[ https://jira.codehaus.org/browse/JBEHAVE-654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=285380#comment-285380 ]
Alexander Lehmann commented on JBEHAVE-654:
-------------------------------------------

https://github.com/alexlehm/jbehave-web/commit/7589d8138ce1c54efe2bb5f61995e4432949e11c

JBEHAVE-654: LocalFrameContextView is susceptible to something like XSS
properly encode input parameters as HTML

> LocalFrameContextView is susceptible to something like XSS (not a security
> issue though)
> ----------------------------------------------------------------------------------------
>
>                 Key: JBEHAVE-654
>                 URL: https://jira.codehaus.org/browse/JBEHAVE-654
>             Project: JBehave
>          Issue Type: Bug
>          Components: Web Selenium
>    Affects Versions: web-3.4.3
>            Reporter: Alexander Lehmann
>            Priority: Minor
>
> The status display in org.jbehave.web.selenium.LocalFrameContextView is
> constructing an HTML string for the current step by concatenating the strings
> with HTML tags; this will not work if the step itself contains HTML tags or
> JavaScript fragments.
> This doesn't cause any real issues, but it makes the current step fail. In
> essence this is an injection error (if this were in a web application, this
> would be sufficient for an XSS bug).
> I noticed this when writing an example XSS story for my project; for now I
> just commented out the offending steps. I will submit a patch when I get
> around to it on the weekend.
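The bug pattern the issue describes (step text concatenated straight into HTML markup) beside the fix the commit title announces (HTML-encoding the untrusted text first), as an added illustration that is not JBehave's code and not part of the comment above; the class and method names (StepHtmlExample, renderStepNaive, renderStepEscaped, escapeHtml) and the sample step are constructed for this example.

```java
// Added illustration of JBEHAVE-654, not JBehave's own code.
// All names here are hypothetical; the sample step is constructed.
public class StepHtmlExample {

    // Vulnerable pattern: the step text is spliced directly into markup, so
    // any '<', '>' or '&' in the step becomes part of the HTML structure
    // instead of being displayed as text.
    static String renderStepNaive(String step) {
        return "<div class=\"step\">" + step + "</div>";
    }

    // Minimal entity encoding for HTML text nodes. In a real project prefer a
    // maintained escaping library over a hand-written routine like this one.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Fixed pattern: encode the untrusted step text before it is concatenated
    // into markup, so tags in the step are shown literally rather than parsed.
    static String renderStepEscaped(String step) {
        return "<div class=\"step\">" + escapeHtml(step) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed step containing the kind of HTML fragment the issue mentions.
        String step = "Then the page shows <b>bold</b> & a <script> tag";
        System.out.println("naive:   " + renderStepNaive(step));
        System.out.println("escaped: " + renderStepEscaped(step));
    }
}
```

Running the class prints the naive rendering, where the step's tags become live markup, followed by the escaped rendering, where the same text is displayed verbatim.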