XSS Vulnerability when using struts/ErrorsTool.getMsgs
------------------------------------------------------
Key: VELTOOLS-126
URL: https://issues.apache.org/jira/browse/VELTOOLS-126
Project: Velocity Tools
Issue Type: Bug
Components: VelocityStruts
Affects Versions: 1.4, 2.x
Environment: Identified in velocity-tools 1.4, verified by reading code in trunk.
Reporter: Christopher Schultz
The code for ErrorsTool.getMsgs goes roughly like this:
String message = message("errors.header");
for (Object error : errors) {
    message += message("errors.prefix") + error + message("errors.suffix");
}
message += message("errors.footer");
return message;
This is easily open to an XSS attack when an error message contains user input.
Honestly, I'm not entirely sure if we should even do anything about this,
because the ErrorsTool is not strictly for use in an HTML context, so escaping
the error message itself may not be appropriate. Also, the message itself may
contain markup which the developer wants to remain, while the user input should
be escaped.
It's possible that the solution to this problem is to put a big warning on the
tool that XSS attacks are very easy using this tool.
I've been running with it for years, and didn't notice until today. I replaced
my use of errors.getMsgs with this:
$!msg.errors.header
#foreach($error in $errors.get($fieldName))
$!msg.errors.prefix#htmlEscape($error)$!msg.errors.suffix
#end
$!msg.errors.footer
...which is appropriate for my uses, but might not work for everyone.
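As an added example (not code from this report or from Velocity Tools), the Java class below contrasts the concatenation described above with a variant that escapes the message arguments before MessageFormat fills in the pattern, which keeps the developer's own markup in the message while neutralising the user-supplied part. The message bundle, the htmlEscape helper and the errors.invalid key are constructed stand-ins, not Struts or Velocity Tools APIs.

```java
import java.text.MessageFormat;

public class ErrorsToolEscapeExample {

    // Constructed stand-in for a Struts message bundle. The markup here is the
    // developer's and must stay; only the {0} argument is user-controlled.
    static String message(String key) {
        switch (key) {
            case "errors.header":  return "<ul class=\"errors\">";
            case "errors.prefix":  return "<li>";
            case "errors.suffix":  return "</li>";
            case "errors.footer":  return "</ul>";
            case "errors.invalid": return "Value <b>{0}</b> is not valid";
            default:               return "";
        }
    }

    // Minimal HTML escaping (hypothetical helper; a deployment would use
    // EscapeTool.html() or an equivalent library call). '&' goes first.
    static String htmlEscape(Object o) {
        return String.valueOf(o).replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");
    }

    // Mirrors the concatenation described in the report: the formatted error,
    // user input included, lands in the markup unescaped.
    static String getMsgsUnsafe(String key, Object... args) {
        String error = MessageFormat.format(message(key), args);
        return message("errors.header") + message("errors.prefix") + error
             + message("errors.suffix") + message("errors.footer");
    }

    // Same assembly, but each argument is escaped before the pattern is filled,
    // so the bundle's own <li> and <b> survive while user input cannot add tags.
    static String getMsgsSafe(String key, Object... args) {
        Object[] safe = new Object[args.length];
        for (int i = 0; i < args.length; i++) safe[i] = htmlEscape(args[i]);
        String error = MessageFormat.format(message(key), safe);
        return message("errors.header") + message("errors.prefix") + error
             + message("errors.suffix") + message("errors.footer");
    }

    public static void main(String[] argv) {
        String input = "<b>injected</b>";   // constructed sample user input
        System.out.println(getMsgsUnsafe("errors.invalid", input));
        System.out.println(getMsgsSafe("errors.invalid", input));
    }
}
```

The unsafe variant emits the user's tags verbatim inside the list item; the safe variant emits them as &lt;b&gt;injected&lt;/b&gt; while the bundle's own <b> around {0} is unchanged.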