Sergey Beryozkin created CXF-7128:
-------------------------------------
Summary: Review the possibility of using OWASP Sanitizer in
FormattedServiceListWriter
Key: CXF-7128
URL: https://issues.apache.org/jira/browse/CXF-7128
Project: CXF
Issue Type: Improvement
Components: Transports
Reporter: Sergey Beryozkin
Fix For: NeedMoreInfo
The https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project project (and
related projects) offers a number of ways to protect against XSS.
Right now CXF ServletController uses BaseUrlHelper to recreate the absolute URL
it listens on, removing all the matrix parameters, which were shown to pose
a risk (CXF-6216).
The question is: is the CXF-6216 fix sufficient, or is some more formal approach
needed?
My own opinion right now is that the CXF-6216 fix is good and there's no obvious
need to add another library unless a new concrete attack is discovered.
The CXF-6216 fix results in all the matrix parameters, if any, being removed. The
encoding approach will keep them, in encoded form, in the service URIs which will
be shown to the user.