[
https://issues.apache.org/jira/browse/JCR-1925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jukka Zitting updated JCR-1925:
-------------------------------
Description:
Some of the jackrabbit-webapp forms don't properly escape user input when
displaying it in the resulting HTML page. This leads to potential cross site
scripting issues. For example:
search.jsp?q=%25%22%3Cscript%3Ealert(1)%3C/script%3E
swr.jsp?q=%25"<script>alert(1)</script>&swrnum=1
The CVE id for this issue is CVE-2009-0026
was:
Some of the jackrabbit-webapp forms don't properly escape user input when
displaying it in the resulting HTML page. This leads to potential cross site
scripting issues. For example:
search.jsp?q=%25%22%3Cscript%3Ealert(1)%3C/script%3E
swr.jsp?q=%25"<script>alert(1)</script>&swrnum=1
> Cross site scripting issues in webapp
> -------------------------------------
>
> Key: JCR-1925
> URL: https://issues.apache.org/jira/browse/JCR-1925
> Project: Jackrabbit
> Issue Type: Bug
> Components: jackrabbit-webapp
> Affects Versions: 1.5.0
> Reporter: Jukka Zitting
> Assignee: Jukka Zitting
> Fix For: 1.5.1
>
>
> Some of the jackrabbit-webapp forms don't properly escape user input when
> displaying it in the resulting HTML page. This leads to potential cross site
> scripting issues. For example:
> search.jsp?q=%25%22%3Cscript%3Ealert(1)%3C/script%3E
> swr.jsp?q=%25"<script>alert(1)</script>&swrnum=1
> The CVE id for this issue is CVE-2009-0026
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
