[ 
https://issues.apache.org/jira/browse/SLING-2082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052237#comment-14052237
 ] 

Bertrand Delacretaz commented on SLING-2082:
--------------------------------------------

FWIW here's a curl example that demonstrates the resulting encoding:

{code}
curl -s -e "<script>alert('argh')</script>" -X POST http://localhost:8080/DOESNT_EXIST
<html>
<head>
    <title>Error while processing /DOESNT_EXIST</title>
</head>
    <body>
    <h1>Error while processing /DOESNT_EXIST</h1>
...
            <tr>
                <td>Referer</td>
                <td><a 
href="&lt;script&gt;alert(&apos;argh&apos;)&lt;/script&gt;"id="Referer">&lt;script&gt;alert(&apos;argh&apos;)&lt;/script&gt;</a></td>
            </tr>
...
    </body>
{code}

> XSS vulnerability: HtmlResponse output does not escape URLs in HTML
> -------------------------------------------------------------------
>
>                 Key: SLING-2082
>                 URL: https://issues.apache.org/jira/browse/SLING-2082
>             Project: Sling
>          Issue Type: Bug
>          Components: API, Servlets
>    Affects Versions: Servlets Post 2.1.0, API 2.2.0
>            Reporter: Alexander Klimetschek
>            Assignee: Bertrand Delacretaz
>             Fix For: Servlets Post 2.1.2, API 2.2.2
>
>
> A POST request including a <script> in the URL can lead to execution of that 
> script in the browser:
> http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e
> Test with curl:
> curl -X POST "http://localhost:4502/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e"
> I think this applies to both org/apache/sling/api/servlets/HtmlResponse and 
> org/apache/sling/servlets/post/HtmlResponse, but not sure how to trigger the 
> first one.
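As an added illustration (not Sling's own code), the following minimal Java escaper is applied to the two request-derived inputs this issue discusses, the URL-decoded path segment and the Referer header, and renders the fragments quoted above with every such value escaped in both text and attribute context; the page layout and the `renderError` helper are assumptions for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public final class ErrorPageEscaping {

    /** Escape the characters that can break out of HTML text or a quoted attribute. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render the error-page fragments with every request-derived value escaped (assumed layout). */
    static String renderError(String path, String referer) {
        String safePath = escapeHtml(path);
        String safeRef = escapeHtml(referer);
        return "<title>Error while processing " + safePath + "</title>\n"
             + "<h1>Error while processing " + safePath + "</h1>\n"
             + "<tr><td>Referer</td><td><a href=\"" + safeRef + "\" id=\"Referer\">"
             + safeRef + "</a></td></tr>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs modelled on the issue: the decoded path from the report
        // and the Referer value passed with curl -e in the comment above.
        String path = URLDecoder.decode(
            "/does/not/exist.html/%22%3e%3cscript%3ealert(29679)%3c/script%3e",
            StandardCharsets.UTF_8.name());
        String referer = "<script>alert('argh')</script>";
        String html = renderError(path, referer);
        System.out.println(html);
        // Regression check: no raw tag from the request may survive into the markup.
        if (html.contains("<script")) {
            throw new IllegalStateException("unescaped request data in error page");
        }
    }
}
```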



--
This message was sent by Atlassian JIRA
(v6.2#6252)