[
https://issues.apache.org/jira/browse/STORM-408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14097614#comment-14097614
]
Parth Brahmbhatt commented on STORM-408:
----------------------------------------
According to https://github.com/janl/mustache.js/ when we use {{}} the content
is assumed to be unsafe and escaped by mustache. All storm mustache template
uses {{}} so all the user entered content is treated as unsafe. I tried
replicating your example and even though the script is rendered , the browser
indeed does not run the alert as it is already escaped. If I change the
template from unsafe {{unsafe data}} to safe {{{safe data}}} tag then the alert
pops up.
Let me know if you still think storm ui has this vulnerability. Otherwise ,
please confirm here that the vulnerability does not exist so someone can
resolve this JIRA.
> Cross-Site Scripting security vulnerability
> -------------------------------------------
>
> Key: STORM-408
> URL: https://issues.apache.org/jira/browse/STORM-408
> Project: Apache Storm (Incubating)
> Issue Type: Bug
> Affects Versions: 0.9.3-incubating
> Environment: Java
> Reporter: Anand Krishnan
> Labels: security
> Fix For: 0.9.3-incubating, feature-security
>
>
> There are Cross-Site Scripting security vulnerabilities in Apache Storm.
> The risk is that it is possible to steal or manipulate customer session and
> cookies, which might be used to impersonate a legitimate user, allowing the
> hacker to view or alter user records, and to perform transactions as that
> user.
> The reason is that sanitation of hazardous characters was not performed
> correctly on user input.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
