[jira] [Resolved] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java

Mark Struberg (JIRA) Sat, 30 Dec 2017 06:41:18 -0800

     [ 
https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Mark Struberg resolved DELTASPIKE-1307.
---------------------------------------
       Resolution: Fixed
    Fix Version/s: 1.8.1

Txs for the report, that part should now be fixed!

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> ---------------------------------------------
>
>                 Key: DELTASPIKE-1307
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: JSF-Module
>    Affects Versions: 1.8.0
>         Environment: any
>            Reporter: md
>            Assignee: Mark Struberg
>            Priority: Blocker
>              Labels: security
>             Fix For: 1.8.1
>
>
> 10 chars ough to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Resolved] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java

Reply via email to