[ 
https://issues.apache.org/jira/browse/SLING-2082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13051797#comment-13051797
 ] 

Tobias Bocanegra commented on SLING-2082:
-----------------------------------------

The escaping changed the readability of the response, because it now escapes 
the <pre> and <br> tags, which now don't look nice in the browser anymore.
The intention of the XHTML response was that it is human- and machine-readable. 
Further, it alters the DOM of the changelog entry, which might cause backward 
compatibility. 

IMO it would be better to only escape the actual changelog entries instead of 
the entire changelog.

e.g.:
<td>ChangeLog</td>
<td><div id="ChangeLog">
&lt;pre&gt;created("/foo.txt");&lt;br/&gt;created("/bar.txt");&lt;br/&gt;&lt;/pre&gt;
</div></td>


> XSS vulnerability: HtmlResponse output does not escape URLs in HTML
> -------------------------------------------------------------------
>
>                 Key: SLING-2082
>                 URL: https://issues.apache.org/jira/browse/SLING-2082
>             Project: Sling
>          Issue Type: Bug
>          Components: API, Servlets
>    Affects Versions: Servlets Post 2.1.0, API 2.2.0
>            Reporter: Alexander Klimetschek
>            Assignee: Bertrand Delacretaz
>             Fix For: Servlets Post 2.1.2, API 2.2.2
>
>
> A POST request including a <script> in the URL can lead to execution of that 
> script in the browser:
> http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e
> Test with curl:
> curl -X POST 
> "http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e"
> I think this applies to both org/apache/sling/api/servlets/HtmlResponse and 
> org/apache/sling/servlets/post/HtmlResponse, but not sure how to trigger the 
> first one.
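The per-entry escaping Tobias proposes above, as an added Python example that is not Sling's Java code: escaping the finished changelog (including its `<pre>`/`<br/>` wrapper) produces the double-encoded markup quoted in the comment, while escaping each entry before wrapping keeps the wrapper renderable and still neutralises a hostile entry. The entry strings and function names are constructed for this illustration.

```python
import html
from typing import Iterable


def escape_whole_changelog(entries: Iterable[str]) -> str:
    """Current behaviour described in the comment: wrap first, then escape
    everything, so the <pre>/<br/> wrapper itself ends up as &lt;pre&gt;."""
    raw = "<pre>" + "".join(f"{entry}<br/>" for entry in entries) + "</pre>"
    return html.escape(raw, quote=True)


def escape_changelog_entries(entries: Iterable[str]) -> str:
    """Proposed behaviour: escape each entry on its own, then add the wrapper
    markup, so the browser still renders <pre> and <br/> but any markup
    smuggled into an entry is inert text."""
    body = "".join(f"{html.escape(entry, quote=True)}<br/>" for entry in entries)
    return "<pre>" + body + "</pre>"


def render_changelog_row(entries: Iterable[str]) -> str:
    """Table row in the shape of the comment's example (hypothetical helper)."""
    return (
        "<td>ChangeLog</td>\n"
        '<td><div id="ChangeLog">' + escape_changelog_entries(entries) + "</div></td>"
    )


# Constructed sample entries: two benign ones and one carrying markup.
SAMPLE_ENTRIES = [
    'created("/foo.txt");',
    'created("/bar.txt");',
]
HOSTILE_ENTRY = 'created("/x\\"><script>alert(1)</script>");'


if __name__ == "__main__":
    print(escape_whole_changelog(SAMPLE_ENTRIES))
    print(escape_changelog_entries(SAMPLE_ENTRIES))
    print(render_changelog_row(SAMPLE_ENTRIES + [HOSTILE_ENTRY]))
```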
