click-dev mailing list archives

From "Bob Schellink (JIRA)" <>
Subject [jira] [Resolved] (CLK-762) Cross Site Scripting Issue in ErrorPage
Date Sun, 24 Apr 2011 14:50:05 GMT


Bob Schellink resolved CLK-762.

    Resolution: Fixed
      Assignee: Bob Schellink

Thanks, fix checked in

> Cross Site Scripting Issue in ErrorPage
> ---------------------------------------
>                 Key: CLK-762
>                 URL:
>             Project: Click
>          Issue Type: Bug
>         Environment: N/A
>            Reporter: Tsuyoshi Yamamoto
>            Assignee: Bob Schellink
>   Original Estimate: 1h
>  Remaining Estimate: 1h
> Click 2.3.0 line 289 in should be HTML-escaped, because the QueryString may
> include malicious HTML / JavaScript which causes Cross Site Scripting on ErrorPage.
> For example, Click causes java.lang.NumberFormatException when the query string 'id'
> expects an integer value but a string is passed. And if the string is '241<script>alert(20908)</script>'
> then we can see the popup on ErrorPage, which results in the vulnerability of the webapp.

This message is automatically generated by JIRA.
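The rendering mistake the report describes, shown as an added example that is not Click's own code: Integer.parseInt embeds the raw 'id' value in the NumberFormatException message, so an error page that writes that message out unescaped reflects the payload, while HTML-escaping it first neutralises it. The class and method names below are hypothetical stand-ins for the error-page rendering path.

```java
import java.util.Map;

/** Hypothetical stand-in for an error page that prints an exception message (not Click's code). */
public class ErrorPageEscapingDemo {

    /** HTML-escape the characters that can break out of element content or attribute values. */
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable variant: the exception message, which carries the raw request value, is written as-is. */
    public static String renderUnsafe(Exception e) {
        return "<p class=\"error\">" + e.getMessage() + "</p>";
    }

    /** Fixed variant: escape the untrusted text before it reaches the HTML output. */
    public static String renderSafe(Exception e) {
        return "<p class=\"error\">" + escapeHtml(e.getMessage()) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed request: the 'id' parameter carries the string quoted in the report.
        Map<String, String> query = Map.of("id", "241<script>alert(20908)</script>");
        try {
            Integer.parseInt(query.get("id"));
        } catch (NumberFormatException e) {
            // parseInt's message reads: For input string: "241<script>alert(20908)</script>"
            String unsafe = renderUnsafe(e);
            String safe = renderSafe(e);
            System.out.println("unsafe: " + unsafe);
            System.out.println("safe:   " + safe);
            // Check: the escaped page no longer contains a <script> tag.
            if (safe.contains("<script>")) throw new AssertionError("payload survived escaping");
            if (!unsafe.contains("<script>")) throw new AssertionError("expected raw reflection");
        }
    }
}
```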
