[ https://issues.apache.org/jira/browse/TOMAHAWK-1391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leonardo Uribe resolved TOMAHAWK-1391.
--------------------------------------
Resolution: Fixed
Fix Version/s: 1.1.9-SNAPSHOT
Assignee: Leonardo Uribe
Omitting this string from the response does no harm, so I just removed it as suggested.
> Inserting <!-- MYFACES JAVASCRIPT --> into HTML output is potential security
> problem
> ------------------------------------------------------------------------------------
>
> Key: TOMAHAWK-1391
> URL: https://issues.apache.org/jira/browse/TOMAHAWK-1391
> Project: MyFaces Tomahawk
> Issue Type: Improvement
> Components: ExtensionsFilter
> Affects Versions: 1.1.8
> Reporter: Kennard Consulting
> Assignee: Leonardo Uribe
> Priority: Minor
> Fix For: 1.1.9-SNAPSHOT
>
> Original Estimate: 0.17h
> Remaining Estimate: 0.17h
>
> A recommended practice for security 'hardening' of a Web site is to divulge as
> little architectural information as possible. For example, we suppress the
> X-Server HTTP header so you don't know what server we are using. We map
> '*.jsf' to something else so you can't tell we're using JSF.
> However, one giveaway is that in
> org.apache.myfaces.renderkit.html.util.ExtensionsPhaseListener.java, method
> getCodeBeforeBodyEnd(), around line 111, there is the line:
> return "<!-- MYFACES JAVASCRIPT -->\n"+writerWrapper.toString()+"\n";
> This always outputs 'MYFACES' into the HTML whenever the
> ExtensionsPhaseListener is used (even if there is no actual JavaScript being
> output). I would like to see this line change to simply...
> return writerWrapper.toString();
> which would not give away that we are using JSF.
--
This message is automatically generated by JIRA.
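As an added illustration (not Tomahawk code, and not part of the issue thread), the snippet below mirrors the two return expressions quoted in the report to show that the old version emits the marker even when no JavaScript was buffered, and adds a small response-audit helper a defender could run against rendered pages: it lists HTML comments that name a framework and can strip ordinary comments while keeping IE conditional comments intact. The fingerprint word list and all sample HTML are constructed for this example.

```python
import re

# The marker string quoted in the issue report.
MARKER = "<!-- MYFACES JAVASCRIPT -->"


def code_before_body_end_old(script: str) -> str:
    """Mirrors the pre-fix expression: marker is emitted even if script is empty."""
    return MARKER + "\n" + script + "\n"


def code_before_body_end_new(script: str) -> str:
    """Mirrors the proposed fix: only the buffered script, no marker."""
    return script


# Constructed list of words that reveal the view technology; extend as needed.
FINGERPRINT_WORDS = ("myfaces", "tomahawk", "jsf", "facelets")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def fingerprint_comments(html: str) -> list:
    """Return every HTML comment whose text names a known framework."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1).lower()
        if any(word in body for word in FINGERPRINT_WORDS):
            hits.append(m.group(0))
    return hits


def _is_conditional(body: str) -> bool:
    """IE conditional comments (<!--[if ...]> ... <![endif]-->) carry markup
    and must survive a comment-stripping filter."""
    stripped = body.strip()
    return stripped.startswith("[if") or stripped.endswith("[endif]")


def strip_comments(html: str) -> str:
    """Generic filter-level mitigation: drop HTML comments from a response body,
    except conditional comments. Note: this is a regex pass over the document,
    so '<!--' inside <script> or <style> text would also be affected."""
    return COMMENT_RE.sub(lambda m: m.group(0) if _is_conditional(m.group(1)) else "", html)


if __name__ == "__main__":
    print(fingerprint_comments(code_before_body_end_old("")))   # marker leaks with no JS
    print(fingerprint_comments(code_before_body_end_new("")))   # nothing to report
```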