From: "Dejan Bosanac (JIRA)"
To: dev@activemq.apache.org
Date: Thu, 21 Mar 2013 13:29:16 +0000 (UTC)
Subject: [jira] [Resolved] (AMQ-4398) XSS vulnerability in demo web application

[ https://issues.apache.org/jira/browse/AMQ-4398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dejan Bosanac resolved AMQ-4398.
--------------------------------
    Resolution: Fixed

fixed with svn revision 1459301

> XSS vulnerability in demo web application
> ------------------------------------------
>
>                 Key: AMQ-4398
>                 URL: https://issues.apache.org/jira/browse/AMQ-4398
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.8.0
>            Reporter: Dejan Bosanac
>            Assignee: Dejan Bosanac
>             Fix For: 5.9.0
>
>
> Portfolio publisher servlet doesn't sanitize input.
> For example the following url in Firefox
> http://localhost:8161/demo/portfolioPublish?count=1&refresh=%27%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E&stocks=IBMW&stocks=BEAS&stocks=MSFT&stocks=SUNW
> will trigger JS code.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
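As an added illustration (not ActiveMQ's own code and not part of the ticket), the Python below decodes the URL quoted in the report, mirrors the reflection defect the ticket describes, and shows the fix: validate the parameter's type and entity-encode it before it reaches the markup. The attribute shape (a single-quoted meta refresh) is an assumption; the real servlet's HTML may differ, but the defect and the remedy follow the same pattern.

```python
# Added example, not ActiveMQ's code. Assumption: the demo page echoes the
# "refresh" parameter into a single-quoted <meta http-equiv="refresh"> attribute.
from html import escape
from urllib.parse import urlsplit, unquote

# Constructed from the URL quoted in the ticket.
REPORTED_URL = ("http://localhost:8161/demo/portfolioPublish?count=1"
                "&refresh=%27%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E"
                "&stocks=IBMW&stocks=BEAS&stocks=MSFT&stocks=SUNW")


def query_params(url):
    """Decode the query string; keep the first value seen for each key.
    Splits only on '&', so the ';' inside the payload stays in the value."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), unquote(value))
    return params


def render_vulnerable(params):
    """Mirrors the reported defect: the raw parameter is concatenated into
    HTML. The payload's leading '> closes the attribute and the tag."""
    refresh = params.get("refresh", "5")
    return "<meta http-equiv='refresh' content='%s'>" % refresh


def render_hardened(params, default=5):
    """Fix: refresh is a number of seconds, so parse it as one and fall back
    to a default on junk; entity-encode whatever still reaches the markup."""
    try:
        seconds = int(params.get("refresh", default))
    except ValueError:
        seconds = default
    if not 0 < seconds <= 3600:
        seconds = default
    return "<meta http-equiv='refresh' content='%s'>" % escape(str(seconds), quote=True)


def contains_script_tag(html):
    """Coarse check usable in a regression test or a response scanner."""
    return "<script" in html.lower()


if __name__ == "__main__":
    p = query_params(REPORTED_URL)
    print("decoded refresh:", p["refresh"])
    print("vulnerable:", render_vulnerable(p))
    print("hardened:  ", render_hardened(p))
```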