PowerCOM_STARWAR created FREEMARKER-189:
-------------------------------------------

             Summary: Built-in constructs like "?html" have security issues
                 Key: FREEMARKER-189
                 URL: https://issues.apache.org/jira/browse/FREEMARKER-189
             Project: Apache Freemarker
          Issue Type: Bug
          Components: jsp
    Affects Versions: 2.3.29, 2.3.28
         Environment: just a normal environment, nothing special
            Reporter: PowerCOM_STARWAR
         Attachments: StringUtil.java

1. When I develop the JSP page, for security reasons I use "?html" to encode
the "onclick" attribute in button.ftl as below:

<span id="${btnID?html}" style="${(style!'')?html}" tabindex="0" class="${(css!'')?html}" <@htmc.disabled /> <#if btnTitle!=''>title="${btnTitle?html}"</#if><#lt>
<#if btnOnClick??> onclick="${btnOnClick?html}"</#if> > <#lt>

2. In the JSP b.jsp, I write this: <powercom:button id="game" 
onclick="submit('${name}')" />

3. The variable name comes from another page, a.jsp: the user can input the 
value of the parameter name, then jump to b.jsp.

4. If I input ");console.log(1)//" or ");alert(1)//" as the value of name 
(attention: this simulates an attack), it will be executed when I jump to b.jsp.

5. Because the built-in construct "?html" does not escape the left and right 
parentheses "(" and ")", the attack statements can be executed. I think the 
left and right parentheses "(" and ")" should be escaped by the "?html" 
built-in construct. Thanks



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

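An added example (JavaScript; not code from the FreeMarker project or from the reporter) modelling what the browser does with the fragment in the report: the value of an onclick attribute is HTML-decoded by the HTML parser before it is compiled as JavaScript, so ?html escaping (and, going one step beyond the report, a hypothetical ?html that also escaped parentheses) is undone before the JavaScript engine ever sees the value. What keeps an injected quote inside the string literal is JavaScript-string escaping of the untrusted value (FreeMarker's ?js_string built-in) applied before the HTML escaping of the attribute. The functions htmlEscape, jsString and htmlAttributeDecode are simplified re-implementations written for this example, the stub submit()/alert() are stand-ins for the page's real functions, and PAYLOAD is a constructed input that first closes the quoted argument.

```javascript
// Simplified model of FreeMarker's ?html built-in (assumption: the documented
// replacements for & < > " and '; the real built-in's output may differ).
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;")
          .replace(/'/g, "&#39;");
}

// The report's proposal: a hypothetical ?html that also escapes parentheses.
function htmlEscapeWithParens(s) {
  return htmlEscape(s).replace(/\(/g, "&#40;").replace(/\)/g, "&#41;");
}

// Simplified model of FreeMarker's ?js_string built-in: escapes what would
// terminate or alter a JavaScript string literal (assumption: the real
// built-in also handles further control characters; these cases matter here).
function jsString(s) {
  return s.replace(/\\/g, "\\\\")
          .replace(/'/g, "\\'")
          .replace(/"/g, '\\"')
          .replace(/\n/g, "\\n")
          .replace(/\r/g, "\\r")
          .replace(/</g, "\\x3C")
          .replace(/>/g, "\\x3E");
}

// What the browser does to an event-handler attribute before compiling it:
// the HTML parser decodes character references in the attribute value.
function htmlAttributeDecode(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
          .replace(/&quot;/g, '"')
          .replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">")
          .replace(/&amp;/g, "&");   // last, so "&amp;lt;" does not become "<"
}

// Three ways of producing the attribute value for onclick="submit('${name}')".
// vulnerable    : the report's ${btnOnClick?html}
// parensEscaped : the report's proposed fix
// hardened      : JS-escape the untrusted value first, then HTML-escape the
//                 whole attribute (FreeMarker: ${name?js_string} inside the
//                 handler string, ?html on the attribute as before)
const vulnerable    = (name) => htmlEscape("submit('" + name + "')");
const parensEscaped = (name) => htmlEscapeWithParens("submit('" + name + "')");
const hardened      = (name) => htmlEscape("submit('" + jsString(name) + "')");

// Renders the attribute with the given builder, decodes it as the browser
// would, and runs the handler with stub submit()/alert() that record calls.
function runHandler(name, buildAttribute) {
  const handlerSource = htmlAttributeDecode(buildAttribute(name));
  const calls = { submitArgs: [], alertCalled: false, source: handlerSource };
  const submit = (arg) => { calls.submitArgs.push(arg); };
  const alert = () => { calls.alertCalled = true; };
  // new Function(...) stands in for the browser compiling the onclick body.
  new Function("submit", "alert", handlerSource)(submit, alert);
  return calls;
}

// Constructed payload: closes the quoted argument, then injects a call.
const PAYLOAD = "');alert(1)//";

if (typeof require !== "undefined" && require.main === module) {
  const variants = [["?html", vulnerable],
                    ["?html + parens", parensEscaped],
                    ["?js_string then ?html", hardened]];
  for (const [label, build] of variants) {
    const r = runHandler(PAYLOAD, build);
    console.log(label.padEnd(22), "alert fired:", r.alertCalled,
                "| submit got:", JSON.stringify(r.submitArgs));
  }
}
```

Run with node: the first two variants fire alert() because the decoded handler is identical in both cases, while the hardened variant passes the payload to submit() verbatim. The safer design is to keep untrusted data out of inline event handlers altogether (put it in a data attribute escaped with ?html and attach the handler with addEventListener), which removes the JavaScript context from the template entirely.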