[jira] [Updated] (VELTOOLS-126) XSS Vulnerability when using struts/ErrorsTool.getMsgs

Sun, 24 Jun 2018 23:30:13 -0700 


     [ 
https://issues.apache.org/jira/browse/VELTOOLS-126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Michael Osipov updated VELTOOLS-126:
------------------------------------
    Fix Version/s:     (was: 3.0)

> XSS Vulnerability when using struts/ErrorsTool.getMsgs
> ------------------------------------------------------
>
>                 Key: VELTOOLS-126
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-126
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: VelocityStruts
>    Affects Versions: 1.4, 2.x
>         Environment: Identified in velocity-tools 1.4, verified by reading 
> code in trunk.
>            Reporter: Christopher Schultz
>            Priority: Major
>
> The code for ErrorsTool.getMsgs goes roughly like this:
> String message = message("errors.header");
> foreach(error) {
>   message += message("errors.prefix") + error + message("errors.suffix")
> message += message("errors.footer")
> return message;
> This is easily open to an XSS attack when an error message contains user 
> input.
> Honestly, I'm not entirely sure if we should even do anything about this, 
> because the ErrorsTool is not strictly for use in an HTML context, so 
> escaping the error message itself may not be appropriate. Also, the message 
> itself may contain markup which the developer wants to remain, while the user 
> input should be escaped.
> It's possible that the solution to this problem is to put a big warning on 
> the tool that XSS attacks are very easy using this tool.
> I've been running with it for years, and didn't notice until today. I 
> replaced my use of errors.getMsgs with this:
>     $!msg.errors.header
>     #foreach($error in $errors.get($fieldName))
>     $!msg.errors.prefix#htmlEscape($error)$!msg.errors.suffix
>     #end
>     $!msg.errors.header
> ...which is appropriate for my uses, but might not work for everyone.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

Reply via email to