Hello all, thanks to the contribution of Danny Leshem, a potential vulnerability has been fixed today in the current snapshot of the 2.0 and 2.1 branches, and the current master (future release 2.2). This vulnerability may be exploited when generating the representation of a failure response. By default, the status filter generates an HTML representation that includes data from the error status, especially its description. In case this description integrates data coming from the client request (for example a Web form), the older code did not take care to escape the untrusted data into the HTML content. This could allow the injection of JavaScript code into the error status page. The fix consists of escaping the data (with org.restlet.engine.util.StringUtils#htmlEscape) before inserting it into the HTML content. This fix has been applied to the 2.0 and 2.1 branches, and the current master.

In case you customize the status filter, we also suggest that you call the org.restlet.engine.util.StringUtils#htmlEscape method in order to prevent such a potential issue.

Best regards,
Thierry Boileau
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2983690
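The following is an added example, not code from the post above or from the Restlet project, showing how the untrusted data reaches the status page and how a customized status service should escape it as the post recommends. It assumes Restlet 2.1 or later, where the override hook is StatusService#toRepresentation(Status, Request, Response) (on 2.0 the same hook is named getRepresentation), and that org.restlet.engine.util.StringUtils#htmlEscape is available as the post states. The resource and parameter names (ItemResource, "item") are hypothetical.

```java
import org.restlet.Application;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.Form;
import org.restlet.data.MediaType;
import org.restlet.data.Status;
import org.restlet.engine.util.StringUtils;
import org.restlet.representation.Representation;
import org.restlet.representation.StringRepresentation;
import org.restlet.resource.Post;
import org.restlet.resource.ResourceException;
import org.restlet.resource.ServerResource;
import org.restlet.service.StatusService;

/**
 * Hypothetical resource: it copies a client-supplied form value into the
 * status description, which is exactly the path the advisory describes.
 * A request with item=<script>alert(1)</script> makes that string part of
 * the error status that the status service later renders as HTML.
 */
class ItemResource extends ServerResource {
    @Post
    public Representation accept(Representation entity) {
        Form form = new Form(entity);
        String item = form.getFirstValue("item");
        if (item == null || item.isEmpty()) {
            throw new ResourceException(Status.CLIENT_ERROR_BAD_REQUEST,
                    "Missing parameter 'item'");
        }
        // Untrusted input ends up in the Status description.
        throw new ResourceException(Status.CLIENT_ERROR_NOT_FOUND,
                "Unknown item: " + item);
    }
}

/**
 * Customized status service that escapes every field taken from the
 * status or the request before inserting it into the HTML page.
 * The vulnerable pattern is simply the same builder without htmlEscape.
 */
class EscapingStatusService extends StatusService {
    @Override
    public Representation toRepresentation(Status status, Request request,
            Response response) {
        StringBuilder sb = new StringBuilder();
        sb.append("<html><head><title>Status page</title></head><body>\n");
        sb.append("<h3>").append(status.getCode()).append(" - ")
          .append(StringUtils.htmlEscape(status.getName())).append("</h3>\n");
        if (status.getDescription() != null) {
            // The description may carry client data: escape it.
            sb.append("<p>").append(StringUtils.htmlEscape(status.getDescription()))
              .append("</p>\n");
        }
        if (request.getResourceRef() != null) {
            // The requested URI is client-controlled as well; escape it too.
            sb.append("<p>You requested: ")
              .append(StringUtils.htmlEscape(request.getResourceRef().toString()))
              .append("</p>\n");
        }
        sb.append("</body></html>\n");
        return new StringRepresentation(sb.toString(), MediaType.TEXT_HTML);
    }
}

/** Hypothetical application wiring the escaping status service in. */
class ItemApplication extends Application {
    public ItemApplication() {
        // Replace the default status service so every error page goes
        // through the escaping renderer above.
        setStatusService(new EscapingStatusService());
    }
}
```

With this service installed, a description such as `Unknown item: <script>alert(1)</script>` is rendered as `&lt;script&gt;alert(1)&lt;/script&gt;` inside the paragraph, so the browser displays the text instead of executing it. The same rule applies to any other value a custom status page pulls from the request (headers, query parameters, the entity), not only the description.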