[jira] [Reopened] (SLING-2082) XSS vulnerability: HtmlResponse output does not escape URLs in HTML

Bertrand Delacretaz (JIRA) Tue, 24 May 2011 04:41:33 -0700

     [ 
https://issues.apache.org/jira/browse/SLING-2082?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Bertrand Delacretaz reopened SLING-2082:
----------------------------------------


HTML escaping is already available in the 
org.apache.sling.api.request.ResponseUtil class, we should use that instead.

> XSS vulnerability: HtmlResponse output does not escape URLs in HTML
> -------------------------------------------------------------------
>
>                 Key: SLING-2082
>                 URL: https://issues.apache.org/jira/browse/SLING-2082
>             Project: Sling
>          Issue Type: Bug
>          Components: API, Servlets
>    Affects Versions: Servlets Post 2.1.0, API 2.2.0
>            Reporter: Alexander Klimetschek
>            Assignee: Bertrand Delacretaz
>             Fix For: Servlets Post 2.1.2, API 2.2.2
>
>
> A POST request including a <script> in the URL can lead to execution of that 
> script in the browser:
> http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e
> Test with curl:
> curl -X POST 
> "http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e"
> I think this applies to both org/apache/sling/api/servlets/HtmlResponse and 
> org/apache/sling/servlets/post/HtmlResponse, but not sure how to trigger the 
> first one.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Reopened] (SLING-2082) XSS vulnerability: HtmlResponse output does not escape URLs in HTML

Reply via email to