[ https://issues.apache.org/jira/browse/ISIS-3077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557890#comment-17557890 ]

Andi Huber edited comment on ISIS-3077 at 6/23/22 9:01 AM:
-----------------------------------------------------------

# hardening Url value-type: prevent XSS attack URLs
# hardening Markup value-type: run unsafe html through Jsoup sanitizer during value parsing
# output format of textual value types must be escaped, unless rendering badges or placeholders or converted values


was (Author: hobrom):
# hardening Url value-type: prevent XSS attack URLs
# hardening Markup value-type: run unsafe html through Jsoup sanitizer during value parsing
# output format of textual value types must be escaped, unless rendering badges or placeholders

> [Vulnerability] Scalar Value Output Rendering is not escaped. (XSS Vulnerability)
> ---------------------------------------------------------------------------------
>
>                 Key: ISIS-3077
>                 URL: https://issues.apache.org/jira/browse/ISIS-3077
>             Project: Isis
>          Issue Type: Bug
>          Components: Isis Viewer Wicket
>            Reporter: Jörg Rade
>            Assignee: Andi Huber
>            Priority: Critical
>              Labels: vulnerability
>             Fix For: 2.0.0-M8
>
>
> Problem is with Wicket Viewer's scalar value output rendering: string value gets interpreted/executed by the browser. Vulnerability was probably introduced post M7.
> see
> https://the-asf.slack.com/archives/CFC42LWBV/p1655298008979249?thread_ts=1655296945.755859&cid=CFC42LWBV
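The three hardening measures listed in the comment above, as an added illustration that is not Apache Isis code: a strict Url parser with a scheme allow-list (the allowed set is a hypothetical choice), Markup sanitized through Jsoup at parse time, and plain text escaped for output. It assumes jsoup 1.14 or later is on the classpath.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/** Hypothetical hardening helpers; not the Apache Isis implementation. */
public final class ValueTypeHardening {

    // Hypothetical allow-list: "javascript:", "data:", "vbscript:" etc. never pass.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "mailto", "ftp");

    /** Url value-type: parse strictly and allow-list the scheme before the value is accepted. */
    public static URI parseSafeUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URL: " + raw, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("URL scheme not allowed: " + raw);
        }
        return uri;
    }

    /** Markup value-type: sanitize untrusted HTML with Jsoup while parsing the value. */
    public static String parseSafeMarkup(String untrustedHtml) {
        // Safelist.basic() keeps simple formatting tags and drops script tags, event
        // handler attributes and non-http(s)/mailto/ftp hrefs; disallowed tags are removed.
        return Jsoup.clean(untrustedHtml, Safelist.basic());
    }

    /** Plain textual value: escape on output so the browser renders text, never markup. */
    public static String escapeForHtml(String text) {
        StringBuilder sb = new StringBuilder(text.length());
        for (char c : text.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The escaping step applies only to values rendered as text; badges, placeholders and already-converted values, as the comment notes, take a different path and must not be double-escaped.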



--
This message was sent by Atlassian Jira
(v8.20.7#820007)