979249?thread_ts=1655296945.755859&cid=CFC42LWBV
> [Vulnerability] All HTML Inputs need to be Escaped in Order to Avoid XSS
> Vulnarabilities
> ----------------------------------------------------------------------------------------
>
> Key: ISIS-3077
> URL: https://issues.apache.org/jira/browse/ISIS-3077
> Project: Isis
> Issue Type: Bug
> Components: Isis Viewer Wicket
> Reporter: Jörg Rade
> Assignee: Andi Huber
> Priority: Critical
> Fix For: 2.0.0-M8
>
>
> Problem is with Wicket Viewer's scalar value output rendering: string value
> gets interpreted/executed by the browser. Vulnerability was probably
> introduced post M7.
> see
> https://the-asf.slack.com/archives/CFC42LWBV/p1655298008979249?thread_ts=1655296945.755859&cid=CFC42LWBV
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
