LocalFrameContextView is susceptible to something like XSS (not a security
issue though)
----------------------------------------------------------------------------------------
Key: JBEHAVE-654
URL: https://jira.codehaus.org/browse/JBEHAVE-654
Project: JBehave
Issue Type: Bug
Components: Web Selenium
Affects Versions: web-3.4.3
Reporter: Alexander Lehmann
Priority: Minor
The status display in org.jbehave.web.selenium.LocalFrameContextView is
constructing an HTML string for the current step by concatenating the strings
with HTML tags; this will not work if the step itself contains HTML tags or
JavaScript fragments.

This doesn't cause any real issues, but it makes the current step fail; in
essence this is an injection error (if this were in a web application, this
would be sufficient for an XSS bug).

I noticed this when writing an example XSS story for my project. For now I just
commented out the offending steps; I will submit a patch when I get around to
it on the weekend.
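
The concatenation problem described in the report, next to an escaped variant, as an added example that is not JBehave's code and not the reporter's patch. The class name, method names, markup template and sample step are all assumptions made for illustration.

```java
public class StepStatusHtml {
    // Hypothetical helper; names and markup template are not taken from JBehave.

    /** Pattern from the report: the step text lands in the markup verbatim. */
    static String unescaped(String scenario, String step) {
        return "<html><h3>" + scenario + "</h3><h4>" + step + "</h4></html>";
    }

    /** Replace the characters that are significant to an HTML parser. */
    static String escapeHtml(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    /** Same template, but every untrusted value is escaped before insertion. */
    static String escaped(String scenario, String step) {
        return "<html><h3>" + escapeHtml(scenario) + "</h3><h4>"
                + escapeHtml(step) + "</h4></html>";
    }

    public static void main(String[] args) {
        // Constructed sample values, in the style of an XSS test story.
        String scenario = "Search field rejects markup";
        String step = "When I type <script>alert(1)</script> & \"quotes\" into the search field";

        // The step's tags become part of the status markup.
        System.out.println(unescaped(scenario, step));

        // The step is displayed as literal text; no tag from the step survives.
        String safe = escaped(scenario, step);
        System.out.println(safe);
        if (safe.contains("<script>")) {
            throw new IllegalStateException("step text was not escaped");
        }
    }
}
```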