I fully agree with that, Andrea. Collection/community can only be changed by admins. Submissions that go through workflow will be inspected. It seems the most risky case is submission without workflow. I've tested this case, and viewing the submission is safe. Values are changed to entity in ItemTag.java. The only place that runs XSS is the "Recent Submissions" carousel. Thank you so much for working on this Andrea. Much appreciated. I've been trying to find a solution using HttpServletRequestWrapper but it's not optimal.
On the collection home page in JSPUI, there is a list of recent submissions that lists the titles of a few items in the collection. The title strings do not pass Java's addEntities method and embedded JavaScript/CSS will be evaluated by the browser. To fix, add "Utils.addEntities" to "dcv[0].value" in "collection-home.jsp".
_______________________________________________
Dspace-devel mailing list
Dspace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-devel
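The sink described in the thread, as an added illustration that is not DSpace code and not part of this message: a view that concatenates a submitter-controlled title straight into markup, beside the same view with the value entity-encoded at output time. `escapeHtml` is a hypothetical stand-in for the intent of `Utils.addEntities` (assumed here to encode ampersand, angle brackets and quotes); the `renderUnescaped`/`renderEscaped` methods are constructed analogues of the JSP expressions, not the real `collection-home.jsp` code, and the sample title is constructed.

```java
// Added example, not DSpace code. Demonstrates why emitting a metadata value
// unescaped in a JSP is an XSS sink and what encoding at output time buys.
public class RecentSubmissionsEscapeDemo {

    // Hypothetical stand-in for Utils.addEntities: encode the characters that
    // let text break out of an HTML text node or attribute value. This belongs
    // in the view, at output time; the stored metadata stays as submitted.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed analogue of the pre-fix carousel entry, i.e. the effect of
    // <%= dcv[0].value %>: the raw value is spliced into the markup.
    static String renderUnescaped(String title) {
        return "<li><a href=\"#\">" + title + "</a></li>";
    }

    // Constructed analogue of the hardened form, i.e. the effect of
    // <%= Utils.addEntities(dcv[0].value) %>.
    static String renderEscaped(String title) {
        return "<li><a href=\"#\">" + escapeHtml(title) + "</a></li>";
    }

    // Review check for the rendered fragment: the data must not contribute a
    // raw '<' or '>' to the output, only the template's own tags may.
    static boolean dataLeaksMarkup(String title, String rendered) {
        String template = renderEscaped("");
        int extra = rendered.length() - template.length();
        // Everything the data added is inside the anchor text; count tags there.
        int start = template.indexOf("\"#\">") + 4;
        String fromData = rendered.substring(start, start + extra);
        return fromData.indexOf('<') >= 0 || fromData.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a submitted title carrying markup. Submitters
        // control this field, so the view must treat it as untrusted text.
        String title = "Annual report <b onmouseover=\"alert(1)\">2013</b> & notes";

        String raw = renderUnescaped(title);
        String safe = renderEscaped(title);

        System.out.println("unescaped: " + raw);
        System.out.println("escaped:   " + safe);
        System.out.println("markup from data (unescaped)? " + dataLeaksMarkup(title, raw));
        System.out.println("markup from data (escaped)?   " + dataLeaksMarkup(title, safe));
    }
}
```

The same treatment applies to any JSP expression that prints metadata a submitter can set, including the no-workflow submission path mentioned above, since the value reaches the collection page without anyone inspecting it first.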