Thanks, I'll have a look.

On Fri, Apr 30, 2010 at 10:16 AM, Nourredine K. <[email protected]> wrote:
> Hi,
>
> I think there is another vulnerability in the datefield.js script. It can
> happen, in the ajax response, when you select a date from the calendar.
> (Please refer to the last patch on
> https://issues.apache.org/jira/browse/TAP5-1057. Still need to replace the
> escape function by String.escapeHTML as you've suggested.)
>
> To reproduce the XSS attack, our client uses a proxy. After selecting a date
> from the calendar, modify the URL by adding JS code at the end (the
> resulting URL looks like
> http://server:port/context/pagename.componentid:format?input=1268652856000""><script>alert("T5 is great!");</script>)
>
> drobiazko wrote:
> > Author: drobiazko
> > Date: Thu Apr 29 19:55:34 2010
> > New Revision: 939469
> >
> > URL: http://svn.apache.org/viewvc?rev=939469&view=rev
> > Log:
> > TAP5-1057: XSS vulnerability in calendar component
> >
> > Modified:
> >     tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> >     tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java
> >
> > Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
> > URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js?rev=939469&r1=939468&r2=939469&view=diff
> > ==============================================================================
> > --- tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js (original)
> > +++ tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js Thu Apr 29 19:55:34 2010
> > @@ -48,7 +48,7 @@ Tapestry.DateField = Class.create( { > > } > > } > > > > - var value = $F(this.field); > > + var value = $F(this.field).escapeHTML(); > > > > if (value == "") { > > this.datePicker.setDate(null); > > > > Modified: > > > tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java > > URL: > > > http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java?rev=939469&r1=939468&r2=939469&view=diff > > > ============================================================================== > > --- > > > tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java > > (original) > > +++ > > > tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java > > Thu Apr 29 19:55:34 2010 
> > @@ -231,6 +231,19 @@ public class FormTests extends TapestryC > > > > clickAndWait("link=english"); > > } > > + > > + // TAP5-1057 > > + @Test > > + public void xss_datefield() > > + { > > + clickThru("DateField Demo", "clear", "english"); > > + > > + type("asteroidImpact", "<script>alert('T5 is great'); > > </script>"); > > + > > + click("id=asteroidImpact-trigger"); > > + > > + assertBubbleMessage("asteroidImpact", "Unparseable date: > > \"<script>alert('T5 is great'); </script>\""); > > + } > > > > @Test > > public void event_based_translate() throws Exception > > > > > > > > > > -- > View this message in context: > http://old.nabble.com/svn-commit%3A-r939469---in--tapestry-tapestry5-trunk-tapestry-core-src%3A-main-resources-org-apache-tapestry5-corelib-components-datefield.js-test-java-org-apache-tapestry5-integration-app1-FormTests.java-tp28405123p28409620.html > Sent from the Tapestry - Dev mailing list archive at Nabble.com. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > -- Best regards, Igor Drobiazko http://tapestry5.de/blog
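Review bot: the escape in the datefield.js hunk (`+ var value = $F(this.field).escapeHTML();`) is applied on the input side, in the browser, before the value is sent, so it neither changes what the server echoes back nor protects the place where the server's "Unparseable date" message (the text asserted on in the FormTests hunk) is written into the validation bubble; a request whose `input` parameter never passes through this code, such as the proxy-edited URL in the report above, still gets the raw text back and the bubble still renders it. Move the escaping to the sink (escape the error text where it is inserted into the DOM, or have the server escape what it echoes) and send the value as typed. Note also that `escapeHTML()` changes the value the server has to parse (`&` becomes `&amp;`), and HTML escaping is the wrong encoding for a query parameter in any case; that is what `encodeURIComponent` is for.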
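Review bot: the new `xss_datefield` test only drives the path the fix patches (typing into `asteroidImpact`, then clicking `asteroidImpact-trigger`), so it would still pass if the `input` parameter reached the server unescaped by another route, which is exactly the reproduction in the report above. Add a case that issues the parse request directly with a `<script>` payload in `input` and asserts on the response body, and be aware that `assertBubbleMessage` matching the literal `<script>` text shows the payload was displayed as text but does not by itself prove no script element was created in the DOM.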
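The failure mode described in the thread above, as an added example that is not part of the original messages or of Tapestry's code: a constructed stand-in for the date-parse endpoint that echoes an unparseable input in its error text, a bubble that renders that text as HTML, and the two places one can escape, before the request (what r939469 does) or at the sink. `parseDateOnServer`, `renderBubble` and the other names are assumptions for illustration; the payload is the one from the report, embedded as sample input.

```javascript
// Added example, not Tapestry's code: a constructed model of the DateField
// parse round-trip, used to compare escaping the value before the request
// (what r939469 does) with escaping at the sink where the server's echo is
// rendered. All names here are assumptions for illustration.

// Prototype's String#escapeHTML covers & < >; this version also covers the
// quote characters so it is safe in attribute context as well.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for the server-side parse handler: accepts a millisecond timestamp
// (the form the report's URL uses) and otherwise echoes the raw input in the
// error text, the same shape as the bubble message the test asserts on.
function parseDateOnServer(queryString) {
  const input = new URLSearchParams(queryString).get('input') || '';
  if (/^\d+$/.test(input)) {
    return { result: Number(input) };
  }
  return { error: 'Unparseable date: "' + input + '"' };
}

// The sink: the error text is written into the validation bubble as HTML.
// Returning the markup string stands in for what innerHTML would parse.
function renderBubble(html) {
  return '<div class="t-error-bubble">' + html + '</div>';
}

// Approach taken by the commit: escape the field value in the browser, send
// it, and insert the server's error text unchanged.
function clientEscapeBeforeSend(fieldValue) {
  const value = escapeHTML(fieldValue);
  const response = parseDateOnServer('input=' + encodeURIComponent(value));
  return response.error ? renderBubble(response.error) : null;
}

// Alternative: send the value as typed (URL-encoded only) and HTML-escape the
// untrusted echo at the point where it meets the DOM.
function clientEscapeAtSink(fieldValue) {
  const response = parseDateOnServer('input=' + encodeURIComponent(fieldValue));
  return response.error ? renderBubble(escapeHTML(response.error)) : null;
}

// A request edited in a proxy (the reproduction in the report) never passes
// through the browser-side escape; only sink-side handling decides whether
// the echoed input becomes live markup.
function directRequestThenRender(rawQuery, escapeAtSink) {
  const response = parseDateOnServer(rawQuery);
  if (!response.error) return null;
  return renderBubble(escapeAtSink ? escapeHTML(response.error) : response.error);
}

// Crude check for an un-neutralised script element in rendered markup.
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// The report's payload, constructed here as sample input.
const REPORT_PAYLOAD = '1268652856000""><script>alert("T5 is great!");</script>';

// Renders the payload through each path so the difference can be read off.
function demo() {
  const q = 'input=' + encodeURIComponent(REPORT_PAYLOAD);
  return [
    'typed, escape before send : ' + clientEscapeBeforeSend(REPORT_PAYLOAD),
    'typed, escape at sink     : ' + clientEscapeAtSink(REPORT_PAYLOAD),
    'direct, no sink escape    : ' + directRequestThenRender(q, false),
    'direct, sink escape       : ' + directRequestThenRender(q, true),
  ];
}

console.log(demo().join('\n'));
```

Both approaches neutralise a payload typed into the field, which is why the Selenium test in the commit passes; only the sink-side escape also holds when the request is built by hand, and it leaves the value the server parses untouched.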
