cnsgithub created MYFACES-4266:
----------------------------------
Summary: Ajax update fails due to invalid characters in response
XML (DoS)
Key: MYFACES-4266
URL: https://issues.apache.org/jira/browse/MYFACES-4266
Project: MyFaces Core
Issue Type: Bug
Affects Versions: 2.3.2
Environment: jetty 9.4.14.v20181114
JDK 10
Reporter: cnsgithub
I noticed that the {{<f:ajax />}} update fails when the updated form contains
unicode characters, which are not allowed in the [XML 1.0
spec|https://www.w3.org/TR/REC-xml/#charsets].
h2. Expected Behaviour
If the update response contains characters that are not allowed in XML, they
should be filtered by MyFaces before writing the response.
h2. Actual Behaviour
Some illegal XML characters are not filtered and therefore the browser fails to
parse the response.
h2. Steps to reproduce
I created a small github project to reproduce this behaviour:
[https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
To reproduce:
- {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
- {{git checkout myfaces}}
- run {{mvn clean package jetty:run}}
- after the server has started, open [http://localhost:8080/index.xhtml]
- Click the button, the error should occur
The issue also occurs with user supplied inputs:
- open [http://localhost:8080/input.xhtml]
- Paste the characters from the {{illegal-xml-chars.txt}} file into the input
field
- Click the button
This issue should be addressed with high priority since it is security related
(might be exploited for Denial of Service).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
