[ https://issues.apache.org/jira/browse/FREEMARKER-189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

PowerCOM_STARWAR updated FREEMARKER-189:
----------------------------------------
    Description: 
1. When I develop the JSP page, for security reasons I use "?html" to encode
the "onclick" attribute in button.ftl as below:

<span id="${btnID?html}" style="${(style!'')?html}" tabindex="0" class="${(css!'')?html}" <@htmc.disabled /> <#if btnTitle!=''>title="${btnTitle?html}"</#if><#lt>

<#if btnOnClick??> *onclick="${btnOnClick?html}"*</#if> > <#lt>

2. In the JSP b.jsp I write: <powercom:button id="game" onclick="submit('${name}')" />;

3. The variable name comes from another page, a.jsp, where the user can input the
value for the parameter "name" and then jump to b.jsp;

4. If I input the value "*);console.log(1)//*" or "*);alert(1)//*" for name
(attention: this simulates an attack), it will be executed when I jump to b.jsp.
The variable "*btnOnClick*" will be assigned the value "*submit('${name}')*", and
the attack statement is spliced together as this: onclick="submit('');*alert(1)*//')";

5. Because the built-in "?html" does not escape the left and right parentheses
"(" and ")", the attack statements can be executed. I think the left and right
parentheses "(" and ")" should be escaped by the "?html" built-in. Thanks

  was:
1. When I develop the JSP page, for security reasons I use "?html" to encode
the "onclick" attribute in button.ftl as below:

<span id="${btnID?html}" style="${(style!'')?html}" tabindex="0" class="${(css!'')?html}" <@htmc.disabled /> <#if btnTitle!=''>title="${btnTitle?html}"</#if><#lt>

<#if btnOnClick??> *onclick="${btnOnClick?html}"*</#if> > <#lt>

2. In the JSP b.jsp I write: <powercom:button id="game" onclick="submit('${name}')" />;

3. The variable name comes from another page, a.jsp, where the user can input the
value for the parameter "name" and then jump to b.jsp;

4. If I input the value "*);console.log(1)//*" or "*);alert(1)//*" for name
(attention: this simulates an attack), it will be executed when I jump to b.jsp;

5. Because the built-in "?html" does not escape the left and right parentheses
"(" and ")", the attack statements can be executed. I think the left and right
parentheses "(" and ")" should be escaped by the "?html" built-in. Thanks


> The Built-in constructs like "?html" has security issues
> --------------------------------------------------------
>
>                 Key: FREEMARKER-189
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-189
>             Project: Apache Freemarker
>          Issue Type: Bug
>          Components: jsp
>    Affects Versions: 2.3.28, 2.3.29
>         Environment: just normal environment, no special
>            Reporter: PowerCOM_STARWAR
>            Priority: Major
>              Labels: security
>         Attachments: StringUtil.java
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
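
The nested-context problem in the report above, as an added example that is not code from the FreeMarker project or from the reporter. The escapers below are simplified stand-ins for what the "?html" and "?js_string" built-ins do, htmlAttributeDecode stands in for the browser's HTML parser, and the payload, the handlerSeenByJs helper and the codeOutsideStringLiterals check are constructed for this example. It shows that whatever "?html" (or a variant that also escaped parentheses) writes into the attribute is decoded by the HTML parser before the JavaScript engine ever parses the handler, so the only escaping that survives into the JavaScript context is one applied for a JavaScript string literal before the HTML escaping, i.e. `${name?js_string}` in b.jsp with `?html` left in place in button.ftl.

```javascript
// Added example, not code from the FreeMarker project or the issue reporter.
// It simulates the two parsers an onclick attribute value passes through:
//   1. the HTML parser decodes character references in the attribute value
//   2. the JavaScript engine parses the DECODED text as the handler body
// Any escaping the HTML parser undoes is therefore gone before JS runs.

// Simplified stand-in for FreeMarker's ?html (escapes & < > " and ').
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// The change proposed in the report: also turn "(" and ")" into references.
function htmlEscapeWithParens(s) {
  return htmlEscape(s).replace(/\(/g, '&#40;').replace(/\)/g, '&#41;');
}

// Simplified stand-in for ?js_string: escape for a JavaScript string literal.
function jsStringEscape(s) {
  const map = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r',
                '<': '\\x3C', '>': '\\x3E' };
  return s.replace(/[\\'"\n\r<>]/g, c => map[c]);
}

// What a browser does to an attribute value before the JS engine sees it:
// named and numeric character references are decoded.
function htmlAttributeDecode(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] !== '#') return named[ref.toLowerCase()] || m;
    const hex = ref[1].toLowerCase() === 'x';
    return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Mirrors the report: b.jsp builds btnOnClick = "submit('${name}')" (innerEscape
// is whatever b.jsp applies to name), button.ftl writes it with outerEscape
// (?html), and the browser decodes the result before parsing it as JavaScript.
function handlerSeenByJs(name, innerEscape, outerEscape) {
  const btnOnClick = "submit('" + innerEscape(name) + "')";
  const attributeSource = outerEscape(btnOnClick);
  return htmlAttributeDecode(attributeSource);
}

// Drops the contents of single- and double-quoted JS string literals so that
// code which escaped the literal is easy to spot (a tiny check, not a JS parser).
function codeOutsideStringLiterals(js) {
  let out = '', quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (quote) {
      if (c === '\\') { i++; continue; }        // skip the escaped character
      if (c === quote) { out += c; quote = null; }
      continue;
    }
    if (c === "'" || c === '"') quote = c;
    out += c;
  }
  return out;
}

const identity = s => s;
// Constructed attacker input for "name" (the apostrophe closes the literal).
const PAYLOAD = "');alert(1)//";

// ?html only: the decoded handler runs alert(1) as its own statement.
const htmlOnly = handlerSeenByJs(PAYLOAD, identity, htmlEscape);
// ?html plus parenthesis escaping: decoding restores the parentheses, same result.
const withParens = handlerSeenByJs(PAYLOAD, identity, htmlEscapeWithParens);
// ?js_string on name first, then ?html on the attribute: the quote stays escaped.
const layered = handlerSeenByJs(PAYLOAD, jsStringEscape, htmlEscape);

console.log(htmlOnly);    // submit('');alert(1)//')
console.log(withParens);  // submit('');alert(1)//')
console.log(layered);     // submit('\');alert(1)//')
```

Run it with node. Even the layered form relies on every page author remembering the inner `?js_string`; the same limitation applies to FreeMarker's auto-escaping output formats, which escape for HTML only and know nothing about the JavaScript context nested inside an event-handler attribute. The more robust pattern is to keep the data out of the handler altogether, for example `data-name="${name?html}"` on the element read by a script registered with addEventListener, which also allows a Content-Security-Policy that forbids inline event handlers.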
