Christophe, I guess you shouldn't reopen issues fixed for a released version. There are official release notes where this issue is marked as open now. Please clone issues if needed.
On Tue, Aug 31, 2010 at 3:19 PM, Christophe Cordenier (JIRA) < [email protected]> wrote: > > [ > https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel] > > Christophe Cordenier reopened TAP5-1057: > ---------------------------------------- > > Assignee: Christophe Cordenier (was: Igor Drobiazko) > > I will apply it on 5.1.0.8-SNAPSHOT too > > > XSS vulnerability in calendar component > > --------------------------------------- > > > > Key: TAP5-1057 > > URL: https://issues.apache.org/jira/browse/TAP5-1057 > > Project: Tapestry 5 > > Issue Type: Bug > > Components: tapestry-core > > Affects Versions: 5.1.0.5 > > Reporter: François Facon > > Assignee: Christophe Cordenier > > Fix For: 5.2.0 > > > > Attachments: datefield_js.patch, datefield_js.patch > > > > > > The calendar component provided in tapestry 5.1.0.5 could be used to > allow code injection by malicious web users into any page that uses > datefield . > > To reproduce the vulnerability, put js code like <script>alert("T5 is > great"); </script> in any datefield and click on the related calendar bitma > > After quick search in the DateField.js, it seems like the field value is > not escaping > > escaping with a change like var value = escape($F(this.field)); the > field value seems solve this vulnerability. > > -- > This message is automatically generated by JIRA. > - > You can reply to this email to add a comment to the issue online. > > -- Best regards, Igor Drobiazko http://tapestry5.de
