[ https://issues.apache.org/jira/browse/CXF-6216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin updated CXF-6216:
----------------------------------
    Assignee: Sergey Beryozkin
    Priority: Critical  (was: Major)
    Fix Version/s: 3.0.12
                   3.1.9
                   3.2.0
    Component/s:     (was: Core)
                     Transports

Prioritizing for 3.1.9

> No output sanitizing in FormattedServiceListWriter
> ---------------------------------------------------
>
>                 Key: CXF-6216
>                 URL: https://issues.apache.org/jira/browse/CXF-6216
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.2.0, 3.1.9, 3.0.12
>
>
> No output sanitizing is done, which makes the code vulnerable to injection.
> I do not have a specific use case, but it is a good habit to do. Maybe you can
> use the OWASP Sanitizer:
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> One example from the file:
> writer.write("<span class=\"field\">Endpoint address:</span> " +
> "<span class=\"value\">"
> + absoluteURL + "</span>");

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
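As an added illustration, not the CXF project's own fix, the concatenation quoted in the issue is shown beside a version that HTML-escapes the address at the point of output. The escapeHtml helper, the class name and the sample address are assumptions made for this example.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

public class EndpointListingExample {

    // Hypothetical helper (not a CXF API): replace the characters that change
    // meaning inside HTML text and attribute values with entity references.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The pattern quoted in the issue: the address is written unchanged, so any
    // markup characters it carries become part of the generated page.
    static void writeUnescaped(Writer writer, String absoluteURL) throws IOException {
        writer.write("<span class=\"field\">Endpoint address:</span> "
                + "<span class=\"value\">" + absoluteURL + "</span>");
    }

    // Same markup, but the untrusted value is escaped before it is written.
    static void writeEscaped(Writer writer, String absoluteURL) throws IOException {
        writer.write("<span class=\"field\">Endpoint address:</span> "
                + "<span class=\"value\">" + escapeHtml(absoluteURL) + "</span>");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample address containing markup characters.
        String address = "http://localhost:8080/services/<b>Hello</b>?q=\"x\"";

        StringWriter raw = new StringWriter();
        writeUnescaped(raw, address);      // markup in the address is emitted verbatim
        System.out.println(raw);

        StringWriter safe = new StringWriter();
        writeEscaped(safe, address);       // markup is rendered as literal text
        System.out.println(safe);
    }
}
```

Escaping at the output boundary is the relevant control here; the OWASP Java HTML Sanitizer linked in the issue targets the case where some HTML must be allowed through, whereas an endpoint address needs none.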