[ https://issues.apache.org/jira/browse/FREEMARKER-189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17410343#comment-17410343 ]
PowerCOM_STARWAR edited comment on FREEMARKER-189 at 9/6/21, 3:40 AM:
----------------------------------------------------------------------
The variable "*btnOnClick*" will be assigned the value
"*submit('${name}')*", then the attack statement is spliced like this:
onclick="submit('');*alert(1)*//')"
was (Author: powercom_starwar):
The variable "*btnOnClick*" will be assigned the value
"*submit('${name}')*", then the attack statement is spliced like this:
onclick="submit('');*alert(1)*//')"
> The built-in constructs like "?html" have security issues
> ---------------------------------------------------------
>
> Key: FREEMARKER-189
> URL: https://issues.apache.org/jira/browse/FREEMARKER-189
> Project: Apache Freemarker
> Issue Type: Bug
> Components: jsp
> Affects Versions: 2.3.28, 2.3.29
> Environment: just normal environment, no special
> Reporter: PowerCOM_STARWAR
> Priority: Major
> Labels: security
> Attachments: StringUtil.java
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> 1. When I develop the JSP page, for security reasons I use "?html"
> to encode the attribute "onclick" in button.ftl as below:
> <span id="${btnID?html}" style="${(style!'')?html}" tabindex="0" class="${(css!'')?html}" <@htmc.disabled /> <#if btnTitle!=''>title="${btnTitle?html}"</#if><#lt>
> <#if btnOnClick??> *onclick="${btnOnClick?html}"*</#if> > <#lt>
> 2. In the JSP b.jsp, I write this: <powercom:button id="game"
> onclick="submit('${name}')" />;
> 3. The variable name comes from another page, a.jsp: the user can input the
> value for the parameter name, then the user can jump to b.jsp;
> 4. If I input the value "*);console.log(1)//*" or "*);alert(1)//*" for name
> (attention, this simulates an attack), it will be executed when I jump to
> b.jsp;
> 5. Because the built-in construct "?html" does not escape the left and right
> parentheses "(" and ")", the attack statements can be executed. I think the
> left and right parentheses "(" and ")" should be escaped by the "?html"
> built-in construct. Thanks
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
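An added example, not part of the issue thread and not FreeMarker's or the reporter's code, that models the pipeline described in the report in JavaScript (run with Node): the JSP splices the request parameter into a JavaScript string literal, the template HTML-escapes that string for the onclick attribute, and the browser HTML-decodes the attribute value before the JavaScript engine runs it. The htmlEscape function models the documented character set of ?html (<, >, &, "), with an option to additionally encode chosen characters as numeric entities so the issue's proposal (also escaping the parentheses) can be tried; jsStringEscape is my own escaper for the JavaScript string context, following the same idea as FreeMarker's ?js_string built-in but not reproducing its exact character set; submit and alert are stubs that record what was called, and the payload is the one from step 4 of the report.

```javascript
// Added example (not FreeMarker's or the reporter's code): a model of the pipeline in
// the report, run in Node. Contexts nest: a JavaScript string literal sits inside an
// onclick attribute, which sits inside HTML. Each layer must be escaped for its own
// context, innermost first.

// Models the documented character set of FreeMarker's ?html built-in: <, >, &, ".
// `also` adds characters to encode as numeric entities (e.g. "'()"), so the proposal
// from the issue (escaping parentheses) can be tried as well.
function htmlEscape(s, also = "") {
  const base = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;" };
  return Array.from(s, (ch) =>
    base[ch] ?? (also.includes(ch) ? `&#${ch.codePointAt(0)};` : ch)
  ).join("");
}

// What the browser's HTML parser does to an attribute value before the JavaScript
// engine sees it: every character reference, named or numeric, becomes its character.
function htmlAttrDecode(s) {
  const named = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|lt|gt|amp|quot|apos);/gi, (m, ref) => {
    if (ref[0] !== "#") return named[ref.toLowerCase()];
    const cp = /^#x/i.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Escaping for a JavaScript string literal (assumption: own implementation, same idea
// as FreeMarker's ?js_string, whose exact character set is not reproduced here).
// Everything that could close the literal or the surrounding markup becomes \xHH/\uHHHH;
// parentheses are left alone because inside a string literal they are inert.
function jsStringEscape(s) {
  return Array.from(s, (ch) => {
    const cp = ch.codePointAt(0);
    const risky = /[\\'"<>&\/]/.test(ch) || cp < 0x20 || cp === 0x2028 || cp === 0x2029;
    if (!risky) return ch;
    return cp < 0x100
      ? `\\x${cp.toString(16).padStart(2, "0")}`
      : `\\u${cp.toString(16).padStart(4, "0")}`;
  }).join("");
}

// Step 2 of the report: the JSP splices the request parameter `name` into a JavaScript
// string literal; step 1 then HTML-escapes the result for the onclick attribute.
function renderOnclick(name, { jsEscape = false, htmlAlso = "" } = {}) {
  const btnOnClick = `submit('${jsEscape ? jsStringEscape(name) : name}')`;
  return htmlEscape(btnOnClick, htmlAlso); // ${btnOnClick?html}
}

// Simulates the click: decode the attribute as the browser does, then run it with
// stubbed submit() and alert() that record what was actually called.
function clickAttribute(attrValue) {
  const calls = [];
  const src = htmlAttrDecode(attrValue);
  new Function("submit", "alert", src)(
    (arg) => calls.push(["submit", arg]),
    (arg) => calls.push(["alert", arg])
  );
  return { src, calls };
}

// Constructed input: the payload from step 4 of the report.
const PAYLOAD = "');alert(1)//";

function demo() {
  return {
    htmlOnly: clickAttribute(renderOnclick(PAYLOAD)),
    htmlPlusProposal: clickAttribute(renderOnclick(PAYLOAD, { htmlAlso: "'()" })),
    jsThenHtml: clickAttribute(renderOnclick(PAYLOAD, { jsEscape: true })),
  };
}

for (const [label, r] of Object.entries(demo())) {
  console.log(label, "->", r.src, JSON.stringify(r.calls));
}
```

Running demo() shows submit('') followed by alert(1) for both the ?html-only attribute and the one with the apostrophe and parentheses encoded as numeric entities: the browser turns &#39;, &#40; and &#41; back into ', ( and ) before the handler runs, so encoding for the HTML attribute context cannot protect the JavaScript string nested inside it, whichever characters it covers. With the parameter escaped for the JavaScript string context first and the whole handler HTML-escaped second, submit is called exactly once with the literal payload as its argument and nothing else runs. The order is what matters: inner context (JavaScript string) first, outer context (HTML attribute) second; applying ?js_string to the value before it is spliced into the handler, or avoiding inline handlers altogether and reading the value from a data attribute, achieves that in a FreeMarker template.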