[ https://jira.codehaus.org/browse/JBEHAVE-654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=285394#comment-285394 ]
Mauro Talevi edited comment on JBEHAVE-654 at 12/10/11 3:30 AM:
----------------------------------------------------------------

Pulled patch. Thanks.

  was (Author: maurotalevi):
    Pull patch. Thanks.

> LocalFrameContextView is susceptible to something like XSS (not a security issue though)
> ----------------------------------------------------------------------------------------
>
>                 Key: JBEHAVE-654
>                 URL: https://jira.codehaus.org/browse/JBEHAVE-654
>             Project: JBehave
>          Issue Type: Bug
>          Components: Web Selenium
>    Affects Versions: web-3.4.3
>            Reporter: Alexander Lehmann
>            Priority: Minor
>             Fix For: web-3.5
>
>
> The status display in org.jbehave.web.selenium.LocalFrameContextView is constructing an HTML string for the current step by concatenating the strings with HTML tags. This will not work if the step itself contains HTML tags or JavaScript fragments.
> This doesn't cause any real issues, but it makes the current step fail. In essence this is an injection error (if this were in a web application, this would be sufficient for an XSS bug).
> I noticed this when writing an example XSS story for my project. For now I just commented out the offending steps; I will submit a patch when I get around to it on the weekend.
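As an added illustration (not JBehave's code and not the reporter's patch), the two versions below show the problem described in the report: a step's text spliced verbatim into markup by string concatenation, beside the same rendering with the HTML-significant characters escaped first. The class and method names and the step text are constructed for this example; they do not come from LocalFrameContextView.

```java
// Added example, not JBehave code: why concatenating a step's text into HTML
// breaks the status display, and the escaping that fixes it.
public class StepHtmlExample {

    // Vulnerable form: the step text becomes part of the markup as-is, so any
    // tag or script fragment in the step is interpreted by the browser.
    static String renderUnescaped(String stepText) {
        return "<div class=\"step\">" + stepText + "</div>";
    }

    // Escape the characters that are significant in HTML text and attribute
    // contexts before they are concatenated into markup.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened form: the step text is rendered literally, tags and all.
    static String renderEscaped(String stepText) {
        return "<div class=\"step\">" + escapeHtml(stepText) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed step text containing markup, in the spirit of the
        // "example xss story" mentioned in the report.
        String step = "Given the user name is <b>alice</b> & <i>bob</i>";

        // The markup is interpreted, so the displayed step no longer matches the story text.
        System.out.println(renderUnescaped(step));
        // <div class="step">Given the user name is <b>alice</b> & <i>bob</i></div>

        // The markup is shown as text, so the step displays exactly as written.
        System.out.println(renderEscaped(step));
        // <div class="step">Given the user name is &lt;b&gt;alice&lt;/b&gt; &amp; &lt;i&gt;bob&lt;/i&gt;</div>
    }
}
```

Escaping at the point where text meets markup, rather than filtering the step text beforehand, is what keeps the display correct for every step and is the same fix that would close the XSS variant the reporter notes would exist in a web application.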