HtmlRendererServlet allows outputting arbitrary HTML
----------------------------------------------------
Key: SLING-2427
URL: https://issues.apache.org/jira/browse/SLING-2427
Project: Sling
Issue Type: Bug
Components: Servlets
Affects Versions: Servlets Get 2.1.2
Reporter: Carl Hall
Assignee: Carl Hall

When using HtmlRendererServlet to return content in an HTML format, it is
possible to inject arbitrary HTML into the returned page.

To reproduce:

1. Add a node of content
   * curl -u admin:admin -F test=true http://localhost:8080/test_node
2. Get the new node in HTML format and append extra data to the URL
   * http://localhost:8080/test_node.html/<font size='88' color='red'>VOTE SLING</font><iframe height=800 width=600 src='http://www.uva.nl' /></iframe>
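
The behaviour reported above comes down to request-derived path text being copied into the HTML response without encoding. The following is an added example, not code from Apache Sling or from this issue: the class `PathEchoDemo`, its methods and the page template are hypothetical, and it contrasts an unescaped render with an HTML-escaped one using the path from the reproduction step.

```java
// Added illustration; not Apache Sling code. All names here are hypothetical.
public class PathEchoDemo {

    // Encode the characters that are significant in HTML element content
    // and in quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unsafe pattern: the request-derived path is concatenated into markup as-is,
    // so any tags it carries become part of the page.
    static String renderUnescaped(String path) {
        return "<html><body><h1>Resource dumped: " + path + "</h1></body></html>";
    }

    // Hardened pattern: the same template, with the path encoded on output.
    static String renderEscaped(String path) {
        return "<html><body><h1>Resource dumped: " + escapeHtml(path) + "</h1></body></html>";
    }

    public static void main(String[] args) {
        // Path and trailing data as given in the reproduction step of this report.
        String path = "/test_node.html/<font size='88' color='red'>VOTE SLING</font>"
                + "<iframe height=800 width=600 src='http://www.uva.nl' /></iframe>";

        String unsafe = renderUnescaped(path);
        String safe = renderEscaped(path);

        // The unescaped page carries a live <iframe> element; the escaped page
        // carries only its text representation.
        System.out.println("unescaped has <iframe tag: " + unsafe.contains("<iframe"));
        System.out.println("escaped has <iframe tag:   " + safe.contains("<iframe"));
        System.out.println(safe);
    }
}
```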