Hello,
we've come across an issue in version 1.0.4 of the DeltaSpike JSF module. In
case one manipulates the dswid parameter generated by DeltaSpike in the
following way:
http://host/pages/mypage.xhtml?dswid=7479%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E
and the underlying page
Txs for the report Heiko! We already discussed this and Gerhard will post a
workaround. Of course we will also fix this in trunk for our upcoming release.
LieGrue,
strub
On Saturday, 25 October 2014, 19:07, it-media.k...@extaccount.com
it-media.k...@extaccount.com wrote:
hi heiko,
first of all thx for reporting the issue!
(in case of security issues, please contact the private list first.)
fyi: it's even easier to prevent it.
just use e.g. a specialized ClientWindow like:
e.g.:
@Specializes
public class SecuredClientWindow extends DefaultClientWindow
{
fyi: i've pushed a fix for the upcoming release.
@mark and thomas:
if you documented details
about org.apache.deltaspike.jsf.spi.scope.window.ClientWindow and possible
customizations, please update the documentation as well.
thx regards,
gerhard
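To make the workaround sketched above concrete, here is an added example of a specialized ClientWindow (this is not code from the thread and not DeltaSpike's own implementation). It assumes the package name org.apache.deltaspike.jsf.impl.scope.window for DefaultClientWindow, the getWindowId(FacesContext) method of org.apache.deltaspike.jsf.spi.scope.window.ClientWindow, the application package com.example.security, and the allow-list pattern chosen here; the idea is that a window id which does not match the shape DeltaSpike itself generates is treated as unknown rather than rendered into the page.

```java
// Added example, not DeltaSpike project code: a CDI @Specializes replacement for
// DefaultClientWindow that only accepts window ids from a strict allow-list, so a
// tampered dswid such as 7479</script><script>... is never written back into markup.
// Assumptions: package names, the getWindowId(FacesContext) signature, and that
// returning null is handled by DeltaSpike as "no window id present".
package com.example.security; // hypothetical application package

import java.util.regex.Pattern;

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Specializes;
import javax.faces.context.FacesContext;

import org.apache.deltaspike.jsf.impl.scope.window.DefaultClientWindow;

@ApplicationScoped
@Specializes
public class SecuredClientWindow extends DefaultClientWindow
{
    // DeltaSpike generates short alphanumeric window ids. Anything outside this
    // character set (angle brackets, quotes, slashes, percent-encoding remnants)
    // cannot be an id we issued and is rejected before it reaches the renderer.
    // The exact length bound is an assumption made for this example.
    private static final Pattern SAFE_WINDOW_ID = Pattern.compile("^[A-Za-z0-9_-]{1,40}$");

    // Pure validation helper, kept separate so it can be unit-tested on its own.
    static boolean isSafeWindowId(String windowId)
    {
        return windowId != null && SAFE_WINDOW_ID.matcher(windowId).matches();
    }

    @Override
    public String getWindowId(FacesContext facesContext)
    {
        // Let the default implementation resolve the id (request parameter,
        // post-back, initial redirect, ...) and then gate the result.
        String windowId = super.getWindowId(facesContext);
        if (windowId == null || isSafeWindowId(windowId))
        {
            return windowId;
        }
        // Untrusted value: drop it. Assumption: DeltaSpike treats a null id as an
        // unknown/absent window, so it is never echoed into the rendered page.
        return null;
    }
}
```

Because @Specializes replaces the DefaultClientWindow bean entirely, every consumer of ClientWindow in the application picks up the validated version without further configuration; the rejected request simply proceeds without a window id instead of carrying attacker-controlled text into the window-handling script.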
2014-10-25 21:10 GMT+02:00 Gerhard Petracek
btw.: that was the initial reason
for WindowContextConfig#isUnknownWindowIdsAllowed in codi.
however, i secured the rendered window-id as well - there can be only an
issue if users customize the renderer as well as the client-window.
in that case it isn't in our range anyway.
@mark and thomas:
i