Inserting <!-- MYFACES JAVASCRIPT --> into HTML output is a potential security
problem
------------------------------------------------------------------------------------
Key: TOMAHAWK-1391
URL: https://issues.apache.org/jira/browse/TOMAHAWK-1391
Project: MyFaces Tomahawk
Issue Type: Improvement
Components: ExtensionsFilter
Affects Versions: 1.1.8
Reporter: Kennard Consulting
Priority: Minor
A recommended practice for security 'hardening' of a Web site is to divulge as
little architectural information as possible. For example, we suppress the
X-Server HTTP header so you don't know what server we are using. We map '*.jsf'
to something else so you can't tell we're using JSF.
However, one giveaway is that in
org.apache.myfaces.renderkit.html.util.ExtensionsPhaseListener.java, method
getCodeBeforeBodyEnd(), around line 111, there is the line:
return "<!-- MYFACES JAVASCRIPT -->\n"+writerWrapper.toString()+"\n";
This always outputs 'MYFACES' into the HTML whenever the
ExtensionsPhaseListener is used (even if there is no actual JavaScript being
output). I would like to see this line change to simply...
return writerWrapper.toString();
This would not give away that we are using JSF.
--
This message is automatically generated by JIRA.
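The report above lists three architecture giveaways: the `<!-- MYFACES JAVASCRIPT -->` comment that ExtensionsPhaseListener emits, the `*.jsf` URL mapping, and a server-identifying response header. The following script is an added example (not code from the issue or from the Tomahawk project) that checks an HTTP response for all three, so the result of the suggested change can be verified from the outside rather than by reading source. The sample responses are constructed, not captured; the header check looks at the standard `Server` header (the report calls it `X-Server`) plus `X-Server` and `X-Powered-By` as assumed variants.

```python
"""Scan an HTTP response for the architecture-disclosing markers discussed in
TOMAHAWK-1391. Added example; not part of MyFaces Tomahawk."""
import re

# Exact comment that ExtensionsPhaseListener.getCodeBeforeBodyEnd() prepends.
MYFACES_MARKER = "<!-- MYFACES JAVASCRIPT -->"
# A '.jsf' extension at the end of a path, or before a query string / fragment.
JSF_EXTENSION = re.compile(r"\.jsf(?:[?#]|$)")
# Header names that identify the server stack (assumed list, see lead-in).
SERVER_HEADERS = ("server", "x-server", "x-powered-by")
# href/action/src attribute values inside the HTML body.
URL_ATTR = re.compile(r'(?:href|action|src)="([^"]*)"')


def parse_response(raw):
    """Split a raw HTTP/1.1 response string into (status_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_fingerprints(url_path, headers, body):
    """Return a list of findings (empty list means nothing was disclosed).

    headers must already be keyed by lower-cased header name."""
    findings = []
    # 1. The MyFaces marker comment, emitted even when no JavaScript follows it.
    if MYFACES_MARKER in body:
        findings.append("body contains MyFaces marker comment")
    # 2. The request itself, or links/forms in the body, still using *.jsf.
    if JSF_EXTENSION.search(url_path):
        findings.append("request path uses .jsf mapping: " + url_path)
    for match in URL_ATTR.finditer(body):
        if JSF_EXTENSION.search(match.group(1)):
            findings.append("body links to .jsf URL: " + match.group(1))
    # 3. Server-identifying response headers.
    for name in SERVER_HEADERS:
        if name in headers:
            findings.append("response header %s: %s" % (name, headers[name]))
    return findings


def scan(raw_response, url_path):
    """Parse a raw response and return its fingerprint findings."""
    _, headers, body = parse_response(raw_response)
    return find_fingerprints(url_path, headers, body)


# Constructed sample: what a page looks like before the suggested change.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/1.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    '<form action="/app/home.jsf" method="post"></form>\n'
    "<!-- MYFACES JAVASCRIPT -->\n"
    "\n"
    "</body></html>\n"
)

# Constructed sample: header suppressed, *.jsf remapped, marker comment gone.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    '<form action="/app/home" method="post"></form>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    for label, raw, path in (("leaky", LEAKY_RESPONSE, "/app/home.jsf"),
                             ("hardened", HARDENED_RESPONSE, "/app/home")):
        print(label + ":", scan(raw, path) or "no fingerprints found")
```

Run it against a real deployment by feeding `scan()` the raw response text of a page that uses the ExtensionsFilter; an empty list for the marker finding is the observable effect of returning `writerWrapper.toString()` alone.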