GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
---------------------------------------------------------------------------------------
Key: TRINIDAD-1258
URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
Project: MyFaces Trinidad
Issue Type: Bug
Components: Components
Affects Versions: 1.2.9-core
Reporter: Yee-Wah Lee
Priority: Minor
1. Run the inputDate demo
http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
2. Open the inputDate popup and copy its URL using right click/Properties
http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
3. Modify the URL to replace the loc parameter value with
<script>alert(document.cookie)</script>
http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
4. Load the modified URL in the browser - an alert popup appears.
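The steps above show the loc parameter being reflected into the response without validation or escaping. The following is an added example, not Trinidad's code and not the project's eventual fix: it pulls the loc value out of the step-3 URL exactly as the servlet container would decode it, shows why raw reflection is exploitable, and applies the two checks a practitioner would add, an allow-list on the locale identifier plus output encoding. The markup produced by render_locale_vulnerable/render_locale_hardened is hypothetical, since the report does not say what LocaleInfoScriptlet actually emitted.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The request URL from step 3 of the report (loc carries a URL-encoded payload).
REPORTED_URL = (
    "http://www.irian.at/trinidad-demo/faces/__ADFv__"
    "?_t=fred&_red=cd&value=1224025200000"
    "&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8"
)

# Allow-list for locale identifiers: a language sub-tag followed by up to two
# country/variant sub-tags, letters and digits only, joined by "_" or "-".
# Every character that could break out of an HTML or JavaScript context
# ("<", ">", quotes, "/", parentheses) is excluded by construction.
LOCALE_RE = re.compile(r"^[A-Za-z]{2,8}(?:[_-][A-Za-z0-9]{1,8}){0,2}$")


def extract_loc(url):
    """Return the decoded 'loc' query parameter, as the server would see it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("loc", [""])[0]


def is_valid_locale(loc):
    """True only for well-formed locale tags such as 'en', 'en_US' or 'pt-BR'."""
    return LOCALE_RE.match(loc) is not None


def render_locale_vulnerable(loc):
    """Hypothetical unsafe pattern: the raw parameter is concatenated into the
    page body, so '<script>' in loc becomes a live script element."""
    return '<div id="locale">' + loc + "</div>"


def render_locale_hardened(loc, default="en"):
    """Hardened pattern (this example's choice, not Trinidad's fix):
    1. reject anything outside the allow-list and fall back to the default
       locale instead of echoing the attacker's string;
    2. HTML-escape the value on output anyway, as defence in depth."""
    if not is_valid_locale(loc):
        loc = default
    return '<div id="locale">' + html.escape(loc, quote=True) + "</div>"


if __name__ == "__main__":
    payload = extract_loc(REPORTED_URL)
    print("decoded loc:", payload)
    print("valid locale?", is_valid_locale(payload))
    print("vulnerable output:", render_locale_vulnerable(payload))
    print("hardened output:  ", render_locale_hardened(payload))
```

The same allow-list treatment belongs on the enc parameter in the same URL: a charset name is also a short alphanumeric token, and any request value that reaches a script or HTML context should be validated against what it is supposed to be rather than merely escaped after the fact.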
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.