[ https://issues.apache.org/jira/browse/TOMAHAWK-1637?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leonardo Uribe resolved TOMAHAWK-1637.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.1.14-SNAPSHOT
         Assignee: Leonardo Uribe

In my opinion the risk is very low, but anyway it is worth solving.

I also checked other possible locations and there was one line that renders the 
label for a SelectItemGroup using write() without a check for the escape attribute. 
After looking in depth, this seems to be a leftover of JSF 1.0, because in 
practice there is no component that uses SelectItemGroup, so in almost all 
cases SelectItem is used.
                
> Potential XSS security issue in FieldsetRenderer
> ------------------------------------------------
>
>                 Key: TOMAHAWK-1637
>                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1637
>             Project: MyFaces Tomahawk
>          Issue Type: Bug
>    Affects Versions: 1.1.11
>         Environment: MyFaces Core 2.1.6, Tomahawk20 1.1.11
>            Reporter: dennis hoersch
>            Assignee: Leonardo Uribe
>             Fix For: 1.1.14-SNAPSHOT
>
>
> Hi,
> we found that the FieldsetRenderer outputs the legend directly without 
> escaping it. 
> An example: If the variable someVar has the following content
> <script>alert("XSS");</script>
> Using
> <t:fieldset legend="#{requestScope.someVar}">CONTENT</t:fieldset>
> it outputs:
> <fieldset>
>   <legend><script>alert('XSS');</script></legend>
>   CONTENT
> </fieldset>
> and the script is executed.
> The FieldsetRenderer uses the write() method of the ResponseWriter, changing 
> it to writeText() will escape it.
> There are some other usages with unescaped strings and the write() method 
> that may be a security issue too (was just a rough search):
> HtmlCheckboxRendererBase.java
>   223: writer.write(selectItem.getLabel()); 
> HtmlRadioRendererBase.java
>   197: writer.write(selectItem.getLabel());
>   325: writer.write(selectItemGroup.getLabel()); 
> Greetings and thank you

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
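As an added illustration that is not code from the Tomahawk project, the pattern behind the fix in plain Java: the vulnerable renderer hands the legend straight to the output, while the corrected one HTML-escapes it, which is what the JSF ResponseWriter.writeText() does for you. The third method shows the escape-attribute check that the comment above says was missing for the SelectItemGroup label. The MinimalWriter class and escapeHtml() helper are stand-ins (assumptions, not JSF API) so the example compiles and runs without a JSF runtime; the legend value is constructed to match the issue's example.

```java
import java.io.StringWriter;

public class FieldsetLegendEscaping {

    /** Stand-in for the two ResponseWriter methods discussed in the issue (not the real JSF class). */
    static final class MinimalWriter {
        private final StringWriter out = new StringWriter();

        /** Mirrors ResponseWriter.write(): raw pass-through, no escaping. */
        void write(String s) { out.write(s); }

        /** Mirrors the escaping behaviour of ResponseWriter.writeText(). */
        void writeText(Object text) { out.write(escapeHtml(String.valueOf(text))); }

        @Override public String toString() { return out.toString(); }
    }

    /** Minimal HTML text escaping for the characters that can break out of element content. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern reported in the issue: the legend is written verbatim. */
    static String renderLegendVulnerable(String legend) {
        MinimalWriter w = new MinimalWriter();
        w.write("<fieldset><legend>");
        w.write(legend);          // request-controlled value lands in the page as markup
        w.write("</legend></fieldset>");
        return w.toString();
    }

    /** The fix described in the issue: the legend goes through writeText(). */
    static String renderLegendFixed(String legend) {
        MinimalWriter w = new MinimalWriter();
        w.write("<fieldset><legend>");
        w.writeText(legend);      // value is escaped, so the browser renders it as text
        w.write("</legend></fieldset>");
        return w.toString();
    }

    /**
     * Label rendering with an explicit escape attribute, the check the comment above
     * found missing for the SelectItemGroup label. Only an application that has
     * deliberately set escape="false" gets raw output.
     */
    static String renderLabel(String label, boolean escape) {
        MinimalWriter w = new MinimalWriter();
        w.write("<label>");
        if (escape) {
            w.writeText(label);
        } else {
            w.write(label);
        }
        w.write("</label>");
        return w.toString();
    }

    public static void main(String[] args) {
        // Constructed value matching the example in the issue description.
        String legend = "<script>alert(\"XSS\");</script>";
        System.out.println("write():            " + renderLegendVulnerable(legend));
        System.out.println("writeText():        " + renderLegendFixed(legend));
        System.out.println("label, escape=true: " + renderLabel(legend, true));
    }
}
```

Running it prints the raw `<script>` element for the write() variant and `&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;` for the writeText() and escaped-label variants, which is the observable difference the reporter describes.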
