click-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tsuyoshi Yamamoto (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLK-762) Cross Site Scripting Issue in ErrorPage
Date Sun, 24 Apr 2011 14:27:05 GMT
Cross Site Scripting Issue in ErrorPage
---------------------------------------

                 Key: CLK-762
                 URL: https://issues.apache.org/jira/browse/CLK-762
             Project: Click
          Issue Type: Bug
         Environment: N/A
            Reporter: Tsuyoshi Yamamoto


Click 2.3.0 line 289 in ErrorReport.java should be HTMLescaped, because QueryString may include
the malicious HTML / JavaScript which causes Cross Site Scripting on ErrorPage.

For example, Click causes java.lang.NumberFormatException when the query string 'id' expects
a value in integer but string is passed. And if the string is '241<script>alert(20908)</script>'
then we can see the popup on ErrorPage that results the vulnerability of the webapp.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message