XSS vulnerability: HtmlResponse output does not escape URLs in HTML
-------------------------------------------------------------------
Key: SLING-2082
URL: https://issues.apache.org/jira/browse/SLING-2082
Project: Sling
Issue Type: Bug
Components: API, Servlets
Reporter: Alexander Klimetschek
A POST request including a <script> in the URL can lead to execution of that
script in the browser:
http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e
Test with curl:
curl -X POST "http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e"
I think this applies to both org/apache/sling/api/servlets/HtmlResponse and
org/apache/sling/servlets/post/HtmlResponse, but not sure how to trigger the
first one.